
Ethical Hacking News

New React Vulnerabilities Expose Secrets and Invite DoS Attacks


Half of exposed React servers remain unpatched against the "React2Shell" remote-code-execution flaw (CVE-2025-55182) amid active exploitation by attackers linked to North Korea and China, and three newly disclosed bugs in the same React Server Components packages can leak server-side source code or cause denial of service. Organizations must update their applications immediately, even if they already applied the React2Shell fix.

  • Security researchers have identified three more vulnerabilities in the React Server Components (RSC) packages of React, the popular JavaScript library used for building user interfaces.
  • The newly disclosed bugs allow attackers to leak sensitive information, including server-side source code, and to launch denial-of-service (DoS) attacks against vulnerable servers.
  • More than 50 organizations across multiple sectors have already been hit by exploitation of the earlier React2Shell flaw, with attackers linked to North Korea and China abusing it.
  • The DoS bugs can be triggered by sending a specially crafted HTTP request to any server function endpoint, causing an infinite loop that hangs the server process and consumes CPU.
  • Two of the bugs carry a CVSS score of 7.5 (high severity, not critical); the third, a source-code disclosure issue, scores 5.3.
  • Because the new bugs affect the same packages and versions as React2Shell, organizations must move to the latest React releases now and update any third-party libraries or frameworks that bundle the affected packages.



  • Security researchers have identified multiple new vulnerabilities in React Server Components, part of the React JavaScript library used for building user interfaces. The newly disclosed bugs allow attackers to leak sensitive information, including source code, and to launch denial-of-service (DoS) attacks on vulnerable servers.

    The first vulnerability in this family, dubbed "React2Shell" and tracked as CVE-2025-55182, was previously patched by Meta. The new bugs live in the same packages and versions, so organizations that updated only far enough to close React2Shell are still exposed and need to update again. Exploitation of React2Shell itself is already well under way: more than 50 organizations across multiple sectors have been impacted, with attackers linked to North Korea and China abusing the flaw.

    The new vulnerabilities were discovered by security researchers RyotaK and Shinsaku Nomura, who reported them to Meta. The two DoS bugs can be exploited by sending a specially crafted HTTP request to any server function endpoint, causing an infinite loop that hangs the server process and consumes CPU; no authentication or application-specific code is needed beyond the presence of server functions.

    The first of the high-severity bugs, tracked as CVE-2025-55184, has a Common Vulnerability Scoring System (CVSS) score of 7.5, which places it in the high band rather than the critical one. It can be exploited to launch DoS attacks against any server exposing server functions. The bug exists in the same packages and versions as CVE-2025-55182, so the React2Shell patch does not address it.

    The second high-severity bug, tracked as CVE-2025-67779, also has a CVSS score of 7.5. It is the same infinite-loop DoS condition, reachable through a case the fix for CVE-2025-55184 did not fully cover, so deployments patched only for CVE-2025-55184 remain exposed until they move to the release that fixes CVE-2025-67779 as well.

    The third vulnerability, tracked as CVE-2025-55183, has a CVSS score of 5.3. It requires a server function that explicitly or implicitly converts one of its arguments to a string (for example by interpolating it into a template literal) and returns the result. Where such a function exists, an attacker can send a malicious HTTP request that supplies a reference to a server function in place of the expected string; the conversion then yields that function's source text, exposing any secrets hardcoded in it.
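    The string-conversion condition above, as an added illustration in plain Node.js (this is not React's code and does not reproduce the RSC wire protocol, which is how a request can turn into a function object on the server): a server-style function that interpolates an argument, called with a function reference instead of a string, returns that function's source, including a constructed hardcoded secret; a type check on the argument stops the leak. The function names, the secret value and the `invoke` helper are assumptions made for the example.

```javascript
// Added illustration (not React's code): a server-style function that converts an
// argument to a string leaks its own source when handed a function reference.

// Vulnerable pattern: userId is interpolated into a template literal. If the
// caller manages to pass a function instead of a string, the interpolation calls
// Function.prototype.toString and the function's source text, including the
// literal below, becomes part of the response.
function lookupVulnerable(userId) {
  const apiKey = "sk-constructed-example-0000"; // constructed secret, hardcoded on purpose
  void apiKey; // would normally be sent to an upstream service
  return `record for ${userId}`;
}

// Hardened pattern: reject anything that is not the expected primitive before it
// reaches a template literal, String(), string concatenation or .toString().
function lookupHardened(userId) {
  if (typeof userId !== "string") {
    throw new TypeError("userId must be a string");
  }
  const apiKey = "sk-constructed-example-0000";
  void apiKey;
  return `record for ${userId}`;
}

// Stand-in for the request path (assumed helper): in the real issue the hostile
// argument arrives in the HTTP body of a server-function call; here it is passed
// directly so the example runs offline.
function invoke(handler, arg) {
  try {
    return { ok: true, body: handler(arg) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// True if calling the handler with a function reference as the argument exposes
// the hardcoded literal in the response body.
function leaksSecret(handler) {
  const result = invoke(handler, handler); // hostile argument: a function, not a string
  return result.ok && result.body.includes("sk-constructed-example-0000");
}

// Both versions still serve the benign case.
function worksForStrings(handler) {
  return invoke(handler, "alice").body === "record for alice";
}

console.log("vulnerable leaks secret:", leaksSecret(lookupVulnerable)); // true
console.log("hardened leaks secret:  ", leaksSecret(lookupHardened));   // false
```

    The point of the hardened version is that the check happens before any string conversion; validating after the fact, or only checking the shape of the returned string, would still let the source text escape. Any argument that ends up in String(), a template literal or concatenation should be pinned to a primitive type the same way.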

    According to the React team, "This creates a vulnerability vector where an attacker may be able to deny users from accessing the product, and potentially have a performance impact on the server environment."

    In its statement, Meta acknowledged that the new vulnerabilities are related to the earlier React2Shell bug and affect the same packages, and stressed that the earlier patch does not protect against them; only the newer releases do.

    Coalition, a cyber-insurance provider, has likened React2Shell to the 2021 Log4Shell vulnerability, which led to hundreds of ransomware attacks. The comparison underlines the severity of the issue and the need for organizations to patch their applications immediately.

    In light of these bugs, organizations that use React Server Components should update to the latest patched React releases, and should verify the resolved versions in their lockfiles rather than relying on package.json ranges, since the affected packages are often pulled in transitively by a framework. Third-party libraries and dependencies that bundle those packages must be updated as well.
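    One way to do that lockfile check, as an added example that is not part of the original article or of the React project's tooling: a Node.js script that walks an npm lockfile (lockfileVersion 2 or 3) for the React Server Components packages (react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack, names assumed here from the React advisory) and compares each installed copy, nested ones included, against a per-minor-line fixed-version floor. The sample lockfile and the DEMO_FLOORS values are constructed for the demonstration and are deliberately not the real patched versions; take those from the React advisory or the NVD entries listed below.

```javascript
// Added example: audit an npm lockfile for React Server Components packages.
// Not React's own tooling. Package names are assumed from the React advisory;
// the version floors must be supplied by the reader from that advisory.

const WATCHED = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// "19.2.0-canary-abc" -> [19, 2, 0]; pre-release suffixes are dropped so a
// canary below the floor is still reported (the conservative choice).
function parseVersion(v) {
  return String(v).split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}

// -1, 0 or 1 comparing major.minor.patch numerically (no semver dependency).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// lock: parsed package-lock.json (lockfileVersion 2/3 lists every installed copy
// under "packages" keyed by its node_modules path, so duplicates nested under a
// framework are seen too).
// floors: { "19.2": "19.2.x", ... } lowest safe patch release per minor line.
// A watched package on a line with no floor is reported as "unknown" rather
// than silently passed.
function auditLockfile(lock, floors) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || !meta || !meta.version) continue; // "" is the root project
    const name = meta.name || path.split("node_modules/").pop();
    if (!WATCHED.has(name)) continue;
    const [major, minor] = parseVersion(meta.version);
    const floor = floors[`${major}.${minor}`] || null;
    const status = !floor
      ? "unknown"
      : compareVersions(meta.version, floor) < 0
        ? "vulnerable"
        : "ok";
    findings.push({ path, name, version: meta.version, floor, status });
  }
  return findings;
}

// Constructed lockfile excerpt for the demonstration.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-framework/node_modules/react-server-dom-turbopack": { version: "19.1.5" },
    "node_modules/some-framework/node_modules/react-server-dom-parcel": { version: "19.3.0-canary-0" },
  },
};

// Constructed floors: placeholders, deliberately NOT the real patched versions.
// Replace with the values from the React advisory for CVE-2025-55182/55183/55184/67779.
const DEMO_FLOORS = { "19.0": "19.0.5", "19.1": "19.1.5", "19.2": "19.2.5" };

if (process.argv[2]) {
  // Usage: node audit-rsc.js path/to/package-lock.json
  const fs = require("node:fs");
  console.table(auditLockfile(JSON.parse(fs.readFileSync(process.argv[2], "utf8")), DEMO_FLOORS));
} else {
  console.table(auditLockfile(SAMPLE_LOCK, DEMO_FLOORS));
}
```

    Run it against each deployable's package-lock.json, not just the repository root, and treat "unknown" rows as work items: a minor line the floor table does not cover has not been assessed, and a nested copy under a framework is the one the server actually loads.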

    The incident serves as a stark reminder of the importance of keeping software up-to-date and taking proactive measures to protect against emerging vulnerabilities.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-React-Vulnerabilities-Expose-Secrets-and-Invite-DoS-Attacks-ehn.shtml

  • https://www.theregister.com/2025/12/12/new_react_secretleak_bugs/

  • https://thehackernews.com/2025/12/new-react-rsc-vulnerabilities-enable.html

  • https://nvd.nist.gov/vuln/detail/CVE-2025-55184

  • https://www.cvedetails.com/cve/CVE-2025-55184/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-55182

  • https://www.cvedetails.com/cve/CVE-2025-55182/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-67779

  • https://www.cvedetails.com/cve/CVE-2025-67779/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-55183

  • https://www.cvedetails.com/cve/CVE-2025-55183/


  • Published: Fri Dec 12 12:36:16 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.