New React2Shell Offspring Patched: React Server Components (DoS) and Source Code Exposure
Blog post from Semgrep
The React blog recently announced two additional vulnerabilities, CVE-2025-55184 and CVE-2025-55183, in the react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack packages, following the previously identified React2Shell vulnerability. These new vulnerabilities are less severe: one is a Denial of Service (DoS) issue that can cause excessive CPU consumption, and the other is a source code disclosure risk that could expose sensitive information if certain conditions are met. Although their impact is limited to specific application configurations, upgrading to the patched versions of the affected packages and of NextJS is advised. React versions 19.0.2, 19.1.3, and 19.2.2, along with the corresponding NextJS patches, address these vulnerabilities. Semgrep Supply Chain customers are protected from both the original React2Shell and the newer issues, with detection rules in place to identify them.