CVE-2025-55184

Published Dec 11, 2025

Last updated a month ago

CVSS high 7.5
React Server Components

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-55184 is a denial-of-service vulnerability affecting React Server Components (RSC) in versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1. It exists because the affected code unsafely deserializes payloads from HTTP requests to Server Function endpoints. This can lead to an infinite loop that hangs the server process, preventing it from serving future HTTP requests. The vulnerability can be triggered by sending a specially crafted HTTP request to any App Router endpoint. Exploitation does not require authentication and can be achieved with basic HTTP request crafting skills. An initial fix for this vulnerability was incomplete, and a complete fix has been issued under CVE-2025-67779.

Description
A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
Source: cve-assign@fb.com
NVD status: Modified
Products: react, next.js

Risk scores

CVSS 3.1

Type: Secondary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: HIGH

Weaknesses

nvd@nist.gov: CWE-502

Social media

Hype score
Not currently trending
  1. 🚨 CVE-2025-55184: React & Next.js DoS Vulnerability PoC: https://t.co/cUvVXvcRIZ https://t.co/jC2QKQjuGB

    @DarkWebInformer

    5 Jan 2026

    4632 Impressions

    1 Retweet

    17 Likes

    9 Bookmarks

    2 Replies

    0 Quotes

  2. 🚨 Weaponized & Active The React vulnerabilities we warned about? They are now fueling a large-scale espionage campaign. CVE-2025-55184 (High) CVE-2025-55183 (Medium) Don't let your assets become part of their intel. 3.1M+ Targets identified by ZoomEye. 👇 Hunt for expos

    @zoomeye_team

    24 Dec 2025

    4324 Impressions

    17 Retweets

    61 Likes

    26 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 Next.js [—] Dec 22, 2025 Comprehensive Security Advisory on Recent Next.js Vulnerabilities (CVE-2025-55184, CVE-2025-55183, CVE-2025-67779) and Mitigation Strategies Checkout our Threat Intelligence Platform: https://t.co/QuwNtEgYh1... https://t.co/c6A6vTB3Ak

    @transilienceai

    22 Dec 2025

    72 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🚨React Security Alert 🚨 Two critical CVEs impacting React Server Components: 🔴 CVE-2025-55184 🟠 CVE-2025-55183 If you run React / Next.js in prod, this matters. Full analysis 👇 🔗 https://t.co/M3qqD5QffB #React #NextJS #CyberSecurity #DevSecOps #WebSecurity #I

    @HowTo1833326

    19 Dec 2025

    12 Impressions

    1 Retweet

    2 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  5. 🚨 React Security Alert 🚨 Two critical CVEs Impacting React Server Components: 🔴 CVE-2025-55184 🟠 CVE-2025-55183 If you run React / Next.js in prod, this matters. Full analysis 👇 🔗 https://t.co/crVnY9xaja #React #NextJS #CyberSecurity #DevSecOps #WebSecurit

    @Phill_CTH

    19 Dec 2025

    79 Impressions

    0 Retweets

    2 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  6. 🚨 React Security Alert 🚨 Two critical CVEs impacting React Server Components: 🔴 CVE-2025-55184 🟠 CVE-2025-55183 If you run React / Next.js in prod, this matters. Full analysis 👇 🔗 https://t.co/crVnY9xaja #React #NextJS #CyberSecurity #DevSecOps #WebSecurity #

    @Phill_CTH

    19 Dec 2025

    74 Impressions

    0 Retweets

    2 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  7. 🚨 React Security Alert 🚨 Two Critical CVEs impacting React Server Components: 🔴 CVE-2025-55184 🟠 CVE-2025-55183 If you run React / Next.js in prod, this matters. Full analysis 👇 🔗 https://t.co/crVnY9xaja #React #NextJS #CyberSecurity #DevSecOps #WebSecurity #

    @Phill_CTH

    19 Dec 2025

    74 Impressions

    1 Retweet

    2 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  8. 🚨React Security Alert 🚨 Two critical CVEs impacting React Server Components: 🔴 CVE-2025-55184 🟠 CVE-2025-55183 If you run React / Next.js in prod, this matters. Full analysis 👇 🔗 https://t.co/crVnY9xaja #React #NextJS #CyberSecurity #DevSecOps #WebSecurity #I

    @Phill_CTH

    19 Dec 2025

    77 Impressions

    2 Retweets

    2 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  9. New vulnerabilities in React (CVE-2025-55184 / CVE-2025-67779 / CVE-2025-55183). These are separate from "React2Shell (CVE-2025-55182)", and patches need to be applied again. https://t.co/c28h7dLKXa #セキュリティ対策Lab #セキュリティ #Security #

    @securityLab_jp

    16 Dec 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. Update on React2Shell guidance. After fixes for CVE-2025-55182, additional vulnerabilities were identified in React Server Components (CVE-2025-55183, CVE-2025-55184, CVE-2025-67779). These are not RCE issues, but the original patches do not fully address them and a follow-on

    @Averlon_ai

    15 Dec 2025

    83 Impressions

    1 Retweet

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. #Threat_Research 1⃣. DoS and Source Code Exposure in React Server Components - https://t.co/o3SApLEhEv // After last week's critical patch, three more, but less critical, vulnerabilities were identified in React Server Components (CVE-2025-55184, CVE-2025-67779, CVE-2025-55183

    @ksg93rd

    15 Dec 2025

    223 Impressions

    0 Retweets

    2 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  12. 1. Take on a React development outsourcing job 2. A Denial of Service vulnerability is discovered (CVE-2025-55184, CVE-2025-67779) 3. Use the vulnerability in the deliverable and wait to be contacted 4. Profit https://t.co/CUg6H5qRND

    @H2Owater425

    15 Dec 2025

    72 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. Ugh — spent half my day wrestling with yet another set of dependency CVEs in React Server Components. When will this stop? Quick reality check: ❗Multiple repos flagged ❗Vulnerabilities: CVE-2025-55183 / CVE-2025-55184 (React Server Components / related) https://t.co/GvJH8Tb

    @becodewala

    15 Dec 2025

    151 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  14. 🍎 Apple fixes two zero-days that may have been exploited in an "extremely sophisticated attack": CVE-2025-43529, CVE-2025-14174 🚨 New React vulnerabilities may allow DoS and source code leaks (CVE-2025-55184, CVE-2025-67779, CVE-2025-55183)

    @MachinaRecord

    15 Dec 2025

    333 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. Fix one, get another one free ??? CVE-2025-55184, CVE-2025-55183 https://t.co/Cwg5u2YLTr

    @Immerse_code

    14 Dec 2025

    113 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. 🚨 New React Server Components vulns dropped last week (Dec 11): Researchers found DoS (CVE-2025-55184 & CVE-2025-67779) + source code exposure (CVE-2025-55183) while poking at React2Shell patches. Separate from the RCE—those fixes still hold.

    @anilvermaspeaks

    14 Dec 2025

    51 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  17. 🚨 Urgent WAF update! 🚨 We've released emergency rules to protect against server-function exposure (CVE-2025-55183) & resource exhaustion (CVE-2025-55184). Enhanced security for your apps! 🛡️ https://t.co/ikyIQ9QaLX

    @mveracf

    13 Dec 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. 🚨 Urgent WAF update! 🚨 New rules now protect against server-function exposure (CVE-2025-55183) & React Function DoS attacks (CVE-2025-55184). Enhanced security & app availability! 🛡️ https://t.co/o78blYpjnl

    @CFchangelog

    13 Dec 2025

    1080 Impressions

    6 Retweets

    29 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  19. Another one React Server Components Denial of Service - High Severity: CVE-2025-55184 and CVE-2025-67779 (CVSS 7.5) Source Code Exposure - Medium Severity: CVE-2025-55183 (CVSS 5.3) https://t.co/GbSdu7ZDYe #REACT #Exploit #Security https://t.co/30xwa9eCkz

    @ZoltanSEC

    13 Dec 2025

    48 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. Two new vulnerabilities disclosed: High-Severity DoS (CVE-2025-55184/67779) Medium-Severity Source Code Exposure (CVE-2025-55183) https://t.co/b1s5C96F3p

    @AryaAmour08

    13 Dec 2025

    75 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  21. 🚨 New Finding Alert 🚨 Excited to report a High Severity (8.2) vulnerability on @yeswehack! Found a DoS via Unsafe Deserialization in React Server Components. 🆔 CVE-2025-55184 Consistency is key in this game. 💻🔒 #BugBounty #AppSec #ReactJS #YesWeHack #Infosec #CVE h

    @BgmiKaam41919

    13 Dec 2025

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. React team warns of 3 new RSCs vulns: CVE-2025-55184 & CVE-2025-67779 cause infinite loops to crash servers. https://t.co/1vmVXWEOww https://t.co/kDBnmAd4ev

    @MateusGalasso

    13 Dec 2025

    52 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. React2Shell Post-Mortem (CVE-2025-55184 / 67779 / 55183) Three High-severity vulns dropped → DoS + RCE + source code leaks possible in just hours. Our outcome? Zero production impact despite CVSS 7.5 How we survived: - Dependabot alerts - Patches deployed quickly and full htt

    @GuatemalanJason

    12 Dec 2025

    149 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  24. waiting for the inevitable dup. tag on a high bug lol #CVE-2025-55184 https://t.co/BS9Iw23M5G

    @artuc05

    12 Dec 2025

    141 Impressions

    0 Retweets

    2 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  25. Just one week after their first request to update the vulnerable libraries, the React team is back asking for the same thing again. This time researchers discovered two vulnerabilities that could be annoying. CVE-2025-55184 and CV

    @altmemy199

    12 Dec 2025

    1297 Impressions

    0 Retweets

    14 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  26. CVE-2025-55184

    @Zephyrdev_

    12 Dec 2025

    85 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  27. discussing vulnerabilities like CVE-2025-55184 type shi https://t.co/mfZ6jfehpp

    @owenmilgram

    12 Dec 2025

    106 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  28. discussing vulnerabilities like CVE-2025-55184 type shi https://t.co/sv8A5h3aVF

    @owenmilgram

    12 Dec 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  29. CVE-2025-67779 It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. Reac… https://t.co/vWb89mOv8Q

    @CVEnew

    12 Dec 2025

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  30. CVE-2025-55184 nuclei template https://t.co/ressj9IrQN #cve #nuclei #REACT https://t.co/xlS95q48zy

    @sirifu4k1

    12 Dec 2025

    1071 Impressions

    5 Retweets

    20 Likes

    13 Bookmarks

    0 Replies

    0 Quotes

  31. 🚨 CVE-2025-55184 - high 🚨 React Server Components - Denial of Service > React Server Components 19.0.0 to 19.2.1 including react-server-dom-parcel, react-ser... 👾 https://t.co/Jxv11Wy1pN @pdnuclei #NucleiTemplates #cve

    @pdnuclei_bot

    12 Dec 2025

    2697 Impressions

    9 Retweets

    41 Likes

    21 Bookmarks

    0 Replies

    0 Quotes

  32. ‼️ Next.js Security Update: December 11, 2025 Two new React Server Components bugs affect Next.js App Router apps: a DoS infinite-loop hang (CVE-2025-55183, CVE-2025-55184) and Server Function source-code exposure (CVE-2025-55183) #code https://t.co/iOUVVrGSRL

    @onix_react

    12 Dec 2025

    63 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  33. NEW React/Next.JS VULNERABILITIES JUST DROPPED 🔪 CVE-2025-55183 and CVE-2025-55184 React dropping new bangers every week 🗿 https://t.co/P4J0dW3zYc

    @visharadup

    12 Dec 2025

    136 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  34. [Follow-up / Urgent] Additional vulnerabilities in React Server Components (CVE-2025-55184 / CVE-2025-55183). The previous patch was also incomplete, so updating again is required [covers Next.js / Bun] https://t.co/2wrFz1La0j #Qiitaアドカレ #Qiita from @PythonHaru

    @yousukezan

    12 Dec 2025

    10376 Impressions

    35 Retweets

    124 Likes

    68 Bookmarks

    0 Replies

    2 Quotes

  35. 🚨 Two new React Server Components (Next.js App Router) vulnerabilities disclosed: • CVE-2025-55184 (High) – DoS via malicious RSC payload → server hangs & CPU spike • CVE-2025-55183 (Medium) – Leak compiled Server Actions source code (business logic exposure)

    @cletuskingdom

    12 Dec 2025

    179 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  36. 🚨 URGENT: The React2Shell fix wasn't enough! New critical React Server Components vulnerabilities just dropped (CVE-2025-55184 DoS + CVE-2025-55183 source code leak) after researchers dug deeper into the original patches. These are separate from last week's RCE (still https:

    @ronibhakta1

    12 Dec 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  37. 🚨React Server Component has discovered more CVEs : - CVE-2025-55184 (DoS) - CVE-2025-67779 (DoS) - CVE-2025-55183 (Source code disclosure) Versions affected : 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.1.2, 19.2.0, 19.2.1 and 19.2.2 of: - react-server-dom-webpack -

    @ValkyriSecurity

    12 Dec 2025

    363 Impressions

    1 Retweet

    6 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  38. I posted an article! [Follow-up / Urgent] Additional vulnerabilities in React Server Components (CVE-2025-55184 / CVE-2025-... [Security] on #Qiita https://t.co/U62WCFnDO3

    @PythonHaru

    12 Dec 2025

    37 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  39. [New] React just found more bugs hiding in its last big patch. 🧩 CVE-2025-55184 & CVE-2025-67779 — can crash servers with one request. 🧩 CVE-2025-55183 — can leak source code from React Server Components. 👀 All discovered while testing the earlier CVE-2025-5518

    @TheHackersNews

    12 Dec 2025

    10589 Impressions

    31 Retweets

    112 Likes

    24 Bookmarks

    2 Replies

    2 Quotes

  40. another day, another rsc vulnerability. → first, we’ve got cve-2025-55184 - a denial-of-service issue. ⋅ the core problem is simple: the rsc deserializer had no cycle detection. if someone sends a payload with circular refs or just absurdly deep nesting, the parser falls

    @sanyampunia

    12 Dec 2025

    524 Impressions

    0 Retweets

    2 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  41. CVE-2025-55184 PoC https://t.co/l9kioPMATF https://t.co/XZjseKOjIY

    @penligent

    12 Dec 2025

    227 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  42. i keep getting email every day from talha tariq for "CVE-2025-55184 and CVE-2025-55183 in the React Server Components (RSC) implementation, affecting frameworks such as Next.js. Update application with latest patch." what vibe coding does to you

    @archiexzzz

    12 Dec 2025

    22161 Impressions

    8 Retweets

    381 Likes

    31 Bookmarks

    18 Replies

    4 Quotes

  43. CVE-2025-55184 in React Server Components, reported by our security researcher RyotaK @ryotkak, has been disclosed. Even if you have applied the fix for React2Shell (CVE-2025-55182), you are still affected by this vulnerability, so please update again. While this does not lead

    @flatt_sec_en

    12 Dec 2025

    664 Impressions

    0 Retweets

    5 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  44. The vulnerability (CVE-2025-55184) that our security researcher RyotaK @ryotkak reported in React Server Components has been disclosed.

    @flatt_security

    12 Dec 2025

    8954 Impressions

    24 Retweets

    96 Likes

    26 Bookmarks

    0 Replies

    0 Quotes

  45. 🚨 React Server Components [—] Dec 12, 2025 Comprehensive security advisory focusing on multiple recent critical vulnerabilities (including CVE-2025-55182, CVE-2025-55184, CVE-2025-55183, CVE-2025-67779) affecting React Server Components and related frameworks. Detailed... ht

    @transilienceai

    12 Dec 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  46. In my testing, the React 18 series is also affected by CVE-2025-55184; why hasn't this been officially announced..

    @coderleilei

    12 Dec 2025

    81 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

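  47. ⚠️ [Urgent security alert] High-risk vulnerabilities found in Next.js, please update immediately! Developers, take note! The Vercel security team has just published a notice about two new security vulnerabilities in Next.js App Router (RSC). Although there is currently no evidence of attacks, everyone is advised to promptly take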

    @Satoshi_wkkwu

    12 Dec 2025

    137 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  48. Again? In less than a week we have TWO more vulnerabilities targeting React. CVE-2025-55183 - information leak vulnerability CVE-2025-55184 - A pre-authentication denial of service vulnerability Upgrade your apps again.... https://t.co/35GNIUuXN9

    @itsdevdaniel

    12 Dec 2025

    482 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  49. Woke up to more React Server Component (RSC) security news! 🚨 It's a rough morning for developers. Two new vulnerabilities disclosed: High-Severity DoS (CVE-2025-55184/67779) Medium-Severity Source Code Exposure (CVE-2025-55183) PATCH IMMEDIATELY😮‍💨 https://t.co/MmBp

    @AryaAmour08

    12 Dec 2025

    250 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  50. New React RSC vulnerabilities just dropped! CVE-2025-55184 and CVE-2025-55183, detailed in the latest Next.js & React security bulletins. Initial patches in React 19.0.1/19.1.2/19.2.1 turned out incomplete, leading to a new DoS vuln CVE-2025-67779 https://t.co/xD9Th3fRHk

    @sunggatalimbet

    12 Dec 2025

    370 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

Configurations