CVE-2025-55184

Published Dec 11, 2025

Last updated a day ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-55184 is a denial-of-service vulnerability affecting React Server Components (RSC) in versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1. It exists because the affected code unsafely deserializes payloads from HTTP requests to Server Function endpoints. This can lead to an infinite loop that hangs the server process, preventing it from serving future HTTP requests. The vulnerability can be triggered by sending a specially crafted HTTP request to any App Router endpoint. Exploitation does not require authentication and can be achieved with basic HTTP request crafting skills. An initial fix for this vulnerability was incomplete, and a complete fix has been issued under CVE-2025-67779.

Description
A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
Source: cve-assign@fb.com
NVD status: Analyzed
Products: react, next.js

Risk scores

CVSS 3.1

Type: Secondary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: HIGH

Weaknesses

nvd@nist.gov: CWE-502

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

37

  1. 🚨 Urgent WAF update! 🚨 We've released emergency rules to protect against server-function exposure (CVE-2025-55183) & resource exhaustion (CVE-2025-55184). Enhanced security for your apps! 🛡️ https://t.co/ikyIQ9QaLX

    @mveracf

    13 Dec 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Another one React Server Components Denial of Service - High Severity: CVE-2025-55184 and CVE-2025-67779 (CVSS 7.5) Source Code Exposure - Medium Severity: CVE-2025-55183 (CVSS 5.3) https://t.co/GbSdu7ZDYe #REACT #Exploit #Security https://t.co/30xwa9eCkz

    @ZoltanSEC

    13 Dec 2025

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Two new vulnerabilities disclosed: High-Severity DoS (CVE-2025-55184/67779) Medium-Severity Source Code Exposure (CVE-2025-55183) https://t.co/b1s5C96F3p

    @AryaAmour08

    13 Dec 2025

    50 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🚨 New Finding Alert 🚨 Excited to report a High Severity (8.2) vulnerability on @yeswehack! Found a DoS via Unsafe Deserialization in React Server Components. 🆔 CVE-2025-55184 Consistency is key in this game. 💻🔒 #BugBounty #AppSec #ReactJS #YesWeHack #Infosec #CVE h

    @BgmiKaam41919

    13 Dec 2025

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. React team warns of 3 new RSCs vulns: CVE-2025-55184 & CVE-2025-67779 cause infinite loops to crash servers. https://t.co/1vmVXWEOww https://t.co/kDBnmAd4ev

    @MateusGalasso

    13 Dec 2025

    51 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. React2Shell Post-Mortem (CVE-2025-55184 / 67779 / 55183) Three High-severity vulns dropped → DoS + RCE + source code leaks possible in just hours. Our outcome? Zero production impact despite CVSS 7.5 How we survived: - Dependabot alerts - Patches deployed quickly and full htt

    @GuatemalanJason

    12 Dec 2025

    149 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  7. waiting for the inevitable dup. tag on a high bug lol #CVE-2025-55184 https://t.co/BS9Iw23M5G

    @artuc05

    12 Dec 2025

    141 Impressions

    0 Retweets

    2 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  8. Just one week after their first request to update the vulnerable libraries, the React team is asking for the same thing again. This time researchers discovered two vulnerabilities that could be troublesome. CVE-2025-55184 and CV

    @altmemy199

    12 Dec 2025

    1297 Impressions

    0 Retweets

    14 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  9. CVE-2025-55184

    @Zephyrdev_

    12 Dec 2025

    85 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  10. discussing vulnerabilities like CVE-2025-55184 type shi https://t.co/mfZ6jfehpp

    @owenmilgram

    12 Dec 2025

    106 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  11. discussing vulnerabilities like CVE-2025-55184 type shi https://t.co/sv8A5h3aVF

    @owenmilgram

    12 Dec 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. CVE-2025-67779 It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. Reac… https://t.co/vWb89mOv8Q

    @CVEnew

    12 Dec 2025

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. CVE-2025-55184 nuclei template https://t.co/ressj9IrQN #cve #nuclei #REACT https://t.co/xlS95q48zy

    @sirifu4k1

    12 Dec 2025

    1071 Impressions

    5 Retweets

    20 Likes

    13 Bookmarks

    0 Replies

    0 Quotes

  14. 🚨 CVE-2025-55184 - high 🚨 React Server Components - Denial of Service > React Server Components 19.0.0 to 19.2.1 including react-server-dom-parcel, react-ser... 👾 https://t.co/Jxv11Wy1pN @pdnuclei #NucleiTemplates #cve

    @pdnuclei_bot

    12 Dec 2025

    2697 Impressions

    9 Retweets

    41 Likes

    21 Bookmarks

    0 Replies

    0 Quotes

  15. ‼️ Next.js Security Update: December 11, 2025 Two new React Server Components bugs affect Next.js App Router apps: a DoS infinite-loop hang (CVE-2025-55183, CVE-2025-55184) and Server Function source-code exposure (CVE-2025-55183) #code https://t.co/iOUVVrGSRL

    @onix_react

    12 Dec 2025

    63 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  16. NEW React/Next.JS VULNERABILITIES JUST DROPPED 🔪 CVE-2025-55183 and CVE-2025-55184 React dropping new bangers every week 🗿 https://t.co/P4J0dW3zYc

    @visharadup

    12 Dec 2025

    136 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. [Follow-up / Urgent] Additional vulnerabilities in React Server Components (CVE-2025-55184 / CVE-2025-55183). The previous patch was also incomplete; updating again is required [covers Next.js / Bun] https://t.co/2wrFz1La0j #Qiitaアドカレ #Qiita via @PythonHaru

    @yousukezan

    12 Dec 2025

    10376 Impressions

    35 Retweets

    124 Likes

    68 Bookmarks

    0 Replies

    2 Quotes

  18. 🚨 Two new React Server Components (Next.js App Router) vulnerabilities disclosed: • CVE-2025-55184 (High) – DoS via malicious RSC payload → server hangs & CPU spike • CVE-2025-55183 (Medium) – Leak compiled Server Actions source code (business logic exposure)

    @cletuskingdom

    12 Dec 2025

    179 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  19. 🚨 URGENT: The React2Shell fix wasn't enough! New critical React Server Components vulnerabilities just dropped (CVE-2025-55184 DoS + CVE-2025-55183 source code leak) after researchers dug deeper into the original patches. These are separate from last week's RCE (still https:

    @ronibhakta1

    12 Dec 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. 🚨React Server Component has discovered more CVEs : - CVE-2025-55184 (DoS) - CVE-2025-67779 (DoS) - CVE-2025-55183 (Source code disclosure) Versions affected : 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.1.2, 19.2.0, 19.2.1 and 19.2.2 of: - react-server-dom-webpack -

    @ValkyriSecurity

    12 Dec 2025

    363 Impressions

    1 Retweet

    6 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. I posted an article! [Follow-up / Urgent] Additional vulnerabilities in React Server Components (CVE-2025-55184 / CVE-2025-... [Security] on #Qiita https://t.co/U62WCFnDO3

    @PythonHaru

    12 Dec 2025

    37 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. [New] React just found more bugs hiding in its last big patch. 🧩 CVE-2025-55184 & CVE-2025-67779 — can crash servers with one request. 🧩 CVE-2025-55183 — can leak source code from React Server Components. 👀 All discovered while testing the earlier CVE-2025-5518

    @TheHackersNews

    12 Dec 2025

    10589 Impressions

    31 Retweets

    112 Likes

    24 Bookmarks

    2 Replies

    2 Quotes

  23. another day, another rsc vulnerability. → first, we’ve got cve-2025-55184 - a denial-of-service issue. ⋅ the core problem is simple: the rsc deserializer had no cycle detection. if someone sends a payload with circular refs or just absurdly deep nesting, the parser falls

    @sanyampunia

    12 Dec 2025

    524 Impressions

    0 Retweets

    2 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  24. CVE-2025-55184 PoC https://t.co/l9kioPMATF https://t.co/XZjseKOjIY

    @penligent

    12 Dec 2025

    227 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  25. i keep getting email every day from talha tariq for "CVE-2025-55184 and CVE-2025-55183 in the React Server Components (RSC) implementation, affecting frameworks such as Next.js. Update application with latest patch." what vibe coding does to you

    @archiexzzz

    12 Dec 2025

    22161 Impressions

    8 Retweets

    381 Likes

    31 Bookmarks

    18 Replies

    4 Quotes

  26. CVE-2025-55184 in React Server Components, reported by our security researcher RyotaK @ryotkak, has been disclosed. Even if you have applied the fix for React2Shell (CVE-2025-55182), you are still affected by this vulnerability, so please update again. While this does not lead

    @flatt_sec_en

    12 Dec 2025

    664 Impressions

    0 Retweets

    5 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  27. The vulnerability (CVE-2025-55184) that our security researcher RyotaK @ryotkak reported in React Server Components has been disclosed.

    @flatt_security

    12 Dec 2025

    8954 Impressions

    24 Retweets

    96 Likes

    26 Bookmarks

    0 Replies

    0 Quotes

  28. 🚨 React Server Components [—] Dec 12, 2025 Comprehensive security advisory focusing on multiple recent critical vulnerabilities (including CVE-2025-55182, CVE-2025-55184, CVE-2025-55183, CVE-2025-67779) affecting React Server Components and related frameworks. Detailed... ht

    @transilienceai

    12 Dec 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  29. In my testing, the React 18 series versions are also affected by CVE-2025-55184; how come the maintainers haven't announced it..

    @coderleilei

    12 Dec 2025

    81 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

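  30. ⚠️ [Urgent security alert] High-risk vulnerabilities found in Next.js, please update immediately! Attention, fellow developers! The Vercel security team has just published notices about two new security vulnerabilities in the Next.js App Router (RSC). Although there is currently no evidence of attacks, everyone is advised to promptly take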

    @Satoshi_wkkwu

    12 Dec 2025

    137 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  31. Again? In less than a week we have TWO more vulnerabilities targeting React. CVE-2025-55183 - information leak vulnerability CVE-2025-55184 - A pre-authentication denial of service vulnerability Upgrade your apps again.... https://t.co/35GNIUuXN9

    @itsdevdaniel

    12 Dec 2025

    482 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  32. Woke up to more React Server Component (RSC) security news! 🚨 It's a rough morning for developers. Two new vulnerabilities disclosed: High-Severity DoS (CVE-2025-55184/67779) Medium-Severity Source Code Exposure (CVE-2025-55183) PATCH IMMEDIATELY😮‍💨 https://t.co/MmBp

    @AryaAmour08

    12 Dec 2025

    250 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  33. New React RSC vulnerabilities just dropped! CVE-2025-55184 and CVE-2025-55183, detailed in the latest Next.js & React security bulletins. Initial patches in React 19.0.1/19.1.2/19.2.1 turned out incomplete, leading to a new DoS vuln CVE-2025-67779 https://t.co/xD9Th3fRHk

    @sunggatalimbet

    12 Dec 2025

    370 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  34. HEADS UP, React Devs! ⚠️ There is another **critical** vulnerability (CVE-2025-55184) in React. Hackers are already exploiting it for RCE and DoS. If you use React or Next.js, UPDATE NOW! Cloudflare had an outage because of its emergency patch. Your app is at risk! #React #Ciberseg

    @GagoDevM

    11 Dec 2025

    130 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  35. 🚨 React has disclosed two new, additional vulnerabilities to the critical RCE vuln of last week - CVE-2025-55183 and CVE-2025-55184. Patches are available and urged to be applied immediately. Track live attacks against React honeypots 👉https://t.co/GXFaqggV8a https://t.co

    @DefusedCyber

    11 Dec 2025

    5241 Impressions

    19 Retweets

    77 Likes

    20 Bookmarks

    0 Replies

    1 Quote

  36. Two new React Server Component vulnerabilities were just disclosed: 🔹 CVE-2025-55183: Info disclosure via coerced server function args 🔹 CVE-2025-55184: DoS via infinite promise recursion We've deployed Adaptive Security Engine Rapid Rules. Learn more: https://t.co/FhZApc5

    @akamai_research

    11 Dec 2025

    5628 Impressions

    2 Retweets

    8 Likes

    0 Bookmarks

    0 Replies

    2 Quotes

  37. Cloudflare has released new emergency WAF rules addressing the following CVE to enhance customer protection.  * React - Leaking Server Functions (CVE-2025-55183)  * React - DoS (CVE-2025-55184) https://t.co/SdCU2jeMiQ

    @Cloudforce_One

    11 Dec 2025

    1594 Impressions

    5 Retweets

    21 Likes

    3 Bookmarks

    2 Replies

    0 Quotes

Configurations