High Severity Vulnerability
This vulnerability has been rated as High severity. Immediate action is recommended.
CVE-2025-55184
Vulnerability Description
A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
CVSS Metrics
Common Vulnerability Scoring System
Vector String:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Known Affected Software
2 configuration(s) from 1 vendor(s)
cpe:2.3:a:vercel:next.js:15.6.0:canary59:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:16.1.0:canary16:*:*:*:node.js:*:*
CPUAPR2026
Oracle Critical Patch Update Advisory - April 2026
References & Resources
- https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components (cve-assign@fb.com) Vendor Advisory
- https://www.facebook.com/security/advisories/cve-2025-55184 (cve-assign@fb.com) Vendor Advisory
- https://github.com/KingHacker353/CVE-2025-55184 (134c704f-9b21-4f2e-91b3-4a467353bcc0)
Severity Details
Weakness Type (CWE)
Deserialization of Untrusted Data
- Description
- The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
- Exploit Likelihood
- Medium
- Typical Severity
- Medium
- OWASP Top 10
- A08:2021-Software/Data Integrity Failures
- Abstraction Level
- Base
Key Information
- Published Date
- December 11, 2025
