CVE-2025-67779

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to send specially crafted HTTP requests to React Server Components Server Function endpoints, causing unsafe deserialization that triggers an infinite loop. This leads to denial of service by hanging the server process and preventing future requests. Applications using React Server Components versions 19.0.2, 19.1.3, or 19.2.2 are affected.

💻 Affected Systems

Products:
  • React Server Components
Versions: 19.0.2, 19.1.3, 19.2.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects React Server Components with Server Function endpoints exposed.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server unavailability due to an infinite loop consuming all CPU resources, requiring manual process termination and restart.

🟠 Likely Case: Partial or complete denial of service affecting specific endpoints or the entire server application.

🟢 If Mitigated: Minimal impact with proper request validation and monitoring in place.

🌐 Internet-Facing: HIGH - Exploitable via HTTP requests without authentication.
🏢 Internal Only: MEDIUM - Still exploitable by internal users or compromised accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted HTTP requests to vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 19.0.3, 19.1.4, 19.2.3 or later

Vendor Advisory: https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components

Restart Required: Yes

Instructions:

1. Update React Server Components to a patched version.
2. Update package.json dependencies.
3. Run npm update or yarn update.
4. Restart the server application.

🔧 Temporary Workarounds

Rate Limiting (scope: all)

  • Implement request rate limiting on Server Function endpoints

Input Validation (scope: all)

  • Add strict input validation for all Server Function endpoint payloads

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block suspicious payload patterns
  • Monitor server processes for abnormal CPU usage and implement automatic restart thresholds

🔍 How to Verify

Check if Vulnerable:

Check package.json or node_modules for React Server Components version 19.0.2, 19.1.3, or 19.2.2

Check Version:

npm list react-server-components or check package.json

Verify Fix Applied:

Verify React Server Components version is 19.0.3, 19.1.4, 19.2.3 or later
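As an added example (not from this advisory page or the React project), the check below walks a package-lock.json and classifies every installed copy of a package against the affected and patched versions listed above. The package name `react-server-components` is taken from the page's `npm list` step, and the lock-file contents are constructed for the demonstration.

```python
import json
import re

# Versions named on the advisory page: the affected releases and the first
# patched release of each 19.x line ("19.0.3, 19.1.4, 19.2.3 or later").
AFFECTED = {"19.0.2", "19.1.3", "19.2.2"}
PATCHED = {(19, 0): (19, 0, 3), (19, 1): (19, 1, 4), (19, 2): (19, 2, 3)}

def parse_version(text):
    """Turn '19.1.4' (optionally with a leading ^ or ~ range marker) into a tuple."""
    m = re.match(r"^[\^~]?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())

def classify(version):
    """Return 'affected', 'fixed' or 'unknown' for one installed version string."""
    v = parse_version(version)
    if ".".join(map(str, v)) in AFFECTED:
        return "affected"
    line = (v[0], v[1])
    if line in PATCHED:
        # Same release line: fixed once at or above that line's patch release.
        return "fixed" if v >= PATCHED[line] else "unknown"
    # A release line the advisory does not name: newer than every patch is fixed,
    # anything older is not covered by the advisory and needs a manual look.
    return "fixed" if v >= max(PATCHED.values()) else "unknown"

def scan_lockfile(lock, package_names):
    """Walk the 'packages' map of a package-lock.json (lockfileVersion 2 or 3)
    and report every installed copy of the named packages, nested copies included."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        # The map key is the install path; the package name is its last segment.
        name = path.rsplit("node_modules/", 1)[-1]
        if path and name in package_names and "version" in meta:
            findings.append((path, meta["version"], classify(meta["version"])))
    return findings

# Constructed sample lockfile, not a real project's lock data.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/react-server-components": {"version": "19.1.3"},
        "node_modules/nested/node_modules/react-server-components": {"version": "19.2.3"},
    },
}

if __name__ == "__main__":
    for path, ver, status in scan_lockfile(SAMPLE_LOCK, {"react-server-components"}):
        print(f"{status:8} {ver:8} {path}")
```

Point `scan_lockfile` at `json.load(open("package-lock.json"))` and the set of package names that ship React Server Components in your project; a "fixed" result for every copy matches the verification step above.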

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes
  • Server process hanging
  • Request timeouts on Server Function endpoints

Network Indicators:

  • Repeated HTTP requests to Server Function endpoints with unusual payloads

SIEM Query:

source="application.logs" AND ("high cpu" OR "process hang" OR "request timeout") AND endpoint="*server-function*"
