Saved February 14, 2026
New security flaws in React Server Components can lead to denial-of-service attacks and expose source code. Users must quickly patch their systems, as many remain vulnerable despite previous updates. Ongoing exploitation attempts are reported, particularly from attackers in North Korea and China.
New vulnerabilities in React Server Components have emerged, adding to existing security concerns. Two high-severity denial-of-service (DoS) bugs, identified as CVE-2025-55184 and CVE-2025-67779, can be triggered by sending specially crafted HTTP requests to server function endpoints. These bugs can cause servers to enter an infinite loop, consuming CPU resources and denying access to users. A third vulnerability, CVE-2025-55183, exposes source code when a specific server function inadvertently converts an argument to a string, allowing attackers to leak hardcoded secrets.
The React2Shell vulnerability, tracked as CVE-2025-55182, was patched on December 3 but remains problematic. Researchers have reported over 15 active intrusion attempts linked to this flaw within just 24 hours. Despite the earlier patch, servers running versions 19.0.0 through 19.2.2 of related packages remain vulnerable to the new issues. Security experts assert that many organizations have yet to patch these vulnerabilities, with over 50 organizations affected by React2Shell, including targets from North Korea and China.
Meta, the company behind React, has acknowledged these vulnerabilities. Security researchers RyotaK and Shinsaku Nomura discovered the DoS bugs, while Andrew MacPherson identified the source-code exposure flaw. The implications are significant, as exploitation is ongoing and may lead to severe performance impacts for affected systems.