CVE-2025-55184
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-11

Last updated on: 2025-12-15

Assigner: Facebook, Inc.

Description
A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-11
Last Modified
2025-12-15
Generated
2026-06-16
AI Q&A
2025-12-11
EPSS Evaluated
2026-06-15
NVD
CVE-2025-55184
Affected Vendors & Products
Showing 92 associated CPEs
Vendor Product Version / Range
facebook react From 19.0.0 (inc) to 19.0.2 (exc)
facebook react From 19.1.0 (inc) to 19.1.3 (exc)
facebook react From 19.2.0 (inc) to 19.2.2 (exc)
vercel next.js From 13.3.0 (inc) to 14.2.35 (exc)
vercel next.js From 15.0.0 (inc) to 15.0.7 (exc)
vercel next.js From 15.1.0 (inc) to 15.1.11 (exc)
vercel next.js From 15.2.0 (inc) to 15.2.8 (exc)
vercel next.js From 15.3.0 (inc) to 15.3.8 (exc)
vercel next.js From 15.4.0 (inc) to 15.4.10 (exc)
vercel next.js From 15.5.0 (inc) to 15.5.9 (exc)
vercel next.js From 16.0.0 (inc) to 16.0.10 (exc)
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a pre-authentication denial of service issue in certain versions of React Server Components. It occurs because the software unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can trigger an infinite loop that hangs the server process and stops it from handling further requests.

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade React Server Components packages to fixed versions 19.0.2, 19.1.3, or 19.2.2. Users who updated for the prior critical vulnerability must update again, as earlier patches remain vulnerable. The fix prevents unsafe deserialization that causes infinite loops and denial of service. Additionally, coordinate with hosting providers for any temporary mitigations if applicable. [1]

Detection Guidance

Detection involves monitoring for unusual server behavior such as infinite loops or server hangs caused by crafted HTTP requests to Server Function endpoints. Specific commands are not provided in the resources, but network monitoring tools could be used to detect repeated or malformed HTTP requests targeting these endpoints. Additionally, checking server logs for repeated deserialization errors or high CPU usage may indicate exploitation attempts. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade React Server Components packages to fixed versions 19.0.2, 19.1.3, or 19.2.2. Users who updated for the prior critical vulnerability must update again, as earlier patches remain vulnerable. Temporary mitigations were coordinated with hosting providers, but the React team strongly recommends immediate package upgrades to prevent exploitation. [1]

Impact Analysis

The impact of this vulnerability is that an attacker can cause the server to hang indefinitely by sending specially crafted requests, leading to a denial of service where legitimate users cannot access the server or its services.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-55184. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart