CVE-2025-67779

high-risk

Published 2025-12-12

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

Do I need to act?

0.38% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (20)

React

Next.Js

Affected Vendors

Facebook Vercel

References (2)

Vendor Advisory https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-...

Vendor Advisory https://www.facebook.com/security/advisories/cve-2025-67779

/ 100

high-risk

Severity 26/34 · High

Exploitability 1/34 · Minimal

Exposure 29/34 · Critical