CVE-2025-55184

7.5 HIGH

📋 TL;DR

A pre-authentication denial of service vulnerability in React Server Components allows attackers to send specially crafted HTTP requests to Server Function endpoints, causing infinite loops that hang server processes. This affects React Server Components versions 19.0.0 through 19.2.1, including react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack packages. Any application using these vulnerable versions is susceptible to server unavailability.

💻 Affected Systems

Products:
  • react-server-dom-parcel
  • react-server-dom-turbopack
  • react-server-dom-webpack
Versions: 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects React Server Components implementations using the vulnerable packages. Any application with Server Function endpoints exposed is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server unavailability with process hanging indefinitely, preventing all HTTP requests from being served, potentially requiring manual process termination and server restart.

🟠 Likely Case

Targeted denial of service attacks causing service disruption for legitimate users, with server processes becoming unresponsive until restarted.

🟢 If Mitigated

Limited impact with proper request filtering and monitoring, though vulnerable systems remain at risk of targeted attacks.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted HTTP requests to Server Function endpoints. Public proof-of-concept code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 19.2.2 or later

Vendor Advisory: https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components

Restart Required: Yes

Instructions:

1. Update React Server Components to version 19.2.2 or later.
2. Update package.json dependencies to use patched versions.
3. Run npm update (or the equivalent yarn upgrade).
4. Restart all affected server processes.

🔧 Temporary Workarounds

Request Filtering (applies to: all)

Implement request filtering or rate limiting on Server Function endpoints to block suspicious payloads.

Process Monitoring (applies to: all)

Implement monitoring to detect and restart hung server processes automatically.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all Server Function endpoints
  • Deploy Web Application Firewall (WAF) rules to block malicious payload patterns

🔍 How to Verify

Check if Vulnerable:

Check package.json for React Server Components versions 19.0.0 through 19.2.1. Run 'npm list react-server-dom-parcel react-server-dom-turbopack react-server-dom-webpack' to see installed versions.

Check Version:

npm list react-server-dom-parcel react-server-dom-turbopack react-server-dom-webpack --depth=0

Verify Fix Applied:

Verify installed packages are at version 19.2.2 or later. Test Server Function endpoints with known safe payloads to ensure normal operation.
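The version check above, as an added example that is not part of the advisory or of React itself: a Node script that walks the parsed JSON from npm ls --all --json (the --all flag also covers transitive dependencies, which --depth=0 hides) and flags the three packages when their installed version falls in 19.0.0 through 19.2.1. SAMPLE_TREE and example-framework are constructed stand-ins in the shape npm produces.

```javascript
// Added example (not from the advisory): flag the three React Server Components
// packages when the installed version is in the affected range 19.0.0-19.2.1.
// Input is the parsed JSON from `npm ls --all --json`; SAMPLE_TREE is a
// constructed stand-in in that shape.
const AFFECTED_PACKAGES = ['react-server-dom-parcel', 'react-server-dom-turbopack', 'react-server-dom-webpack'];
const FIRST_AFFECTED = [19, 0, 0];
const FIRST_FIXED = [19, 2, 2]; // patch version named in the advisory

// "19.2.1" -> [19, 2, 1]; null for anything that is not x.y.z (git URLs, "link:" specs)
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Compare [major, minor, patch] triples: -1, 0 or 1
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Vulnerable iff 19.0.0 <= version < 19.2.2
function isVulnerable(version) {
  const v = parseVersion(version);
  if (v === null) return false; // not x.y.z: review that entry by hand
  return compareVersions(v, FIRST_AFFECTED) >= 0 && compareVersions(v, FIRST_FIXED) < 0;
}

// Walk direct and transitive dependencies, recording the path to each finding
function findVulnerable(node, chain = []) {
  const findings = [];
  for (const [name, info] of Object.entries(node.dependencies || {})) {
    const path = [...chain, name];
    if (AFFECTED_PACKAGES.includes(name) && info.version && isVulnerable(info.version)) {
      findings.push({ name, version: info.version, path: path.join(' > ') });
    }
    findings.push(...findVulnerable(info, path));
  }
  return findings;
}

// Constructed sample: a vulnerable direct dep and a transitive one already on 19.2.2
const SAMPLE_TREE = { name: 'example-app', dependencies: {
  'react-server-dom-webpack': { version: '19.2.1' },
  'example-framework': { version: '1.0.0',
    dependencies: { 'react-server-dom-turbopack': { version: '19.2.2' } } },
} };

console.log(findVulnerable(SAMPLE_TREE)); // one finding: react-server-dom-webpack 19.2.1
```

To run it against a real project, replace SAMPLE_TREE with JSON.parse of the npm ls --all --json output; a version string that is not plain x.y.z is skipped rather than reported, so inspect those entries manually.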

📡 Detection & Monitoring

Log Indicators:

  • Unusually long processing times for Server Function requests
  • Server process hanging or becoming unresponsive
  • Multiple failed requests to Server Function endpoints

Network Indicators:

  • Repeated HTTP requests to Server Function endpoints with similar payloads
  • Unusual traffic patterns targeting specific endpoints

SIEM Query:

source="application_logs" AND (message="Server Function timeout" OR message="process hang" OR message="infinite loop")

The message strings in this query are illustrative; a hung process emits no "infinite loop" log line of its own, so map the query to the timeout and health-check messages your application server and orchestrator actually write.
