CVE-2025-55184

⚠️ high

Summary

A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

CVSS Score

7.5

High

EPSS Score

20.7

Exploit Probability

Published Date

2025-12-11

First Seen: 2026-01-05

📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 69.0% of all 323,894 vulnerabilities in our database.

#100,292

Above average severity

Severity Percentile

🎯 CISA SSVC Assessment Updated: Dec 15, 2025

🔍 Exploitation Status

Poc

Proof-of-concept available

⚙️ Automatable

YES

Can be exploited automatically

💥 Technical Impact

Partial

Limited system impact

SSVC data provided by CISA

Last Modified 2025-12-15

Source NVD 🔗

CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE IDs (Weakness Types)

CWE-502

📦 Affected Products 13

Vendor	Product	Status	Affected Versions
facebook	react	Affected	≥ 19.0.0 < 19.0.2
facebook	react	Affected	≥ 19.1.0 < 19.1.3
facebook	react	Affected	≥ 19.2.0 < 19.2.2
vercel	next.js	Affected	≥ 13.3.0 < 14.2.35
vercel	next.js	Affected	≥ 15.0.0 < 15.0.7
vercel	next.js	Affected	≥ 15.1.0 < 15.1.11
vercel	next.js	Affected	≥ 15.2.0 < 15.2.8
vercel	next.js	Affected	≥ 15.3.0 < 15.3.8
vercel	next.js	Affected	≥ 15.4.0 < 15.4.10
vercel	next.js	Affected	≥ 15.5.0 < 15.5.9
vercel	next.js	Affected	≥ 16.0.0 < 16.0.10
vercel	next.js	Affected	v15.6.0
vercel	next.js	Affected	v16.1.0

💣 Public Exploits 1 PRO

Loading exploit information...

🔗 References 3

https://react.dev/blog/2025/12/11/denial-of-service-...

Vendor Advisory

https://www.facebook.com/security/advisories/cve-202...

Vendor Advisory

https://github.com/KingHacker353/CVE-2025-55184

🔗 Related CVEs 6

CVE ID	Severity	CVSS	EPSS	Summary	Published
CVE-2026-44572	ℹ️ low	3.7	0.0	Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an exte...	2026-05-13
CVE-2026-44573	⚠️ high	7.5	0.0	Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applica...	2026-05-13
CVE-2026-44574	⚠️ high	8.1	0.0	Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2.5, applica...	2026-05-13
CVE-2026-44575	⚠️ high	7.5	0.0	Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Rou...	2026-05-13
CVE-2026-44576	🔶 medium	5.4	0.0	Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applica...	2026-05-13
CVE-2026-44578	⚠️ high	8.6	4.0	Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-h...	2026-05-13

These CVEs affect the same products