React2Shell patch insufficient, attacks widen
Updates to close a critical vulnerability in React Server Components are incomplete. More and more attackers are exploiting the vulnerability.
The patches to close a critical security vulnerability in React Server Components are incomplete, Meta explains. Admins should immediately apply the new updates to fix the further security issues that have been discovered, the company recommends.
In a blog post, the React developers explain that the previously released patches are insufficient. “If you have already applied the updates for the critical vulnerability last week, you need to update again,” they write in a highlighted entry. “If you have updated to 19.0.2, 19.1.3, or 19.2.2, these [patches] are incomplete and you need to update again,” they clarify.
More vulnerabilities found
IT security researchers discovered three more security vulnerabilities in React Server Components while trying to bypass the previous week's patches. The new vulnerabilities do not allow the injection and execution of malicious code, and the existing patches effectively prevent that attack, the React developers add. New are two denial-of-service vulnerabilities (CVE-2025-55184, CVE-2025-67779, CVSS 7.5, risk “high”) and a vulnerability that can expose source code (CVE-2025-55183, CVSS 5.3, risk “medium”). The vulnerabilities are found in the same packages and versions as the already actively exploited security vulnerability (CVE-2025-55182, CVSS 10.0, risk “critical”).
Versions 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1, and 19.2.2 of “react-server-dom-webpack,” “react-server-dom-parcel,” and “react-server-dom-turbopack” are affected. In versions 19.0.3, 19.1.4, and 19.2.3, the programmers have corrected the security-relevant errors.
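As an added example that is not from the article or the React project, the following script scans a package-lock.json for the three affected packages, including nested copies, and flags any copy whose version is below the fixed release of its minor line (19.0.3, 19.1.4, 19.2.3); the lockfile content is constructed.

```javascript
// Added example (not from the article or React): flag React Server Components
// packages in a package-lock.json that are still below the fixed release.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
// First fixed patch level per affected minor line, as listed in the article.
const FIXED_PATCH = { "19.0": 3, "19.1": 4, "19.2": 3 };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// True if this version of an affected package still needs updating.
// Minor lines not listed (e.g. 18.x) are not flagged; the incomplete
// 19.0.2 / 19.1.3 / 19.2.2 releases are flagged because they sit below the fix.
function isVulnerable(version) {
  const p = parseVersion(version);
  if (!p) return false;
  const fixed = FIXED_PATCH[`${p.major}.${p.minor}`];
  if (fixed === undefined) return false;
  return p.patch < fixed;
}

// Walk the "packages" map of a lockfileVersion 2/3 lockfile. Keys look like
// "node_modules/foo" or "node_modules/a/node_modules/foo" for nested copies.
function findVulnerable(lockfile) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!AFFECTED_PACKAGES.has(name) || !entry.version) continue;
    if (isVulnerable(entry.version)) findings.push({ path, version: entry.version });
  }
  return findings;
}

// Constructed sample lockfile: one copy on an incomplete patch level, one fixed.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.2" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.1.4" },
    "node_modules/react": { version: "19.2.2" },
  },
};

console.log(findVulnerable(SAMPLE_LOCK));
```

To check a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.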
Google's Threat Intelligence team summarized its findings on ongoing attacks against the vulnerability known as “React2Shell” (CVE-2025-55182) over the past weekend. According to this, Google observed widespread exploitation attempts against many clusters shortly after the vulnerability became known in early December, ranging from opportunistic cybercrime to groups suspected of espionage. Google mentions espionage attempts originating from China, financially motivated activity, and also attacks from Iran. In the campaigns, the perpetrators attempted to install, among other things, Minocat tunnelers, Snowlight downloaders, Hisonic and Compood backdoors, and crypto miners. Some observations overlap with those of the IT security company Huntress and with other attacks on the vulnerability that had already been observed.
(dmk)