

























Published on:
Dec 12, 2025
If you upgraded only to address CVE-2025-55182 (React2Shell), you may still be vulnerable.
CVE-2025-55184 affects adjacent RSC code paths and can allow attackers to take your app offline, even without gaining code execution. You should ensure you’re running the latest patched React and Next.js versions, including fixes for the follow-up CVE-2025-67779.
Ensure you are running the latest patched React releases that fully address both the RCE and DoS issues in the Flight protocol deserialization logic.
Because CVE-2025-55184’s initial fix was incomplete, you must confirm that:
Run a fresh scan to verify:
On December 3rd the React ecosystem was rocked by a critical remote code execution vulnerability in React Server Components, CVE-2025-55182, widely dubbed React2Shell. In our previous blog, we explored how unsafe deserialization in the RSC “Flight” protocol allowed unauthenticated attackers to send crafted HTTP requests that could lead to full server takeover in default React/Next.js apps.
Since then, as the industry rushed to patch and protect against 55182, additional weaknesses were uncovered in adjacent code paths, leading to new security advisories and CVEs. One of these is CVE-2025-55184, which while not a remote code execution flaw like React2Shell still represents a serious risk to availability.
CVE-2025-55184 is a denial-of-service vulnerability caused by unsafe handling of specially crafted input in the React Server Components runtime.
An attacker can send a malformed RSC request that:
Once triggered, the server may stop responding to legitimate traffic until restarted.
These vulnerabilities are not independent bugs:
This pattern highlights a systemic risk surface in RSC’s serialization design.
Unlike React2Shell:
But:
For many teams, downtime is just as damaging as compromise.
You may be impacted if your application:
Even if you don’t explicitly use server logic, framework defaults can still expose the vulnerable code paths.
Aikido tracks CVE-2025-55184, CVE-2025-67779, and the broader family of RSC-related vulnerabilities.
Connect your repositories to:
Start scanning for free with Aikido.
Last updated on:
Dec 12, 2025
Secure your software now
Start today, for free.
Start for Free
No CC required
4.7/5
Tired of false positives?
Try Aikido like 100k others.
Start Now
Get a personalized walkthrough
Trusted by 100k+ teams
Book Now
Scan your app for IDORs and real attack paths
Trusted by 100k+ teams
Start Scanning
See how AI pentests your app
Trusted by 100k+ teams
Start Testing
April 17, 2026
•
Vulnerabilities & Threats
Aikido's AI pentest agent found three XSS vulnerabilities in Mailcow, one of which let unauthenticated attackers take over administrator accounts. All issues have been patched as of version 2026-03b.
#
Vulnerabilities
#
open-source
April 14, 2026
•
Vulnerabilities & Threats
Axios CVE-2026-40175 is rated critical, but in real Node.js environments it’s not practically exploitable. Here’s why.
April 8, 2026
•
Vulnerabilities & Threats
GlassWorm deploys a Zig-based native dropper hidden within a fake extension, silently compromising VS Code, Cursor, VSCodium, and other IDEs.
#
Malware
Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast automatically.
No credit card required | Scan results in 32secs.


此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。