Your React Server Is a Target: 3 New Flaws Expose Critical Risks


When the “React2Shell” vulnerability was disclosed, it immediately drew attention across the JavaScript and web security communities. Teams rushed to assess their exposure, apply patches, and reassure stakeholders. For many, it felt like a serious but contained incident.


That sense of closure was short-lived.


In the weeks following the initial disclosure, security researchers uncovered three additional critical vulnerabilities affecting popular React and React Native libraries. These newly assigned CVEs did not exist in isolation. They emerged precisely because the original finding put the ecosystem under intense scrutiny.


This pattern is common in security. One high-profile vulnerability acts like a spotlight, revealing deeper structural weaknesses that had gone unnoticed. In this case, that spotlight exposed flaws that affect how React servers handle requests, even in configurations developers assumed were safe.


Together, these issues reveal uncomfortable truths about supply-chain risk, defensive assumptions, and the real-world gap between “we don’t use that feature” and “we’re not vulnerable.” For organisations running React-based servers at scale, the implications are serious.


Why these React vulnerabilities matter now


React is no longer just a front-end library. Modern React applications increasingly rely on server-side rendering, server components, and backend logic running in Node.js environments. That shift expands React’s role from UI layer to infrastructure component.


As a result, vulnerabilities in React server logic are not cosmetic bugs. They can directly impact availability, confidentiality, and operational stability.


The three newly disclosed CVEs highlight how quickly a trusted dependency can turn into an attack surface. More importantly, they show how attackers can exploit assumptions that developers and security teams routinely make.


Three critical takeaways from the new React vulnerabilities


These vulnerabilities are not just follow-up issues to the original discovery. They expose systemic risks that many teams are currently underestimating.


Takeaway 1: You’re vulnerable even if you don’t use the feature


Two of the newly disclosed flaws, CVE-2025-5184 and CVE-2025-6779, are rated high severity, each with a CVSS score of 7.5. Both vulnerabilities allow an attacker to trigger a denial-of-service condition by forcing the server into an infinite loop using a specially crafted HTTP request.


The surprising part is not the DoS itself. It’s the scope of exposure. Even servers that do not actively implement React server function endpoints are still vulnerable. The attack does not depend on developers enabling or using a specific feature. The vulnerable code path can be reached regardless, simply by how the server processes incoming requests. This creates a dangerous blind spot.


Many organisations rely on configuration-based reasoning when assessing risk. If a feature is disabled or unused, it’s often assumed to be harmless. Asset inventories and automated scanners may reinforce this assumption by marking systems as “not affected” based on feature flags or routing logic. Attackers do not share that assumption.


By exploiting this flaw, an attacker can overwhelm production services with minimal effort, causing outages without authentication or advanced techniques. In practice, this means downtime, failed requests, breached SLAs, and potential financial impact. For teams operating high-traffic React servers, this kind of vulnerability turns availability into a liability overnight.


Takeaway 2: Your Hard-Coded Secrets Are at Risk


The third vulnerability, CVE-2025-5183, carries a medium severity rating with a CVSS score of 5.2. At first glance it appears less alarming than a denial-of-service flaw; in reality, it may be more dangerous.


This vulnerability allows a specially crafted HTTP request to cause the server to return portions of its own source code. While runtime secrets stored in environment variables are not affected, any secrets hard-coded into the application are exposed. That includes API keys, service tokens, internal endpoints, and sometimes database credentials.


For an attacker, this is a gift.


Source code leakage is a powerful reconnaissance tool. Even a small snippet of code can reveal architectural decisions, third-party services in use, internal naming conventions, and trust boundaries. If a valid API key or credential is exposed, the attacker gains a foothold that extends far beyond the original server.


This is where severity ratings can be misleading. A “medium” vulnerability that leaks secrets can quickly escalate into a full breach. Once credentials are compromised, attackers can pivot laterally, access external services, exfiltrate data, or plant persistent backdoors.


In many real-world incidents, breaches do not begin with remote code execution; they begin with leaked secrets and poor isolation.
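The refactor this section is arguing for, shown as an added example in JavaScript that is not part of the original post and is not One Compliance's or React's own code: a small scanner that flags the kinds of literals a source-code leak would expose, next to the environment-variable pattern that the article notes is not affected by such a leak. The three detection patterns, the sample source file and the helper names are constructed for illustration; extend the patterns to match the token formats your own stack uses.

```javascript
// Added example, not from the article: find secrets that are hard-coded into
// application source (and would therefore ship with any leaked file), and show
// the runtime lookup that keeps them out of the source entirely.
// Assumptions: the patterns below are illustrative, not exhaustive; the sample
// source is constructed, and the AWS key is Amazon's documented example value.

const SECRET_PATTERNS = [
  // AWS access key IDs have a fixed public prefix and a fixed length.
  { kind: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/g },
  // "apiKey = '...'" style assignments whose literal value is long enough to be a credential.
  { kind: 'assigned-secret', re: /\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['"`]([^'"`]{12,})['"`]/gi },
  // Bearer tokens embedded directly in string literals.
  { kind: 'bearer-token', re: /Bearer\s+[A-Za-z0-9\-._~+/]{20,}=*/g },
];

// Never echo the secret itself into a report; a scanner log is another place it could leak from.
function redact(value) {
  return value.length <= 8 ? '***' : `${value.slice(0, 4)}…(${value.length} chars)`;
}

// Returns one finding per match: { line, kind, preview }.
function findHardcodedSecrets(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const { kind, re } of SECRET_PATTERNS) {
      re.lastIndex = 0; // regexes are shared and global, so reset per line
      let m;
      while ((m = re.exec(text)) !== null) {
        const value = m[2] !== undefined ? m[2] : m[0];
        findings.push({ line: idx + 1, kind, preview: redact(value) });
      }
    }
  });
  return findings;
}

// The safe pattern: resolve the secret at runtime from the environment (or a
// secret manager) and fail loudly if it is missing, instead of falling back to a
// literal default that would end up in the source.
function requireSecret(name, env = process.env) {
  const value = env[name];
  if (typeof value !== 'string' || value.trim() === '') {
    throw new Error(`Missing required secret ${name}; refusing to start with a built-in default`);
  }
  return value;
}

// Constructed sample source: three leaks and one correctly handled secret.
const SAMPLE_SOURCE = [
  "import fetch from 'node-fetch';",
  "// BAD: literal credentials ship inside the bundle and leak with the source",
  "const apiKey = 'sk_live_0123456789abcdef0123';",
  "const awsKey = 'AKIAIOSFODNN7EXAMPLE';",
  "const headers = { Authorization: 'Bearer eyJhbGciOiJIUzI1NiJ9.e30.abcdefghijklmnopqrstuvwxyz' };",
  "// GOOD: resolved at runtime, never present in the source",
  "const dbPassword = process.env.DB_PASSWORD;",
].join('\n');

// Human-readable report lines for a CI log or pre-commit hook.
function report(source) {
  return findHardcodedSecrets(source).map(f => `line ${f.line}: ${f.kind} ${f.preview}`);
}

console.log(report(SAMPLE_SOURCE).join('\n'));
```

Run with `node` as a pre-commit or CI gate over the files that build into the server bundle. Note that the `process.env.DB_PASSWORD` line produces nothing for a scanner to find, which is exactly why a leak of that file would not expose it.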


Takeaway 3: Massive Scale Amplifies the Threat


React’s popularity turns these vulnerabilities from isolated bugs into ecosystem-level risks.


With nearly two billion lifetime downloads and an average of around 20 million downloads per week, React is everywhere, and so are the servers built on it. That includes startups, enterprises, internal tools, customer-facing applications, and critical infrastructure services.


At this scale, attackers do not need to target individual organisations manually. Automated scanning tools can identify vulnerable servers across the internet in hours, not weeks. Once identified, exploitation can be scripted and repeated at massive scale. This dramatically shortens the remediation window.


Security teams may plan to patch during the next sprint or scheduled maintenance window. Attackers do not wait. History shows that once proof-of-concept exploits circulate, malicious activity follows quickly. That activity often includes credential harvesting, malware installation, and cryptomining.


For organisations running unpatched React servers, the question is no longer “if” but “when.”


What development teams should do immediately


These vulnerabilities reinforce several best practices that teams often acknowledge but delay in practice.


First, patch aggressively. If you are running affected versions, treat updates as urgent, not routine.


Second, assume features you do not use can still hurt you. Vulnerability assessments must consider reachable code paths, not just configured functionality.


Third, eliminate hard-coded secrets. Even if this vulnerability did not exist, hard-coded credentials are a known risk. This incident simply makes the consequences more visible.


Finally, monitor actively. Increased logging, anomaly detection, and request pattern analysis can help identify exploitation attempts before they cause widespread damage.
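One concrete form of the "monitor actively" recommendation, shown as an added example in JavaScript that is not part of the original post and is not One Compliance's or React's code: request-pattern analysis over reverse-proxy access logs that flags a single source repeatedly hitting the hard request timeout (the symptom a request that pins the server's event loop produces from the outside) and bursts of requests from one client. The log format, field names, thresholds, function names and sample entries are all constructed for this example; adapt them to whatever your proxy or load balancer actually emits.

```javascript
// Added example, not from the article: flag request patterns in access logs
// that are consistent with an availability attack against a React server.
// Assumptions (constructed): JSON-lines log records with fields
// ts (epoch ms), ip, method, path, status, duration_ms; thresholds below are
// starting points, not tuned values.

const DEFAULTS = {
  timeoutMs: 30000,     // the proxy's upstream timeout; a request at/over it was cut off
  stallThreshold: 2,    // this many timed-out requests from one IP is a finding
  burstWindowMs: 10000, // sliding window for the rate heuristic
  burstThreshold: 20,   // requests per window from one IP that count as a burst
};

// Parse one log line; malformed or incomplete lines return null and are skipped
// so a bad record never stops the analysis.
function parseLogLine(line) {
  try {
    const r = JSON.parse(line);
    if (typeof r.ip !== 'string' || typeof r.ts !== 'number') return null;
    return r;
  } catch (err) {
    return null;
  }
}

// Returns findings: { ip, kind: 'stalled-requests' | 'burst', count, paths? }.
function analyzeAccessLog(lines, opts = {}) {
  const cfg = { ...DEFAULTS, ...opts };
  const byIp = new Map();
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (!rec) continue;
    if (!byIp.has(rec.ip)) byIp.set(rec.ip, []);
    byIp.get(rec.ip).push(rec);
  }

  const findings = [];
  for (const [ip, recs] of byIp) {
    recs.sort((a, b) => a.ts - b.ts);

    // Heuristic 1: repeated requests that hit the upstream timeout. One stall can
    // be a slow backend; several from the same source, especially to the same
    // path, look like deliberate attempts to keep the server busy.
    const stalled = recs.filter(r => r.duration_ms >= cfg.timeoutMs || r.status === 504);
    if (stalled.length >= cfg.stallThreshold) {
      findings.push({
        ip, kind: 'stalled-requests', count: stalled.length,
        paths: [...new Set(stalled.map(r => r.path))],
      });
    }

    // Heuristic 2: request bursts, measured with a sliding window over sorted timestamps.
    let start = 0;
    let maxInWindow = 0;
    for (let end = 0; end < recs.length; end++) {
      while (recs[end].ts - recs[start].ts > cfg.burstWindowMs) start++;
      maxInWindow = Math.max(maxInWindow, end - start + 1);
    }
    if (maxInWindow >= cfg.burstThreshold) {
      findings.push({ ip, kind: 'burst', count: maxInWindow });
    }
  }
  return findings;
}

// Constructed sample log: one client whose requests all time out, one normal
// browsing client, one client with a single slow request, and one garbage line.
const SAMPLE_LOG = (() => {
  const t0 = 1700000000000;
  const rows = [
    { ts: t0,         ip: '203.0.113.7',  method: 'POST', path: '/',            status: 504, duration_ms: 30000 },
    { ts: t0 + 1000,  ip: '203.0.113.7',  method: 'POST', path: '/',            status: 504, duration_ms: 30000 },
    { ts: t0 + 2000,  ip: '203.0.113.7',  method: 'POST', path: '/',            status: 504, duration_ms: 30000 },
    { ts: t0,         ip: '198.51.100.5', method: 'GET',  path: '/products',    status: 200, duration_ms: 85 },
    { ts: t0 + 12000, ip: '198.51.100.5', method: 'GET',  path: '/products/42', status: 200, duration_ms: 91 },
    { ts: t0 + 24000, ip: '198.51.100.5', method: 'GET',  path: '/cart',        status: 200, duration_ms: 77 },
    { ts: t0 + 5000,  ip: '192.0.2.9',    method: 'GET',  path: '/reports',     status: 504, duration_ms: 30000 },
  ].map(r => JSON.stringify(r));
  rows.push('not a json line'); // must be skipped, not crash the run
  return rows;
})();

console.log(JSON.stringify(analyzeAccessLog(SAMPLE_LOG), null, 2));
```

Feed this the reverse-proxy or load-balancer logs rather than the application's own: a Node process stuck in a synchronous loop cannot write its own access-log line for the request that stalled it, so the timeout is only recorded one hop upstream. Pair it with an in-process liveness probe such as Node's `perf_hooks.monitorEventLoopDelay()` so that a pinned worker is detected and recycled even before the log analysis runs.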


What these React vulnerabilities mean for your security strategy


The rapid discovery of these vulnerabilities following the original React server incident is not a coincidence. It reflects a well-established pattern in cybersecurity. When a major flaw is found in widely used software, it often signals the beginning of a broader wave of discoveries.


As one analysis aptly puts it:


“In cybersecurity, it is not uncommon that when lightning strikes, you can expect it to strike again.”


For development leaders, this raises a hard but necessary question. Are your dependency management, patching processes, and security assumptions strong enough for the reality of modern open-source ecosystems? Because in today’s software supply chain, lightning rarely strikes just once.


Book a penetration test with One Compliance


Patching known CVEs is important, but it doesn’t always tell you whether your production systems can be exploited in practice. The vulnerabilities described here show how assumptions about unused features and “safe” configurations can break down in real-world attacks. 


A targeted penetration test can help confirm whether these flaws or similar dependency-level issues are reachable in your environment, including attack paths your team may not be aware of. If you want clarity instead of guesswork, a penetration test is the fastest way to get it.


Book a penetration test with One Compliance today.

Copyright © 2026 One Compliance Cyber Limited.