CVE-2025-55184
BaseFortify
Publication date: 2025-12-11
Last updated on: 2025-12-15
Assigner: Facebook, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| react | From 19.0.0 (inc) to 19.0.2 (exc) | |
| react | From 19.1.0 (inc) to 19.1.3 (exc) | |
| react | From 19.2.0 (inc) to 19.2.2 (exc) | |
| vercel | next.js | From 13.3.0 (inc) to 14.2.35 (exc) |
| vercel | next.js | From 15.0.0 (inc) to 15.0.7 (exc) |
| vercel | next.js | From 15.1.0 (inc) to 15.1.11 (exc) |
| vercel | next.js | From 15.2.0 (inc) to 15.2.8 (exc) |
| vercel | next.js | From 15.3.0 (inc) to 15.3.8 (exc) |
| vercel | next.js | From 15.4.0 (inc) to 15.4.10 (exc) |
| vercel | next.js | From 15.5.0 (inc) to 15.5.9 (exc) |
| vercel | next.js | From 16.0.0 (inc) to 16.0.10 (exc) |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 16.1.0 |
| vercel | next.js | 16.1.0 |
| vercel | next.js | 16.1.0 |
| vercel | next.js | 16.1.0 |
| vercel | next.js | 16.1.0 |
| vercel | next.js | 16.1.0 |
| vercel | next.js | 16.1.0 |
| vercel | next.js | 16.1.0 |
| vercel | next.js | 16.1.0 |
| vercel | next.js | 16.1.0 |
| vercel | next.js | 16.1.0 |
| vercel | next.js | 16.1.0 |
| vercel | next.js | 16.1.0 |
| vercel | next.js | 16.1.0 |
| vercel | next.js | 16.1.0 |
| vercel | next.js | 16.1.0 |
| vercel | next.js | 16.1.0 |
| vercel | next.js | 16.1.0 |
| vercel | next.js | 16.1.0 |
| vercel | next.js | 16.1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade React Server Components packages to fixed versions 19.0.2, 19.1.3, or 19.2.2. Users who updated for the prior critical vulnerability must update again, as earlier patches remain vulnerable. The fix prevents unsafe deserialization that causes infinite loops and denial of service. Additionally, coordinate with hosting providers for any temporary mitigations if applicable. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring for unusual server behavior such as infinite loops or server hangs caused by crafted HTTP requests to Server Function endpoints. Specific commands are not provided in the resources, but network monitoring tools could be used to detect repeated or malformed HTTP requests targeting these endpoints. Additionally, checking server logs for repeated deserialization errors or high CPU usage may indicate exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade React Server Components packages to fixed versions 19.0.2, 19.1.3, or 19.2.2. Users who updated for the prior critical vulnerability must update again, as earlier patches remain vulnerable. Temporary mitigations were coordinated with hosting providers, but the React team strongly recommends immediate package upgrades to prevent exploitation. [1]
Can you explain this vulnerability to me?
This vulnerability is a pre-authentication denial of service issue in certain versions of React Server Components. It occurs because the software unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can trigger an infinite loop that hangs the server process and stops it from handling further requests.
How can this vulnerability impact me? :
The impact of this vulnerability is that an attacker can cause the server to hang indefinitely by sending specially crafted requests, leading to a denial of service where legitimate users cannot access the server or its services.