From 27aac372b8729992ca97f47dabc426a7356f52b3 Mon Sep 17 00:00:00 2001 From: Sebastian Sebbie Silbermann Date: Wed, 8 Apr 2026 19:46:31 +0200 Subject: [PATCH 1/2] Update blog post to include recent CVE --- ...ode-exposure-in-react-server-components.md | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md b/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md index 70e5c2e658b..6ea503fd5c1 100644 --- a/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md +++ b/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md 
@@ -2,20 +2,20 @@ title: "Denial of Service and Source Code Exposure in React Server Components" author: The React Team date: 2025/12/11 -description: Security researchers have found and disclosed two additional vulnerabilities in React Server Components while attempting to exploit the patches in last week’s critical vulnerability. High vulnerability Denial of Service (CVE-2025-55184), and medium vulnerability Source Code Exposure (CVE-2025-55183) +description: Security researchers have found and disclosed three additional vulnerabilities in React Server Components while attempting to exploit the patches in last week’s critical vulnerability. High vulnerability Denial of Service (CVE-2025-55184), high vulnerability Denial of Service (CVE-2026-23869), and medium vulnerability Source Code Exposure (CVE-2025-55183) --- December 11, 2025 by [The React Team](/community/team) -_Updated January 26, 2026._ +_Updated April 8th, 2026._ --- -Security researchers have found and disclosed two additional vulnerabilities in React Server Components while attempting to exploit the patches in last week’s critical vulnerability. +Security researchers have found and disclosed three additional vulnerabilities in React Server Components while attempting to exploit the patches in last week’s critical vulnerability. **These new vulnerabilities do not allow for Remote Code Execution.** The patch for React2Shell remains effective at mitigating the Remote Code Execution exploit. 
@@ -36,13 +36,13 @@ We recommend upgrading immediately due to the severity of the newly disclosed vu If you already updated for the previous vulnerabilities, you will need to update again. -If you updated to 19.0.3, 19.1.4, and 19.2.3, [these are incomplete](#additional-fix-published), and you will need to update again. +If you updated to 19.0.4, 19.1.5, and 19.2.4, [these are incomplete](#additional-fix-published), and you will need to update again. Please see [the instructions in the previous post](/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions) for upgrade steps. ----- -_Updated January 26, 2026._ +_Updated April 8th, 2026._ @@ -52,7 +52,7 @@ Further details of these vulnerabilities will be provided after the rollout of t These vulnerabilities are present in the same packages and versions as [CVE-2025-55182](/blog/2025/12/03/critical-security-vulnerability-in-react-server-components). -This includes 19.0.0, 19.0.1, 19.0.2, 19.0.3, 19.1.0, 19.1.1, 19.1.2, 19.1.3, 19.2.0, 19.2.1, 19.2.2, and 19.2.3 of: +This includes 19.0.0, 19.0.1, 19.0.2, 19.0.3, 19.0.4, 19.1.0, 19.1.1, 19.1.2, 19.1.3, 19.1.5, 19.2.0, 19.2.1, 19.2.2, 19.2.3, and 19.2.4 of: * [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack) * [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel) 
@@ -118,13 +118,13 @@ The patches published January 26th mitigate these DoS vulnerabilities. #### Additional fixes published {/*additional-fix-published*/} -The original fix addressing the DoS in [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) was incomplete. +The original fix addressing the DoS in [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) and [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779) were incomplete. -This left previous versions vulnerable. Versions 19.0.4, 19.1.5, 19.2.4 are safe. +This left previous versions vulnerable. Versions 19.0.5, 19.1.6, 19.2.5 are safe. ----- -_Updated January 26, 2026._ +_Updated April 8th, 2026._ @@ -132,7 +132,7 @@ _Updated January 26, 2026._ ## High Severity: Denial of Service {/*high-severity-denial-of-service*/} -**CVEs:** [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) and [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779) +**CVEs:** [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184), [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779), and [CVE-2026-23869](https://www.cve.org/CVERecord?id=CVE-2026-23869) **Base Score:** 7.5 (High) Security researchers have discovered that a malicious HTTP request can be crafted and sent to any Server Functions endpoint that, when deserialized by React, can cause an infinite loop that hangs the server process and consumes CPU. Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components. 
@@ -195,6 +195,7 @@ Always verify against production bundles. * **December 11th**: Patches published and publicly disclosed as [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) and [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184). * **December 11th**: Missing DoS case found internally, patched and publicly disclosed as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779). * **January 26th**: Additional DoS cases found, patched, and publicly disclosed as [CVE-2026-23864](https://www.cve.org/CVERecord?id=CVE-2026-23864). +* **April 8th**: Additional DoS cases found, patched, and publicly disclosed as [CVE-2026-23869](https://www.cve.org/CVERecord?id=CVE-2026-23869). --- ## Attribution {/*attribution*/} From 9ad80111cf0b6eaf2fa39f3b425dbe832be9c3f1 Mon Sep 17 00:00:00 2001 From: Sebastian Sebbie Silbermann Date: Wed, 8 Apr 2026 21:28:25 +0200 Subject: [PATCH 2/2] Same procedure as last time --- ...ulnerability-in-react-server-components.md | 28 ++++--------------- ...ode-exposure-in-react-server-components.md | 6 ++-- 2 files changed, 8 insertions(+), 26 deletions(-) diff --git a/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md b/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md index 310a8411611..f37a5543984 100644 --- a/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md +++ b/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md 
@@ -62,7 +62,7 @@ An unauthenticated attacker could craft a malicious HTTP request to any Server F These instructions have been updated to include the new vulnerabilities: -- **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) and [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779) (CVSS 7.5) +- **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184), [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779), and [CVE-2026-23869](https://www.cve.org/CVERecord?id=CVE-2026-23869) (CVSS 7.5) - **Source Code Exposure - Medium Severity**: [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) (CVSS 5.3) - **Denial of Service - High Severity**: January 26, 2026 [CVE-2026-23864](https://www.cve.org/CVERecord?id=CVE-2026-23864) (CVSS 7.5) @@ -70,7 +70,7 @@ See the [follow-up blog post](/blog/2025/12/11/denial-of-service-and-source-code ----- -_Updated January 26, 2026._ +_Updated April 8th, 2026._ ### Next.js {/*update-next-js*/} 
@@ -78,29 +78,11 @@ _Updated January 26, 2026._ All users should upgrade to the latest patched version in their release line: ```bash -npm install next@14.2.35 // for 13.3.x, 13.4.x, 13.5.x, 14.x -npm install next@15.0.8 // for 15.0.x -npm install next@15.1.12 // for 15.1.x -npm install next@15.2.9 // for 15.2.x -npm install next@15.3.9 // for 15.3.x -npm install next@15.4.11 // for 15.4.x -npm install next@15.5.10 // for 15.5.x -npm install next@16.0.11 // for 16.0.x -npm install next@16.1.5 // for 16.1.x - -npm install next@15.6.0-canary.60 // for 15.x canary releases -npm install next@16.1.0-canary.19 // for 16.x canary releases +npm install next@15.5.15 // for 15.x +npm install next@16.2.3 // for 16.x ``` -15.0.8, 15.1.12, 15.2.9, 15.3.9, 15.4.10, 15.5.10, 15.6.0-canary.61, 16.0.11, 16.1.5 - -If you are on version `13.3` or later version of Next.js 13 (`13.3.x`, `13.4.x`, or `13.5.x`) please upgrade to version `14.2.35`. - -If you are on `next@14.3.0-canary.77` or a later canary release, downgrade to the latest stable 14.x release: - -```bash -npm install next@14 -``` +If you are on version `13.3` or later version of Next.js 13 (`13.3.x`, `13.4.x`, or `13.5.x`) or on any Next.js 14, please upgrade to version `15.5.15`. See the [Next.js blog](https://nextjs.org/blog/security-update-2025-12-11) for the latest update instructions and the [previous changelog](https://nextjs.org/blog/CVE-2025-66478) for more info. diff --git a/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md b/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md index 6ea503fd5c1..632aed465c3 100644 --- a/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md +++ b/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md 
@@ -2,7 +2,7 @@ title: "Denial of Service and Source Code Exposure in React Server Components" author: The React Team date: 2025/12/11 -description: Security researchers have found and disclosed three additional vulnerabilities in React Server Components while attempting to exploit the patches in last week’s critical vulnerability. High vulnerability Denial of Service (CVE-2025-55184), high vulnerability Denial of Service (CVE-2026-23869), and medium vulnerability Source Code Exposure (CVE-2025-55183) +description: Security researchers have found and disclosed two additional vulnerabilities in React Server Components while attempting to exploit the patches in last week’s critical vulnerability. High vulnerability Denial of Service (CVE-2025-55184), and medium vulnerability Source Code Exposure (CVE-2025-55183) --- @@ -15,7 +15,7 @@ _Updated April 8th, 2026._ -Security researchers have found and disclosed three additional vulnerabilities in React Server Components while attempting to exploit the patches in last week’s critical vulnerability. +Security researchers have found and disclosed two additional vulnerabilities in React Server Components while attempting to exploit the patches in last week’s critical vulnerability. **These new vulnerabilities do not allow for Remote Code Execution.** The patch for React2Shell remains effective at mitigating the Remote Code Execution exploit. @@ -118,7 +118,7 @@ The patches published January 26th mitigate these DoS vulnerabilities. #### Additional fixes published {/*additional-fix-published*/} -The original fix addressing the DoS in [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) and [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779) were incomplete. +The original fix addressing the DoS in [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) was incomplete. This left previous versions vulnerable. Versions 19.0.5, 19.1.6, 19.2.5 are safe.
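Review bot: the replacement line `_Updated April 8th, 2026._` (introduced in the @@ -36,13 hunk and repeated wherever the `_Updated` stamp is rewritten in both files) switches to an ordinal date, while the line it replaces, `_Updated January 26, 2026._`, and the post's own date line use the plain form; suggest `_Updated April 8, 2026._` at every occurrence. In the same @@ -36 hunk, `If you updated to 19.0.4, 19.1.5, and 19.2.4` reads better as `or`, since a reader is on one of those versions, not all three.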
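Review bot: the affected-versions list in the @@ -52,7 hunk adds 19.0.4, 19.1.5 and 19.2.4 but still skips 19.1.4, even though the line removed in the @@ -36,13 hunk named 19.1.4 alongside 19.0.3 and 19.2.3 as an incomplete fix. Either 19.1.4 is vulnerable and belongs in this list, or the earlier @@ -36 text was wrong; the patch should settle which before it lands, because readers use this list to decide whether they must upgrade.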
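Review bot: in the @@ -118,13 hunk, `The original fix addressing the DoS in [CVE-2025-55184] and [CVE-2025-67779] were incomplete` pairs a singular subject (`fix`) with a plural verb; write `fixes ... were` or `fix ... was`. The unchanged context line above the hunk, `The patches published January 26th mitigate these DoS vulnerabilities.`, still credits the January patches while the hunk now names 19.0.5, 19.1.6 and 19.2.5 as the safe versions; that sentence should mention the April 8th release, or readers on the January versions will take them as sufficient.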
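Review bot: the `**CVEs:**` line in the @@ -132,7 hunk now lists CVE-2025-55184, CVE-2025-67779 and CVE-2026-23869, but not CVE-2026-23864, which the @@ -195,6 timeline records as the January 26th DoS disclosure and which the 12/03 post's @@ -62,7 hunk files under the same High Severity Denial of Service heading. Confirm whether leaving 23864 out of this list is intentional or whether it should be added so the two posts agree.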
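Review bot: the @@ -62,7 hunk folds the new CVE-2026-23869 into the first Denial of Service bullet, while CVE-2026-23864 keeps its own bullet prefixed with `January 26, 2026`. Follow one pattern: give the April 8th CVE its own dated bullet like the January one, or fold 23864 into the first bullet as well; mixing the two styles makes it unclear which set of fixes a reader already has.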
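Review bot: the two retained `npm install` lines in the @@ -78,29 hunk carry their version notes as `// for 15.x` and `// for 16.x` inside a ```bash block; `//` is not a comment in bash, so a reader who copies the line runs `npm install next@15.5.15 // for 15.x` with three extra package arguments. Use `#` instead (`npm install next@15.5.15  # for 15.x`). The same hunk also drops the 14.2.35 line and the canary guidance and tells 13.3+ and all 14.x users to upgrade to 15.5.15, a major-version jump, without saying so, and the unchanged trailing line still points readers to the `security-update-2025-12-11` Next.js post for "the latest update instructions"; both should be revisited for the April 8th release.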
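Review bot: PATCH 2/2 reverts two of the edits PATCH 1/2 made to the same file: the description and intro go from `three additional vulnerabilities` back to `two` (@@ -2,7 and @@ -15,7 hunks), and the `#additional-fix-published` sentence drops CVE-2025-67779 again (@@ -118,7 hunk), while the commit message `Same procedure as last time` does not say why. Squash the two commits so the net change is what gets reviewed, or explain the reversal in the message; as submitted, the first commit's CVE-2026-23869 description never reaches the published page.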