The React team has disclosed additional security vulnerabilities affecting React Server Components, discovered while researchers were testing the effectiveness of last week’s critical patch (React2Shell). While these newly identified issues do not enable Remote Code Execution, they introduce serious risks, including Denial of Service (DoS) attacks and potential source code exposure. Due to their severity, immediate upgrades are strongly recommended. Overview of the Newly Disclosed Vulnerabilities Security researchers identified two new vulnerability classes in the same React Server Components packages affected by CVE-2025-55182. High Severity: Denial of Service (DoS) CVE-2025-55184 CVE-2025-67779 CVSS Score: 7.5 (High) A maliciously crafted HTTP request sent to a Server Function endpoint can trigger an infinite loop during deserialization, causing the server process to hang and consume CPU indefinitely. Notably, even applications that do not explicitly define Server Functions may still be vulnerable if they support React Server Components. This vulnerability enables attackers to: Disrupt service availability Degrade server performance Potentially cause cascading infrastructure impact The React team has confirmed that earlier fixes were incomplete, leaving several patched versions still vulnerable until this latest release. Medium Severity: Source Code Exposure CVE-2025-55183 CVSS Score: 5.3 (Medium) Researchers discovered that certain malformed requests could cause Server Functions to return their own source code when arguments are explicitly or implicitly stringified. This may expose: Hardcoded secrets inside Server Functions Internal logic and implementation details Inlined helper functions, depending on bundler behavior Important clarification: Only source-level secrets may be exposed. Runtime secrets such as process.env.SECRET are not affected. What Is Affected and Who Needs to Take Action The newly disclosed vulnerabilities impact the same React Server Components packages as the previously reported issue, and affect a range of commonly used frameworks and bundlers. Teams should review their dependency tree carefully to determine whether an upgrade is required. Affected Packages and Versions These vulnerabilities affect the same packages and version ranges as the previously disclosed React Server Components issue. Affected packages react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack Vulnerable versions 19.0.0 → 19.0.2 19.1.0 → 19.1.3 19.2.0 → 19.2.2 Fixed Versions (Required Upgrade) The React team has backported fixes to the following versions: 19.0.3 19.1.4 19.2.3 If your project uses any of the affected packages, upgrade immediately to one of the versions above. ⚠️ If you already updated last week, you still need to update again. Versions 19.0.2, 19.1.3, and 19.2.2 are not fully secure. Impacted Frameworks and Bundlers Several popular frameworks and tools depend on or bundle the vulnerable packages, including: Next.js React Router Waku @parcel/rsc @vite/rsc-plugin rwsdk Refer to your framework’s upgrade instructions to ensure the correct patched versions are installed. Who Is Not Affected Apps that do not use a server Apps not using React Server Components Apps not relying on frameworks or bundlers that support RSC React Native Considerations React Native applications that do not use monorepos or react-dom are generally not affected by these vulnerabilities. For React Native projects using a monorepo, only the following packages need to be updated if they are installed: react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack Upgrading these packages does not require updating react or react-dom and will not cause version mismatch issues in React Native. Recommended Solutions and Mitigation Strategy While upgrading to the fixed versions is mandatory, these vulnerabilities also expose broader weaknesses in dependency management and secret handling that teams should address to reduce future risk. Immediate Fix All affected applications should upgrade immediately to one of the patched versions: 19.0.3 19.1.4 19.2.3 Previously released patches were incomplete, and hosting provider mitigations should be considered temporary safeguards only, not a long-term solution. Updating to the fixed versions remains the only reliable mitigation. Automate Dependency Updates to Reduce Exposure Time Modern JavaScript ecosystems make it difficult to manually track security advisories across all dependencies. Using tools such as Renovate or Dependabot helps automatically detect vulnerable versions and create upgrade pull requests as soon as fixes are released. This reduces response time and lowers the risk of running partially patched or outdated packages in production. Ensure CI/CD Pipelines Can Absorb Security Upgrades Safely Frequent dependency upgrades are only safe when supported by reliable automated testing. Maintaining comprehensive CI/CD pipelines with sufficient test coverage allows teams to apply security updates quickly while minimizing the risk of breaking changes. This enables faster remediation when new vulnerabilities are disclosed. Remove Secrets from Source Code to Limit Blast Radius Secrets embedded directly in source code may be exposed if similar vulnerabilities arise again. Store secrets using managed services such as AWS SSM Parameter Store or AWS Secrets Manager Implement key rotation mechanisms without downtime Even if source code is exposed, properly managed runtime secrets significantly limit real-world impact. Why Follow-Up CVEs Are Common After Critical Disclosures It is common for critical vulnerabilities to uncover additional issues once researchers begin probing adjacent code paths. When an initial fix is released, security researchers often attempt to bypass it using variant exploit techniques. This pattern has appeared repeatedly across the industry. A well-known example is Log4Shell, where multiple follow-up CVEs were reported after the first disclosure. While additional disclosures can be frustrating, they usually indicate: Active security review Responsible disclosure A healthy patch and verification cycle Final Notes Some hosting companies set up quick fixes, yet those aren't enough on their own. Keeping dependencies updated is still a top way to stay safe from new supply-chain risks. If your application uses React Server Components, reach out to Haposoft now! We'll figure out what’s impacted while taking care of the update without mess. It means going through your dependencies one by one, making sure everything builds right in the end.

On December 3, 2025, the React team revealed a critical Remote Code Execution vulnerability in React Server Components (RSC). It affects several RSC packages and some of the most widely used React frameworks, including Next.js. A fix is already out, so the urgent step now is simply checking whether your project uses these packages—and updating to the patched versions if it does. Overview of the Vulnerability A newly reported flaw allows unauthenticated Remote Code Execution (RCE) on servers running React Server Components. Type: Unauthenticated Remote Code Execution CVE: CVE-2025-55182 (NIST , GitHub Advisory Database) Severity: CVSS 10.0 (Maximum severity) This means an attacker could execute arbitrary code on the server without any form of authentication, giving them full control of the affected environment. The issue is caused by a flaw in how React decodes payloads sent to React Server Function endpoints. A maliciously crafted HTTP request can trigger unsafe deserialization, leading to remote code execution. React will publish additional technical details once the patch rollout is fully completed. Scope of Impact Any application that supports React Server Components may be exposed, even if it never defines any Server Function endpoints. The vulnerability exists in the underlying RSC support layer used by multiple frameworks and bundlers. Your application is not vulnerable if: Your React code does not run on a server, or Your application does not use a framework, bundler, or plugin that supports React Server Components. Traditional client-only React applications are unaffected. Affected Versions and Components The vulnerability is tied to specific versions of the React Server Components packages and to the frameworks that depend on them. Identifying whether your project uses any of these versions is the first step in determining your exposure. Vulnerable Packages The issue affects the following packages in versions 19.0, 19.1.0, 19.1.1, and 19.2.0: react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack Affected Frameworks and Bundlers Several frameworks that rely on these packages are also impacted, including: Next.js React Router (when using unstable RSC APIs) Waku @parcel/rsc @vitejs/plugin-rsc Redwood SDK Security Fix and Recommended Actions The React team has released patched versions, and major frameworks have issued corresponding updates. Applying these fixes promptly is the only reliable way to remove the vulnerability from affected projects. Patched Versions The React team has released fixed versions: 19.0.1 19.1.2 19.2.1 (or any version newer than these) Upgrading to a patched release is mandatory to eliminate the vulnerability. Framework Updates Framework maintainers have also published security updates. For example, Next.js users must upgrade to one of the following patched versions: next@15.0.5 next@15.1.9 next@15.2.6 next@15.3.6 next@15.4.8 next@15.5.7 next@16.0.7 Other ecosystems (React Router, Redwood, Vite plugin, Parcel, Waku, etc.) also require upgrading to their latest patched versions. What Development Teams Should Do Now We recommend the following immediate steps: Audit all projects to confirm whether React Server Components or related frameworks are in use. Check package versions for the affected libraries listed above. Upgrade to the patched versions immediately if your application falls within the impacted scope. Review deployment environments for any unusual activity (optional but advisable for security). Document and report the findings to your internal security or project stakeholders. Conclusion This vulnerability (CVE-2025-55182) is one of the most severe vulnerabilities ever disclosed within the React ecosystem, and it may impact a wide range of modern React-based applications. To maintain security and prevent potential exploitation, all teams should: Review their applications, Identify affected components, and Apply the necessary upgrades without delay. If you need a security audit or patch support within your React-based web development projects, Haposoft is ready to step in.

When you submit an app to Google Play, most early failures surface in Closed Testing, not the final review. What we share here comes from real testing practice, and it’s what made handling those failures predictable for us. What Google Play Closed Testing Is Closed Testing is where Google first checks your app using real user activity, so it matters to understand what this stage actually requires. Where Closed Testing Fits in the Submission Process When you submit an app to Google Play, it doesn’t go straight to the final review. Before reaching that stage, every build must pass through Google’s internal testing tracks—Internal Testing → Closed Testing → Open Testing. Closed Testing sits in the middle of this flow and is the first point where Google expects real usage from real users. If the app fails here, it never reaches the actual “Submit for Review” step. That’s why many teams face repeated rejections without realizing the root cause comes from this stage, not the final review. Google Play Closed Testing in Simple Terms Google Play Closed Testing is a private release track where your app is shared with a small group of testers you select. These testers install the real build you intend to ship and use it in everyday conditions. The goal is straightforward: Google wants to see whether the app behaves like a complete product when real people interact with it. In this controlled environment, Google observes how users move through your features, how data is handled, and whether the experience matches what you describe in your Play Console settings. This is essentially Google’s early check to confirm that the app is stable, transparent, and built for genuine use—not just something assembled to pass review. What Google Expects During Closed Testing The core function of Google Play Closed Testing is to verify authenticity. Google wants evidence that your app is functional, transparent, and ready for real users, not a rushed build created solely to pass review. To make this evaluation, Google looks for a few key signals: Real testers using real, active Google accounts Real usage patterns, not one-off opens or artificial interactions Consistent engagement over time, typically around 14 days for most app types Actions inside your core features, not empty screens or placeholder flows Behavior that aligns with your Data Safety, privacy details, and feature declarations Evidence that the app is “alive”, such as logs, events, and navigation patterns generated from authentic interactions Google began tightening its review standards in 2023 after more unfinished and auto-generated apps started slipping into the submission flow. Instead of relying only on manual checks, Google now leans heavily on the activity recorded during Closed Testing to understand how an app performs under real use. This gives the review team a clearer picture of stability, data handling, and readiness—making Closed Testing a much more decisive step in whether an app moves forward. Why Google Play Closed Testing Is So Hard to Pass Most teams fail Closed Testing because their testing behavior doesn’t match the actual evaluation signals Google uses. The table below compares real developer mistakes with Google’s real criteria, so you can see exactly why each issue leads to rejection. Common Issues During Testing What Google Actually Checks Teams treat Closed Testing like internal QA. Testers only tap around the interface and rarely complete real user journeys. Google checks full, natural flows. It expects onboarding → core action → follow-up action. Shallow tapping does not confirm real functionality, so Google marks the test as lacking behavioral proof. Testers open the app once or twice and stop. Most activity happens on day 1, then engagement drops to zero. Google checks multi-day usage patterns. It needs recurring activity to evaluate stability and real adoption. One-off launches look like artificial or incomplete testing → fail. Core features remain untouched because testers don’t find or understand them. Navigation confusion prevents users from triggering important flows. Google checks whether declared core features are actually used. If users don’t naturally reach those flows, Google cannot validate them → flagged as “unverified behavior.” Permissions are declared but no tester enters flows that use them. e.g., camera, location, contacts, or other data-related actions never get triggered. Google cross-checks declared permissions with real behavior. If a permission never activates during testing, Google treats the Data Safety form as unverifiable → extremely high rejection rate. Engagement collapses after the first day. Testers lose interest quickly, resulting in long periods of zero activity. Google checks consistency over time (≈14 days). When usage dies early, the system sees weak, unreliable activity that does not resemble real-world usage → rejection. Passing Google Play Closed Testing: A Real Case Study Closed Testing turned out to be far stricter than we expected. What looked like a simple pre-release step quickly became the most decisive part of the review, and our team had to learn this the hard way—through three consecutive rejections before finally getting approved. The Three Issues That Held Us Back in Closed Testing These were the three recurring problems that blocked our app from moving past Google Play’s Closed Testing stage. #Issue 1: Having Testers, but Not Enough “Real” Activity In the first attempt, we only invited one person to join the test, so the app barely generated any meaningful activity. Most of the usage stopped at simple screen opens, and none of the core features were exercised in a way Google could evaluate. With such a small and shallow pattern, the system couldn't treat it as real user participation. The build was rejected right away for not meeting the minimum level of authentic activity. #Issue 2: Misunderstanding the “14-Day Activity” Requirement For the second round, we expanded the group to twelve testers, but most of them stopped using the app after just a few days. The remaining period showed almost no engagement, which meant the full 14-day window Google expects was never actually covered. Although the number of testers looked correct, the lack of continuous usage made the test inconclusive. Google dismissed the submission because the activity dropped off too early. #Issue 3: No Evidence of Real Activity (Logs, Tracking, or Records) By the third attempt, we finally kept twelve testers active for the entire duration, but we failed to capture what they did. There were no logs showing feature flows, no tracking to confirm event sequences, and no recordings for actions tied to sensitive permissions. From Google's viewpoint, the numbers in the dashboard had nothing to support them. Without verifiable evidence, the review team treated the activity as unreliable and rejected the build again. What Finally Helped Us Pass Google Play Closed Testing To fix the issues in the earlier attempts, the team reorganized the entire test instead of adding more testers at random. Everything was structured so Google could see consistent, authentic behaviour from real users. A larger tester group created a more reliable activity curve The previous rounds didn’t generate enough meaningful activity, so we increased the number of people involved. The larger group created a more natural engagement pattern that gave Google more complete usage signals to review. Extending the testing period from 14 to 17 consecutive days To avoid the early drop-off that hurt our earlier attempts, we kept the test running a little longer than the minimum 14 days. The longer duration prevented mid-test gaps and helped Google see continuous interaction across multiple days. Introducing a detailed daily checklist so testers covered the right flows Instead of letting everyone tap around freely, we provided a short list of the core actions Google needed to observe. A clear checklist guided testers through specific actions each day, producing consistent evidence for the features Google needed to verify. Enabling device-level tracking and full system logs Earlier data was too thin to validate behaviour, so we enabled device-level tracking and full system logs to review and later align with Google’s dashboard. This fixed the “invisible activity” issue from the earlier rounds and gave the review team something concrete to validate. Having testers record short videos of their actions Some flows involving permissions weren’t reflected clearly in logs, so testers recorded short clips when performing these tasks. These videos provided direct confirmation of how camera, file access and upload flows worked. Adding small features and content to encourage natural engagement The previous builds didn’t encourage repeated use, so we added minor features and content updates to create more realistic daily engagement. These adjustments helped testers interact with the app in a way that resembled real usage, not surface-level taps. Release Access Form: A Commonly Overlooked Step in the Approval Process After Closed Testing is completed, Google requires developers to submit the Release Access Form before the app can move forward in the publishing process. It sounds simple, but the way this form is written has a direct influence on the final review. Taking the form seriously, paired with the testing evidence we had already prepared, helped our final submission go through smoothly on the fourth attempt. Here’s what became clear when we worked through it: The answers must reflect the real behaviour of the app — especially the sections on intended use and where user data comes from. Any mismatch creates doubt. Google expects clear descriptions of features, user actions and the scope of testing. Vague explanations often slow the process down. Looking at how other developer communities handled this form helped us understand the phrasing that aligns with Google’s criteria. Final Thoughts Closed Testing is ultimately about proving that your app behaves like a real, ready-to-ship product. Most teams lose time because they only react after a rejection; we prevent 80% of those rejections long before you ship. If you want fewer surprises and a tighter, lower-risk review cycle, talk to us and Haposoft will run the entire review cycle for you.