Echoes of React2Shell: Pandora’s Box Has Been Opened
We barely had time to cool down after the critical React2Shell vulnerability (the one with a perfect "ten" on the CVSS scale, which I wrote about earlier), and Vercel is already sending notifications that are ruining our weekend coffee again.
In the security world, there is a phenomenon I call the "Flashlight Effect." When a massive hole appears in a large, popular codebase (like Next.js or React), thousands of security researchers suddenly point their beams of light right at it. Everyone wants to find "the other" vulnerability. And you know what? They just found it. Or actually – they found two.
Here is what you need to know about the new CVEs that surfaced on December 12th, and why your previous update isn't enough.
What was found in the rubble?
The bug bounty effort run jointly by Vercel and Meta revealed that the problem with React Server Components (RSC) runs deeper than we thought. We are dealing with two new actors on the stage:
1. CVE-2025-55184: The Loop of Death (Denial of Service)
Severity: High
This is a classic DoS attack, but with a modern twist. A single malicious HTTP request sent to an App Router endpoint can send the server process into an endless loop while the React Server Components runtime deserializes the request payload, pinning the CPU at 100% and starving every other request. Notably, the bulletin mentions that the first fix for this bug was incomplete, which resulted in a follow-up identifier, CVE-2025-67779. This shows just how tricky this material is: even the framework's own authors needed more than one try to close the door properly. The practical consequence is that "I updated last week" is not a sufficient answer; the version you run has to contain the follow-up fix as well, not only the first one.
2. CVE-2025-55183: Code Exhibitionism (Source Code Exposure)
Severity: Medium
Here the matter is less destructive, but more embarrassing. A specially crafted request can force the server to return the compiled source code of your Server Actions.
The good news? If you follow best practices and keep secrets (API keys, passwords) in environment variables (.env), reading them at runtime through process.env rather than hardcoding them as string literals in .ts/.js files, you are relatively safe: the leaked bundle contains the variable's name, not its value.
The bad news? The attacker gets to know your business logic. They see how you validate data, which checks you skipped, what your edge cases are, and which internal endpoints you call. That is a perfect map for planning further attacks, so treat a leak of this kind as reconnaissance that has already happened.
Why is this important?
First: Scope. The problem affects React 19 (versions 19.0.0 to 19.2.1) and Next.js (from versions 13.x all the way to the newest 16.x). The common factor is React Server Components: if you use the App Router, you are in the crosshairs; a project that uses only the Pages Router is not affected by these two CVEs.
Second: A false sense of security. Many admins breathed a sigh of relief after patching React2Shell. However, Vercel's message is brutally clear:
"Even customers who have patched against React2Shell need to upgrade to the latest version."
This is not an optional optimization patch. It is a necessity.
A reflection for the weekend
What we are witnessing is the growing pains of React Server Components. Moving rendering logic to the server has blurred the line between frontend and backend, creating new attack vectors that we are just learning about.
Remember the principle of limited trust. Frameworks do a lot of magic for us, but when the magic fails, we are left with our hands in... the server logs.
What to do?
- Don't wait until Monday. Update next and react to the latest versions (patched as of December 12th), and make sure the release you land on also contains the follow-up fix for CVE-2025-67779, since the first fix for the DoS was incomplete. Check what is actually installed (for example with npm ls react next, or the equivalent for your package manager) rather than trusting the ranges in package.json.
- Audit your code for hardcoded secrets – CVE-2025-55183 does not forgive laziness. Move anything you find into environment variables and rotate it, because you cannot know whether the source has already been pulled.
- If you host on Vercel – check the dashboard, but for peace of mind trigger a redeploy so that the build actually picks up the patched dependencies.
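To make the audit step concrete, here is an added example (not code from the original post, from React or from Vercel): a small JavaScript scanner that flags secret-looking string literals in Server Action source files. With CVE-2025-55183 the compiled source of a Server Action can be handed to an attacker, so any credential inlined as a literal is effectively public, whereas a runtime read of process.env.NAME only reveals the name. The identifier pattern, the list of credential formats, the length and entropy thresholds, and the two sample files are assumptions chosen for illustration.

```javascript
// Added example (not code from the original post, React or Vercel): a small
// scanner for the "audit your code for hardcoded secrets" step. With
// CVE-2025-55183 the compiled source of a Server Action can be handed to an
// attacker, so any credential inlined as a string literal is effectively
// public, whereas a runtime read of process.env.NAME only reveals the name.
// The identifier pattern, the prefix list, the thresholds and the two sample
// files below are assumptions chosen for illustration.

// Identifiers that usually hold credentials (assumption: tune for your code base).
const SECRET_NAME = /(api[_-]?key|secret|password|passwd|token|private[_-]?key)/i;

// Illustrative credential formats; not an exhaustive list.
const KNOWN_PREFIXES = [
  /AKIA[0-9A-Z]{16}/,                 // AWS access key id shape
  /sk_(live|test)_[0-9A-Za-z]{16,}/,  // Stripe-style secret key shape
  /ghp_[0-9A-Za-z]{36}/,              // GitHub personal access token shape
  /-----BEGIN [A-Z ]*PRIVATE KEY-----/,
];

// name = "...", name: '...' or name = `...` with a string literal on the right.
const ASSIGNMENT = /\b([A-Za-z_$][\w$]*)\s*[:=]\s*(["'`])((?:\\.|(?!\2)[^\\\n])*)\2/g;

// Shannon entropy in bits per character; random-looking keys score high.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Scans one file's text and returns at most one finding per line:
// { line, name, reason }. Lines that read process.env produce no finding,
// because nothing secret is present in the source itself.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    const line = idx + 1;
    const hit = KNOWN_PREFIXES.find((re) => re.test(text));
    if (hit) {
      findings.push({ line, name: null, reason: `known credential format ${hit.source}` });
      return;
    }
    for (const m of text.matchAll(ASSIGNMENT)) {
      const [, name, , value] = m;
      if (!SECRET_NAME.test(name) || value.length < 8) continue; // skip "" / "todo"
      const reason = shannonEntropy(value) >= 3.0
        ? 'high-entropy literal assigned to a secret-like name'
        : 'literal assigned to a secret-like name';
      findings.push({ line, name, reason });
      return; // one finding per line is enough for triage
    }
  });
  return findings;
}

// Constructed sample 1: a Server Action that inlines its credentials.
const HARDCODED_ACTION = [
  "'use server'",
  'const PAYMENTS_API_KEY = "sk_live_51H8a9zKq3L2mNpRtVwXy7Bc4";',
  "const adminPassword = 'Tr0ub4dor&3-extra';",
  'export async function charge(formData) {',
  "  return fetch('https://payments.example.invalid/charge', {",
  '    headers: { Authorization: "Bearer " + PAYMENTS_API_KEY },',
  '  });',
  '}',
].join('\n');

// Constructed sample 2: the same action reading its secret at runtime.
const ENV_ACTION = [
  "'use server'",
  'export async function charge(formData) {',
  '  const apiKey = process.env.PAYMENTS_API_KEY;',
  "  if (!apiKey) throw new Error('PAYMENTS_API_KEY is not set');",
  "  return fetch('https://payments.example.invalid/charge', {",
  "    headers: { Authorization: 'Bearer ' + apiKey },",
  '  });',
  '}',
].join('\n');

for (const [label, src] of [['hardcoded', HARDCODED_ACTION], ['env-based', ENV_ACTION]]) {
  console.log(label, scanSource(src));
}
```

In practice you would feed scanSource the contents of every file that starts with 'use server' (and any module those files import). Every hit should be treated as a value that may already have been read by someone else: move it into an environment variable accessed through process.env, and rotate the credential rather than only removing the literal.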
Have a safe (and hopefully, finally quiet) weekend.
Aleksander
FAQ
Is the React2Shell update (CVE-2025-55182) enough to be safe?
No. These new vulnerabilities (CVE-2025-55184 and CVE-2025-55183) are separate from React2Shell and require a further update to the Next.js and React versions patched on December 12, 2025. Even if you applied the previous patch, you need to update again.
Which Next.js versions are affected?
The problem affects Next.js versions from 13.x to the latest 16.x that use the App Router and React Server Components. The Pages Router is not vulnerable to these specific CVEs.
Are my API secrets safe after CVE-2025-55183?
If you store API keys, passwords and other secrets in environment variables (.env) and read them at runtime instead of hardcoding them as literals in your code, their values are not exposed by this bug. However, attackers can see the business logic of your Server Actions, which can help in planning further attacks.
About the Author
Chief Technology Officer at SecurHub.pl
Doctoral candidate in cognitive neuroscience. Psychologist and IT expert specializing in cybersecurity.
Related articles
React and Next.js Under Fire: Critical RCE Flaw (CVSS 10.0!)
A critical vulnerability was discovered in React Server Components (CVE-2025-55182). It allows remote code execution and received the maximum severity score of 10/10.
Cl0p steals data through an Oracle flaw – is your company next in line?
The Cl0p ransomware group exploited a zero-day in Oracle E-Business Suite (CVE-2025-61882), stealing data from many companies in August. Oracle has just released a patch, but experts warn: check your systems immediately, because the attacks are ongoing.
HTTP/2: A New Vulnerability Threatens the Entire Internet
A new critical vulnerability in the HTTP/2 protocol, named "CONTINUATION Flood", has been discovered. It enables powerful DDoS attacks capable of paralyzing servers around the world.