Episode III: Revenge of the React vulnerabilities
Blog post from Sourcegraph
The React Server Components vulnerability, initially thought to be patched, persisted because the first fixes were incomplete, leading to a new wave of high-severity flaws, including Denial of Service (DoS) and source code exposure, identified by security researchers. The React2Shell exploit showed that the earlier patches were insufficient, resulting in three new CVEs affecting core packages such as react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Many organizations believed they were safe after updating to intermediate versions, but those versions were still vulnerable to the newly discovered DoS issues. To remediate comprehensively, a precise Code Search query can identify every repository using a vulnerable version, and those repositories should be upgraded to the final safe releases (19.0.3, 19.1.4, and 19.2.3). This ensures complete remediation across codebases and prevents further exploitation.
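The post does not reproduce its Code Search query, so what follows is an added example, not code from Sourcegraph or the React project: a dependency-free Node script that audits a package-lock.json for the three react-server-dom-* packages the post names and flags any copy, including nested copies under another package's node_modules, that sits below the final safe release for its 19.x line (19.0.3, 19.1.4, 19.2.3). The sample lockfile, the status labels, and the treatment of versions outside the 19.0 to 19.2 lines (reported for manual review rather than judged) are assumptions of the example.

```javascript
// Added example (not from the Sourcegraph post or the React project): audit a
// package-lock.json (lockfileVersion 2 or 3) for the react-server-dom-* packages
// the post names and flag versions below the final safe releases it lists.

const AFFECTED_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];

// Final safe release per 19.x minor line, as stated in the post.
// Lines not listed here (e.g. 19.3 or 18.x) are not covered by the post and
// are reported for manual review rather than judged.
const SAFE_BY_MINOR = { 0: [19, 0, 3], 1: [19, 1, 4], 2: [19, 2, 3] };

// Parse "19.1.4", "^19.1.4" or "v19.1.4" into [major, minor, patch].
// Lockfiles carry exact versions; the range-prefix handling is for package.json.
function parseVersion(v) {
  const m = /^[\^~>=<\s]*v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric comparison, so 19.2.10 correctly sorts above 19.2.3.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Status labels are the example's own vocabulary (assumption, not the post's).
function classify(name, version) {
  if (!AFFECTED_PACKAGES.includes(name)) return "not-affected-package";
  const parsed = parseVersion(version);
  if (!parsed) return "unparseable";
  const safeFloor = parsed[0] === 19 ? SAFE_BY_MINOR[parsed[1]] : undefined;
  if (!safeFloor) return "outside-listed-lines";
  return compareVersions(parsed, safeFloor) < 0 ? "vulnerable" : "patched";
}

// Walk the lockfile's "packages" map, whose keys are install paths such as
// "node_modules/next/node_modules/react-server-dom-webpack", so nested copies
// that a top-level package.json check would miss are included.
function auditLockfile(lock) {
  const findings = [];
  const marker = "node_modules/";
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    const idx = installPath.lastIndexOf(marker);
    if (idx === -1) continue; // skips the root entry ("") and workspace links
    const name = installPath.slice(idx + marker.length);
    if (!AFFECTED_PACKAGES.includes(name)) continue;
    findings.push({
      path: installPath,
      name,
      version: entry.version,
      status: classify(name, entry.version),
    });
  }
  return findings;
}

// Only the findings that still need an upgrade.
function vulnerableFindings(lock) {
  return auditLockfile(lock).filter((f) => f.status === "vulnerable");
}

// Constructed sample lockfile: the versions below the post's safe floors are
// illustrative values, not claims about any specific released build.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/react": { version: "19.1.4" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/react-server-dom-parcel": { version: "19.0.3" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node audit-rsc.js [path/to/package-lock.json]; falls back to the sample.
  const fs = require("fs");
  const file = process.argv[2];
  const lock = file ? JSON.parse(fs.readFileSync(file, "utf8")) : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) {
    console.log(`${f.status.padEnd(22)} ${f.name}@${f.version}  (${f.path})`);
  }
  process.exitCode = vulnerableFindings(lock).length > 0 ? 1 : 0;
}
```

The Code Search query locates the repositories; this script confirms the resolved version in each checked-out lockfile, which matters because a framework can pin its own nested copy of react-server-dom-* that does not appear in the application's package.json. A non-zero exit code makes it usable as a CI gate.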