CVE-2025-55184
published 2025-12-11


Priority: P1 82
Severity: High, 7.5 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitation: Exploited in the wild (VulnCheck KEV)
EPSS: 65.59% (99.2th percentile)
A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

Affected

63 ranges · showing 25

Vendor    Product                     Version range         Fixed in
facebook  react                       -                     -
facebook  react                       -                     -
facebook  react                       -                     -
facebook  react                       >= 19.0.0 < 19.0.2    19.0.2
facebook  react                       >= 19.1.0 < 19.1.3    19.1.3
facebook  react                       >= 19.2.0 < 19.2.2    19.2.2
meta      react-server-dom-parcel     >= 19.0.0 < 19.0.2    19.0.2
meta      react-server-dom-parcel     >= 19.0.2 < 19.0.3    19.0.3
meta      react-server-dom-parcel     19.0.2 - 19.0.2       -
meta      react-server-dom-parcel     >= 19.1.0 < 19.1.3    19.1.3
meta      react-server-dom-parcel     >= 19.1.3 < 19.1.4    19.1.4
meta      react-server-dom-parcel     19.1.3 - 19.1.3       -
meta      react-server-dom-parcel     >= 19.2.0 < 19.2.2    19.2.2
meta      react-server-dom-parcel     >= 19.2.2 < 19.2.3    19.2.3
meta      react-server-dom-parcel     19.2.2 - 19.2.2       -
meta      react-server-dom-turbopack  >= 19.0.0 < 19.0.2    19.0.2
meta      react-server-dom-turbopack  >= 19.0.2 < 19.0.3    19.0.3
meta      react-server-dom-turbopack  19.0.2 - 19.0.2       -
meta      react-server-dom-turbopack  >= 19.1.0 < 19.1.3    19.1.3
meta      react-server-dom-turbopack  >= 19.1.3 < 19.1.4    19.1.4
meta      react-server-dom-turbopack  19.1.3 - 19.1.3       -
meta      react-server-dom-turbopack  >= 19.2.0 < 19.2.2    19.2.2
meta      react-server-dom-turbopack  >= 19.2.2 < 19.2.3    19.2.3
meta      react-server-dom-turbopack  19.2.2 - 19.2.2       -
meta      react-server-dom-webpack    >= 19.0.0 < 19.0.2    19.0.2

Detection & IOCs (extracted from sources)

  • CVE-2025-55184 is triggered by sending a crafted HTTP request to a Server Function endpoint; the vulnerable code unsafely deserializes payloads from HTTP requests, causing an infinite loop that hangs the server process
  • CVE-2025-55184 requires no authentication; any pre-authentication HTTP request to a Server Function endpoint with a malicious payload can trigger the DoS condition
  • Monitor for server processes hanging or becoming unresponsive after receiving HTTP POST requests to Server Function endpoints, which is the observable impact of successful exploitation
  • CVE-2025-67779 tracks an incomplete fix for CVE-2025-55184; versions 19.0.2, 19.1.3, and 19.2.2 remain vulnerable, and only 19.2.3 fully remediates the DoS
  • To prevent DoS impacts due to CVE-2025-55184 and CVE-2025-67779, patch to 19.2.3; the 19.2.2 patch was found to be insufficient
  • Affected packages are react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack at versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1; the next package and @vitejs/plugin-rsc are also listed as affected
  • CVE-2025-55184 does NOT allow remote code execution; it is limited to a denial-of-service condition (infinite loop / server hang)
  • The patch for CVE-2025-55184 in versions 19.0.2, 19.1.3, and 19.2.2 was incomplete; a bypass was assigned CVE-2025-67779, requiring upgrade to 19.2.3 for full remediation

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ghsa           -        7.5    HIGH      -
osv            -        7.5    HIGH      -
vulncheck      -        7.5    HIGH      -
vendor_redhat  -        7.5    HIGH      -