CVE-2025-67779

⚠️ high

Summary

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

CVSS Score

7.5

High

EPSS Score

0.1

Exploit Probability

Published Date

2025-12-12

First Seen: 2026-01-05

📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 69.4% of all 317,883 vulnerabilities in our database.

#97,299

Above average severity

Severity Percentile

🎯 CISA SSVC Assessment Updated: Dec 12, 2025

🔍 Exploitation Status

None

No known exploits

⚙️ Automatable

YES

Can be exploited automatically

💥 Technical Impact

Partial

Limited system impact

SSVC data provided by CISA

Last Modified 2025-12-12

Source NVD 🔗

CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE IDs (Weakness Types)

CWE-502 CWE-400

📦 Affected Products 13

Vendor	Product	Status	Affected Versions
facebook	react	Affected	v19.0.2
facebook	react	Affected	v19.1.3
facebook	react	Affected	v19.2.2
vercel	next.js	Affected	≥ 13.3.0 < 14.2.35
vercel	next.js	Affected	≥ 15.0.0 < 15.0.7
vercel	next.js	Affected	≥ 15.1.0 < 15.1.11
vercel	next.js	Affected	≥ 15.2.0 < 15.2.8
vercel	next.js	Affected	≥ 15.3.0 < 15.3.8
vercel	next.js	Affected	≥ 15.4.0 < 15.4.10
vercel	next.js	Affected	≥ 15.5.0 < 15.5.9
vercel	next.js	Affected	≥ 16.0.0 < 16.0.10
vercel	next.js	Affected	v15.6.0
vercel	next.js	Affected	v16.1.0

🔗 References 2

https://react.dev/blog/2025/12/11/denial-of-service-...

Vendor Advisory

https://www.facebook.com/security/advisories/cve-202...

Vendor Advisory

🔗 Related CVEs 6

CVE ID	Severity	CVSS	EPSS	Summary	Published
CVE-2026-27977	🔶 medium	5.4	0.0	Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 1...	2026-03-18
CVE-2026-27978	🔶 medium	4.3	0.0	Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 1...	2026-03-18
CVE-2026-27979	⚠️ high	7.5	0.0	Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 1...	2026-03-18
CVE-2026-27980	⚠️ high	7.5	0.0	Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 1...	2026-03-18
CVE-2026-29057	🔶 medium	6.5	0.1	Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 1...	2026-03-18
CVE-2026-23864	⚠️ high	7.5	0.9	Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-ser...	2026-01-26

These CVEs affect the same products