We found that the fix to address the DoS vulnerability in React Server Components (CVE-2025-55184) was incomplete and does not prevent an attack in a specific case.
This is disclosed as CVE-2025-67779. New patches are available now, please update immediately.
This pattern shows up across the industry, not just in JavaScript. For example, after Log4Shell, additional CVEs were reported as the community examined the original fix.
Additional disclosures can be frustrating, but they are generally a sign of a healthy response cycle.
The React Foundation has officially launched, hosted by the Linux Foundation. Read more here: react.dev/blog/2026/02...
Researchers have found two new vulnerabilities in React Server Components while attempting to exploit the patches last week.
These are new issues, separate from the critical CVE last week. The patch for React2Shell remains effective for the Remote Code Execution exploit.
React Conf 2025 is a wrap! Check out the recap: react.dev/blog/2025/10...
It’s common for critical CVEs to uncover follow‑up vulnerabilities. When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed.
We disclosed two new RSC vulnerabilities:
- Denial of Service (High): CVE-2025-55184
- Source Code Exposure (Medium): CVE-2025-55183
Patches are available now, please update immediately.
react.dev/blog/2025/12...
There is a critical vulnerability in React Server Components disclosed as CVE-2025-55182 that impacts React 19 and frameworks that use it.
A fix has been published in React versions 19.0.1, 19.1.2, and 19.2.1. We recommend upgrading immediately.
react.dev/blog/2025/12...
These issues are present in the patches published last week for React2Shell. Even though they do not allow for Remote Code Execution, they are high severity and you should update (again) immediately.
react.dev/blog/2025/12...