
React Security Update: Previous Fix Was Incomplete — Patch Again Now
If you patched last week, you're still vulnerable. Here's what to do.
Remember the critical RCE vulnerability (CVE-2025-55182) from December 3rd? The one where we all scrambled to upgrade our Next.js apps?
The fix was incomplete.
On December 11th, 2025, React and Next.js teams disclosed that the patches released on December 3rd didn't fully address the security issues. If you upgraded to the "fixed" versions last week, you need to upgrade again.
What's New
Two additional vulnerabilities have been disclosed:
1. Denial of Service (CVE-2025-67779) — High Severity
CVSS Score: 7.5
A crafted HTTP request can cause an infinite loop that hangs your server process, blocking all subsequent requests. This is the part of the original fix that was incomplete: the versions released on December 3rd (React 19.0.2, 19.1.3, 19.2.2) closed the RCE but did not close every DoS path.
2. Source Code Exposure (CVE-2025-55183) — Medium Severity
CVSS Score: 5.3
A malicious HTTP request can expose your Server Function source code. If you have hardcoded secrets in your source (API keys, database credentials), they could be leaked.
Example of vulnerable code:
```javascript
'use server';

// `db` is the app's database client, imported elsewhere in the real module.
export async function createUser(name) {
  // BAD: Hardcoded secret in source code
  const conn = db.createConnection('sk-secret-api-key-12345');
  const user = await conn.createUser(name);

  return {
    id: user.id,
    message: `Hello, ${name}!`
  };
}
```
An attacker could craft a request that exposes the compiled source, revealing sk-secret-api-key-12345.
Good news: Runtime secrets via process.env.SECRET are NOT exposed by this vulnerability. Only hardcoded values in your source code are at risk.
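The hardened form of the same Server Function, as an added example (not code from the page or from the React/Next.js projects): the credential is read from the environment at call time, a missing variable fails loudly instead of silently connecting with `undefined`, and the response never echoes the credential back. The variable name `DB_API_KEY` and the `db` placeholder client are assumptions; in a real module the function would also be `export`ed.

```javascript
'use server';

// Read a required secret from the runtime environment. The value never appears
// in the compiled source, so CVE-2025-55183 cannot leak it; an unset variable
// throws rather than letting the app run with a missing credential.
function requireEnv(name) {
  const value = process.env[name];
  if (typeof value !== 'string' || value.length === 0) {
    throw new Error(`Missing required environment variable: ${name}`);
  }
  return value;
}

// Constructed placeholder for the real database client (assumption, not the
// page's API). It exists only so the example runs stand-alone.
const db = {
  createConnection(apiKey) {
    return {
      async createUser(name) {
        return { id: `user_${name.toLowerCase()}`, keyLength: apiKey.length };
      },
    };
  },
};

// GOOD: the credential comes from the environment, not the bundle.
// (Prefix with `export` in the real Server Function module.)
async function createUser(name) {
  const conn = db.createConnection(requireEnv('DB_API_KEY'));
  const user = await conn.createUser(name);

  // Return only what the client needs; never include the credential.
  return {
    id: user.id,
    message: `Hello, ${name}!`,
  };
}
```

Calling `requireEnv` at the top of each Server Function (rather than once at module load) keeps the failure close to the request that triggered it, which is easier to spot in logs than a module that never initialised.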
The Good News
The RCE fix still works. The original CVE-2025-55182 (Remote Code Execution) patch remains effective. These new vulnerabilities are DoS and information disclosure — serious, but not as catastrophic as RCE.
Am I Affected?
YES, if you upgraded to these "fixed" versions last week:
| Package | Still Vulnerable Versions |
|---|---|
| React | 19.0.1, 19.0.2, 19.1.2, 19.1.3, 19.2.1, 19.2.2 |
| Next.js | 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 |
Also affected:
- Next.js 13.3+ and 14.x (yes, even stable 14!)
- Any app using React Server Components with App Router
NOT affected:
- Pages Router applications (upgrading is still recommended)
- Apps not using React Server Components
Fix It NOW: Updated Patch Versions
Next.js — Upgrade Again
```bash
# For Next.js 14.x (newly affected!)
npm install next@14.2.35

# For Next.js 15.0.x
npm install next@15.0.7

# For Next.js 15.1.x
npm install next@15.1.11

# For 15.2.x through 16.0.x, use the version for your line from the
# Quick Reference table below
```
Canary Versions
```bash
# For 15.x canary
npm install next@15.6.0-canary.60

# For 16.x canary
npm install next@16.1.0-canary.19
```
React Packages
```bash
npm install react@19.0.3 react-dom@19.0.3
# or
npm install react@19.1.4 react-dom@19.1.4
# or
npm install react@19.2.3 react-dom@19.2.3
```
Automated Tool
```bash
npx fix-react2shell-next
```
Verify Your Fix
After upgrading, verify you have the correct versions:
```bash
npm list next react react-dom
```
Expected output should show:
- next@14.2.35 or higher (for 14.x)
- next@15.0.7 or higher (for 15.0.x), and likewise the patched version for your 15.x or 16.0.x line
- react and react-dom at 19.0.3, 19.1.4, or 19.2.3 (or higher within the same line)
Quick Reference: All Patched Versions
| Release Line | Patched Version (Dec 11) |
|---|---|
| 14.x | 14.2.35 |
| 15.0.x | 15.0.7 |
| 15.1.x | 15.1.11 |
| 15.2.x | 15.2.8 |
| 15.3.x | 15.3.8 |
| 15.4.x | 15.4.10 |
| 15.5.x | 15.5.9 |
| 16.0.x | 16.0.10 |
| React | 19.0.3, 19.1.4, 19.2.3 |
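Checking a dependency tree by eye is error-prone when the same package appears several times, so here is a small checker, added as an example (not tooling from the page or from Vercel), that walks the `dependencies` object of `npm list next react react-dom --json` output and compares every occurrence against the Dec 11 patched versions in the table above. The sample input is constructed; release lines the page gives no patched version for (such as 13.x) are reported as unknown rather than guessed, and canary builds are reported for manual comparison.

```javascript
// Minimum patched version per release line, from the table above. Keys are
// "major.minor" or bare "major" prefixes; the more specific key wins.
const PATCHED = {
  next: {
    '14': '14.2.35',
    '15.0': '15.0.7',
    '15.1': '15.1.11',
    '15.2': '15.2.8',
    '15.3': '15.3.8',
    '15.4': '15.4.10',
    '15.5': '15.5.9',
    '16.0': '16.0.10',
  },
  react: { '19.0': '19.0.3', '19.1': '19.1.4', '19.2': '19.2.3' },
};
PATCHED['react-dom'] = PATCHED.react;

// Split "15.6.0-canary.60" into numeric parts and an optional prerelease tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  if (!m) throw new Error(`Unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Compare only the numeric triple; prerelease builds are handled separately.
function compareNumeric(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] - b.nums[i];
  }
  return 0;
}

function patchedFor(pkg, parsed) {
  const lines = PATCHED[pkg];
  if (!lines) return null;
  const [major, minor] = parsed.nums;
  return lines[`${major}.${minor}`] || lines[String(major)] || null;
}

// Verdict for one installed package version.
function checkPackage(pkg, version) {
  const parsed = parseVersion(version);
  if (parsed.pre) {
    return { pkg, version, status: 'prerelease', note: 'compare against the canary versions listed above by hand' };
  }
  const target = patchedFor(pkg, parsed);
  if (!target) {
    return { pkg, version, status: 'unknown', note: 'no patched version for this release line is listed on this page' };
  }
  const cmp = compareNumeric(parsed, parseVersion(target));
  return cmp >= 0
    ? { pkg, version, status: 'patched', note: `meets ${target}` }
    : { pkg, version, status: 'vulnerable', note: `upgrade to ${target}` };
}

// Walk the (possibly nested) `dependencies` tree from `npm list --json` and
// check every occurrence of the three packages, not just the top-level one.
function checkTree(tree, results = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    if (PATCHED[name] && info.version) results.push(checkPackage(name, info.version));
    checkTree(info, results);
  }
  return results;
}

// Constructed sample (assumption): an app that applied the Dec 3 patches but
// not the Dec 11 ones. Replace with real `npm list --json` output.
const SAMPLE_NPM_LIST = {
  name: 'example-app',
  dependencies: {
    next: { version: '15.1.9' },
    react: { version: '19.2.2' },
    'react-dom': { version: '19.2.3' },
  },
};

console.log(JSON.stringify(checkTree(SAMPLE_NPM_LIST), null, 2));
```

Anything reported as `vulnerable` means the app is still exposed to CVE-2025-67779 and CVE-2025-55183 even though it took last week's patch; `unknown` means the page lists no patched version for that line, so move to a line that has one.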
Additional Steps
1. Audit Your Code for Hardcoded Secrets
Since CVE-2025-55183 can expose source code, search your codebase for hardcoded secrets:
```bash
# Search for potential hardcoded secrets in server files
grep -rn "sk-" --include="*.ts" --include="*.tsx" --include="*.js" .
grep -rni "api_key" --include="*.ts" --include="*.tsx" --include="*.js" .
grep -rni "password" --include="*.ts" --include="*.tsx" --include="*.js" .
```
These patterns only catch obvious names, so treat a clean result as a starting point rather than proof. Move any hardcoded secrets to environment variables immediately.
2. Rotate Secrets If Exposed
If your app was running the vulnerable versions in production, assume any hardcoded secrets in Server Functions were exposed. Rotate them.
3. Monitor for DoS Attacks
Check your logs for unusual patterns:
- Requests causing high CPU usage
- Server processes hanging
- Increased response times
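The three signals above are easiest to act on when they are aggregated per client, since a hang from CVE-2025-67779 is triggered by individual requests. The following analyser is an added example, not code from the page or from Next.js: it assumes an access log with one JSON object per line carrying `ts`, `ip`, `method`, `path`, `status` and `duration_ms` (a request that never completed has `status: null`), which is not a format Next.js emits by default, and a slow-request threshold of 10 seconds. The sample lines are constructed.

```javascript
// Assumed threshold: anything above this is treated as a stalled request.
const SLOW_MS = 10000;

// Constructed sample log (assumption): two requests from one client never
// completed, one request from another client took 14 s, the rest are normal.
const SAMPLE_LOG = `
{"ts":"2025-12-12T10:00:01Z","ip":"203.0.113.7","method":"POST","path":"/","status":null,"duration_ms":null}
{"ts":"2025-12-12T10:00:02Z","ip":"203.0.113.7","method":"POST","path":"/","status":null,"duration_ms":null}
{"ts":"2025-12-12T10:00:03Z","ip":"198.51.100.4","method":"GET","path":"/dashboard","status":200,"duration_ms":120}
{"ts":"2025-12-12T10:00:04Z","ip":"198.51.100.4","method":"POST","path":"/","status":200,"duration_ms":14000}
{"ts":"2025-12-12T10:00:05Z","ip":"192.0.2.9","method":"GET","path":"/","status":200,"duration_ms":80}
`;

// One parsed object per non-empty line; malformed lines throw so they are not
// silently dropped from an incident review.
function parseLogLines(text) {
  return text
    .split('\n')
    .filter((line) => line.trim().length > 0)
    .map((line) => JSON.parse(line));
}

// Group requests that never completed ("hung") or exceeded the threshold
// ("slow") by source IP, with the routes they hit, most suspicious first.
function findSuspiciousRequests(entries, slowMs = SLOW_MS) {
  const byIp = new Map();
  for (const e of entries) {
    const hung = e.status === null;
    const slow = typeof e.duration_ms === 'number' && e.duration_ms >= slowMs;
    if (!hung && !slow) continue;
    const bucket = byIp.get(e.ip) || { ip: e.ip, hung: 0, slow: 0, paths: new Set() };
    if (hung) bucket.hung += 1;
    else bucket.slow += 1;
    bucket.paths.add(`${e.method} ${e.path}`);
    byIp.set(e.ip, bucket);
  }
  return [...byIp.values()]
    .map((b) => ({ ...b, paths: [...b.paths].sort() }))
    .sort((a, b) => (b.hung + b.slow) - (a.hung + a.slow));
}

console.log(JSON.stringify(findSuspiciousRequests(parseLogLines(SAMPLE_LOG)), null, 2));
```

A client with several hung requests against the same route is the pattern to escalate: a hang that blocks all later requests will also show up as a jump in latency for unrelated clients at the same timestamps, which is the "increased response times" signal in the list above.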
Timeline
- December 3, 2025: Initial CVE-2025-55182 (RCE) disclosure and patch
- December 11, 2025: Disclosure that the fix was incomplete
- December 11, 2025: CVE-2025-67779 (DoS) and CVE-2025-55183 (Source Exposure) published
- December 11, 2025: New patches released
Key Takeaways
1. Patch again — even if you patched last week
2. Next.js 14.x is now affected — not just 15+ and 16+
3. No RCE — these new CVEs are DoS and info disclosure, not code execution
4. No workaround — you must upgrade
5. Audit hardcoded secrets — move them to environment variables
Resources
- Next.js Security Update (Dec 11)
- Previous Article: CVE-2025-55182
This is the second security patch in 8 days. Keep your dependencies updated and subscribe to security advisories.

