CVEFinder.io

CVE-2025-67779

⚠ī¸ high
🔍 Scan for this CVE
Summary

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

CVSS Score
7.5
High
EPSS Score
0.1
Exploit Probability
Published Date
2025-12-12
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 69.0% of all 323,894 vulnerabilities in our database.

#100,292
Above average severity
Severity Percentile
đŸŽ¯ CISA SSVC Assessment Updated: Dec 12, 2025
🔍 Exploitation Status
None
No known exploits
⚙ī¸ Automatable
YES
Can be exploited automatically
đŸ’Ĩ Technical Impact
Partial
Limited system impact
SSVC data provided by CISA
Last Modified 2025-12-12
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE IDs (Weakness Types)
CWE-502 CWE-400

đŸ“Ļ Affected Products 13

Vendor Product Status Affected Versions
facebook react Affected
v19.0.2
facebook react Affected
v19.1.3
facebook react Affected
v19.2.2
vercel next.js Affected
≥ 13.3.0 < 14.2.35
vercel next.js Affected
≥ 15.0.0 < 15.0.7
vercel next.js Affected
≥ 15.1.0 < 15.1.11
vercel next.js Affected
≥ 15.2.0 < 15.2.8
vercel next.js Affected
≥ 15.3.0 < 15.3.8
vercel next.js Affected
≥ 15.4.0 < 15.4.10
vercel next.js Affected
≥ 15.5.0 < 15.5.9
vercel next.js Affected
≥ 16.0.0 < 16.0.10
vercel next.js Affected
v15.6.0
vercel next.js Affected
v16.1.0

🔗 References 2

https://react.dev/blog/2025/12/11/denial-of-service-...
Vendor Advisory
https://www.facebook.com/security/advisories/cve-202...
Vendor Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-44572 ℹī¸ low 3.7 0.0 Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an exte... 2026-05-13
CVE-2026-44573 ⚠ī¸ high 7.5 0.0 Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applica... 2026-05-13
CVE-2026-44574 ⚠ī¸ high 8.1 0.0 Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2.5, applica... 2026-05-13
CVE-2026-44575 ⚠ī¸ high 7.5 0.0 Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Rou... 2026-05-13
CVE-2026-44576 đŸ”ļ medium 5.4 0.0 Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applica... 2026-05-13
CVE-2026-44578 ⚠ī¸ high 8.6 4.0 Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-h... 2026-05-13
These CVEs affect the same products