CVE-2025-55184

critical-risk

Published 2025-12-11

A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

Do I need to act?

26.2% chance of exploitation in next 30 days

EPSS score — higher than 74% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (20)

React

Next.Js

Affected Vendors

Facebook Vercel

References (3)

Vendor Advisory https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-...

Vendor Advisory https://www.facebook.com/security/advisories/cve-2025-55184

https://github.com/KingHacker353/CVE-2025-55184

/ 100

critical-risk

Severity 26/34 · High

Exploitability 15/34 · Moderate

Exposure 29/34 · Critical