React Server Components vulnerabilities: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator

TL;DR: Three newly disclosed React Server Components vulnerabilities include a pre-auth denial-of-service condition, an incomplete fix that leaves some patched versions vulnerable, and a source-code exposure issue that can reveal hardcoded secrets, according to Orca Security. For identity and platform teams, the key lesson is that patching alone does not eliminate secret exposure or trust-assumption drift in component ecosystems.

NHIMG editorial — based on content published by Orca Security: React Server Components vulnerabilities identified after React2Shell patching

By the numbers:

Questions worth separating out

Q: What breaks when React Server Components are not fully patched?

A: Two things can fail at once.

Q: Why do source-code disclosure flaws create identity risk as well as application risk?

A: Because source code often contains hardcoded API keys, tokens, certificates, and other secrets that behave like credentials once exposed.

Q: How do security teams know whether a patch for a framework flaw is actually effective?

A: They should test the fixed version in the real consuming framework, not just in isolation.

Practitioner guidance

  • Verify exact package and framework versions: Confirm whether react-server-dom-parcel, react-server-dom-webpack, or react-server-dom-turbopack is present, then validate the full framework stack against the fixed releases.
  • Scan source and build outputs for embedded secrets: Search compiled output, server functions, and CI artefacts for hardcoded API keys, tokens, certificates, and credentials.
  • Build secret revocation into patch response: When a framework vulnerability can expose source code, rotate any credentials that may have been embedded in affected modules and invalidate tokens that could have been copied.
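The first two guidance items above can be turned into a repeatable check. The Node.js script below is an added example for this post; it is not code from NHIMG or from Orca Security's article. It assumes an npm lockfile in the v2/v3 layout (a top-level `packages` map keyed by `node_modules/...` paths), takes the minimum fixed version for each react-server-dom-* package from an operator-supplied map (the real numbers must come from the vendor advisory; the values here are placeholders), and scans build output for a few well-known hardcoded-secret patterns. The lockfile, version numbers and build-output lines are all constructed sample data.

```javascript
// Added example (not from the NHIMG post or Orca Security): inventory
// react-server-dom-* packages from an npm lockfile, compare each copy against
// an operator-supplied minimum fixed version, and scan build output for
// hardcoded secrets. All versions and sample lines are constructed placeholders.

const RSC_PACKAGES = [
  'react-server-dom-parcel',
  'react-server-dom-webpack',
  'react-server-dom-turbopack',
];

// Compare dotted numeric versions ("1.10.0" > "1.9.9"). Pre-release suffixes
// are stripped, which is a deliberate simplification of full semver.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the lockfile "packages" map (npm lockfileVersion 2/3, assumed layout)
// and report every RSC package, including nested copies under other
// packages' node_modules, since a nested duplicate can stay unpatched.
function findRscPackages(lockfile, minimumFixed) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!RSC_PACKAGES.includes(name) || !meta.version) continue;
    const min = minimumFixed[name];
    findings.push({
      name,
      path,
      version: meta.version,
      // null means "no fixed version supplied for this package"
      patched: min ? compareVersions(meta.version, min) >= 0 : null,
    });
  }
  return findings;
}

// Secret patterns: AWS access key ID format, PEM private-key header, and a
// generic "apiKey/secret/token = '<long literal>'" assignment.
const SECRET_PATTERNS = [
  { id: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { id: 'private-key-block', re: /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/ },
  { id: 'generic-assignment', re: /\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*['"][^'"]{12,}['"]/i },
];

// Return one finding per (line, pattern) pair so each hit can be triaged.
function scanForSecrets(text) {
  const hits = [];
  text.split('\n').forEach((line, idx) => {
    for (const { id, re } of SECRET_PATTERNS) {
      if (re.test(line)) hits.push({ line: idx + 1, pattern: id });
    }
  });
  return hits;
}

// Constructed sample lockfile: one top-level copy and one nested copy of
// react-server-dom-webpack at different versions.
const SAMPLE_LOCKFILE = {
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/react': { version: '1.0.0' },
    'node_modules/react-server-dom-webpack': { version: '1.0.0' },
    'node_modules/some-lib/node_modules/react-server-dom-webpack': { version: '1.0.2' },
  },
};

// Placeholder minimum fixed version; replace with the vendor advisory's value.
const MINIMUM_FIXED = { 'react-server-dom-webpack': '1.0.1' };

// Constructed sample build output; the key string is a fake that only
// matches the AWS access-key-ID shape.
const SAMPLE_BUILD_OUTPUT = [
  'export async function submitForm(data) { return fetch("/api/submit"); }',
  'const awsKey = "AKIAEXAMPLEKEY000000"; // constructed sample, not a real key',
  'const apiKey = "sk_constructed_value_1234";',
  'console.log("build ok");',
].join('\n');

function runChecks() {
  const packages = findRscPackages(SAMPLE_LOCKFILE, MINIMUM_FIXED);
  const secrets = scanForSecrets(SAMPLE_BUILD_OUTPUT);
  const unpatched = packages.filter((p) => p.patched === false).length;
  return { packages, secrets, unpatched };
}

console.log(JSON.stringify(runChecks(), null, 2));
```

On a real repository, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync('package-lock.json'))` and `SAMPLE_BUILD_OUTPUT` with the contents of the server bundle directory; any hit from `scanForSecrets` should feed the third guidance item (rotate the credential) rather than just being removed from the next build, because the exposed copy may already have been read.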

What's in the full analysis

Orca Security's full article covers the operational detail this post intentionally leaves for the source:

  • Exact affected package and framework combinations across React Server Components and Next.js App Router deployments
  • Vendor-provided upgrade paths for each affected branch, including the patched release numbers
  • Product workflow details showing how the Orca Cloud Security Platform surfaces exposure and risk scoring in the dashboard
  • The source article's remediation guidance for environments that already patched React2Shell but still need another upgrade

👉 Read Orca Security's analysis of the React Server Components vulnerabilities and patch guidance →
