CVE-2025-67779
Published 2025-12-12
Priority: P3 (57) · Severity: high · CVSS 3.1 base score: 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 18.88% (96.9th percentile)
It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
Affected (32 ranges; entries with a version range are listed below)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| meta | react-server-dom-parcel | >= 19.0.2 < 19.0.3 | 19.0.3 |
| meta | react-server-dom-parcel | >= 19.1.3 < 19.1.4 | 19.1.4 |
| meta | react-server-dom-parcel | >= 19.2.2 < 19.2.3 | 19.2.3 |
| meta | react-server-dom-turbopack | >= 19.0.2 < 19.0.3 | 19.0.3 |
| meta | react-server-dom-turbopack | >= 19.1.3 < 19.1.4 | 19.1.4 |
| meta | react-server-dom-turbopack | >= 19.2.2 < 19.2.3 | 19.2.3 |
| meta | react-server-dom-webpack | >= 19.0.2 < 19.0.3 | 19.0.3 |
| meta | react-server-dom-webpack | >= 19.1.3 < 19.1.4 | 19.1.4 |
| meta | react-server-dom-webpack | >= 19.2.2 < 19.2.3 | 19.2.3 |
| next | next | >= 13.3.1-canary.0 < 14.2.35 | 14.2.35 |
| next | next | >= 15.0.6 < 15.0.7 | 15.0.7 |
| next | next | >= 15.1.10 < 15.1.11 | 15.1.11 |
| next | next | >= 15.2.7 < 15.2.8 | 15.2.8 |
| next | next | >= 15.3.7 < 15.3.8 | 15.3.8 |
| next | next | >= 15.4.9 < 15.4.10 | 15.4.10 |
| next | next | >= 15.5.8 < 15.5.9 | 15.5.9 |
| next | next | >= 15.6.0-canary.59 < 15.6.0-canary.60 | 15.6.0-canary.60 |
| next | next | >= 16.0.9 < 16.0.10 | 16.0.10 |
| next | next | >= 16.1.0-canary.17 < 16.1.0-canary.19 | 16.1.0-canary.19 |
| vercel | next.js | >= 13.3.0 < 14.2.35 | 14.2.35 |
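To turn the table above into something you can run, here is an added example (written for this page, not code from React, Vercel or the aggregator) that scans an npm `package-lock.json` offline for the affected `react-server-dom-*` and `next` ranges listed above. The sample lockfile, the versions in it and the helper names `compareVersions`, `findAffectedRange` and `scanLockfile` are constructed for the example; the ranges are copied from the table, using the wider `>= 13.3.0` lower bound for the 13.x/14.x Next.js line. The `react` package itself is deliberately not matched, because the vulnerable code ships in the `react-server-dom-*` packages, and the scan walks nested `node_modules` paths since a lockfile can carry several copies of a package.

```javascript
// Added example: offline check of an npm lockfile against the CVE-2025-67779
// affected ranges from the table above. Not code from React, Vercel or the
// aggregator; helper names and the sample lockfile are constructed here.

// [introduced, fixed) pairs per package, copied from the Affected table.
const RSC_RANGES = [['19.0.2', '19.0.3'], ['19.1.3', '19.1.4'], ['19.2.2', '19.2.3']];
const AFFECTED = {
  'react-server-dom-webpack': RSC_RANGES,
  'react-server-dom-parcel': RSC_RANGES,
  'react-server-dom-turbopack': RSC_RANGES,
  next: [
    ['13.3.0', '14.2.35'],              // wider of the two listed 13.x/14.x bounds
    ['15.0.6', '15.0.7'], ['15.1.10', '15.1.11'], ['15.2.7', '15.2.8'],
    ['15.3.7', '15.3.8'], ['15.4.9', '15.4.10'], ['15.5.8', '15.5.9'],
    ['15.6.0-canary.59', '15.6.0-canary.60'],
    ['16.0.9', '16.0.10'], ['16.1.0-canary.17', '16.1.0-canary.19'],
  ],
};

// Minimal semver parser: major.minor.patch plus optional prerelease identifiers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { main: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}

// Semver precedence: numeric core first; a prerelease sorts before the plain
// release; numeric identifiers before alphanumeric; shorter identifier list first.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.main[i] !== y.main[i]) return x.main[i] < y.main[i] ? -1 : 1;
  }
  if (x.pre.length === 0 || y.pre.length === 0) {
    return x.pre.length === y.pre.length ? 0 : (x.pre.length === 0 ? 1 : -1);
  }
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    if (i >= x.pre.length) return -1;
    if (i >= y.pre.length) return 1;
    const p = x.pre[i], q = y.pre[i];
    const pNum = /^\d+$/.test(p), qNum = /^\d+$/.test(q);
    if (pNum && qNum) { if (Number(p) !== Number(q)) return Number(p) < Number(q) ? -1 : 1; }
    else if (pNum !== qNum) return pNum ? -1 : 1;
    else if (p !== q) return p < q ? -1 : 1;
  }
  return 0;
}

// Returns the matching { introduced, fixed } range, or null when not affected.
function findAffectedRange(pkg, version) {
  for (const [introduced, fixed] of AFFECTED[pkg] || []) {
    if (compareVersions(version, introduced) >= 0 && compareVersions(version, fixed) < 0) {
      return { introduced, fixed };
    }
  }
  return null;
}

// Walks every entry of a lockfileVersion 2/3 "packages" map, including nested
// copies such as node_modules/tool/node_modules/next, and reports affected ones.
function scanLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !entry.version) continue;             // root project or link entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const hit = findAffectedRange(name, entry.version);
    if (hit) findings.push({ path, name, version: entry.version, fixed: hit.fixed });
  }
  return findings;
}

// Constructed sample lockfile (not from any real project).
const SAMPLE_LOCKFILE = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { next: '15.5.8' } },
    'node_modules/next': { version: '15.5.8' },                          // affected
    'node_modules/react': { version: '19.2.0' },                         // not a vulnerable package
    'node_modules/react-server-dom-webpack': { version: '19.2.2' },      // affected
    'node_modules/react-server-dom-turbopack': { version: '19.2.3' },    // already fixed
    'node_modules/some-tool/node_modules/next': { version: '14.2.35' },  // nested copy, fixed
  },
});

for (const f of scanLockfile(SAMPLE_LOCKFILE)) {
  console.log(`${f.path}: ${f.name}@${f.version} is affected, upgrade to ${f.fixed}`);
}
```

Swap in your own lockfile contents and anything reported needs the listed fixed version or later. Because the check needs no registry access, the same function can be run against a lockfile copied out of a built container image.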
CVSS provenance
- NVD: CVSS 3.1 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
- GHSA: 7.5 HIGH
- OSV: 7.5 HIGH
- Red Hat: 7.5 HIGH
GHSA: Denial of Service Vulnerability in React Server Components
ghsa · 2025-12-12 · CVSS 7.5 · CVE-2025-67779 [HIGH] · CWE-400
## Impact
It was found that the fix to address [CVE-2025-55184](https://github.com/facebook/react/security/advisories/GHSA-2m3v-v2m8-q956) in React Server Components was incomplete and does not prevent a denial of service attack in a specific case.
We recommend updating immediately.
The vulnerability exists in versions 19.0.2, 19.1.3, and 19.2.2 of:
- [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)
- [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)
- [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)
These vulnerable versions are the patches published on December 11th, 2025 (the releases that fixed CVE-2025-55184).
## Patches
Fixes were backported to 19.0.3, 19.1.4 and 19.2.3.
GHSA: Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up
ghsa · 2025-12-12 · CVSS 7.5 · CVE-2025-55184 [HIGH] · CWE-1395
It was discovered that the fix for [CVE-2025-55184](https://github.com/advisories/GHSA-2m3v-v2m8-q956) in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.
This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779).
A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop.
OSV: mirrors the two GHSA advisories above (osv · 2025-12-12 · CVSS 7.5 for each).
Red Hat: next: React Server Components: Denial of Service via Unsafe Deserialization
vendor_redhat · 2025-12-11 · CVSS 7.5 · CVE-2025-67779 [HIGH] · CWE-502
A flaw was found in React Server Components. This vulnerability allows a denial of service via unsafe deserialization of payloads from HTTP requests to Server Function endpoints. A malicious HTTP request can be crafted and sent to any App Router
No detection rules found.
No public exploits indexed.
Mandiant: Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)
blogs_mandiant · 2025-12-12 · CVSS 10.0 · CVE-2025-55182 [CRITICAL]
Google Threat Intelligence Group, December 12, 2025. Written by: Aragorn Tseng, Robert Weiner, Casey Charrier, Zander Work, Genevieve Stark, Austin Larsen
## Introduction
On Dec. 3, 2025, a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components, tracked as CVE-2025-55182 (aka "React2Shell"), was publicly disclosed. Shortly after disclosure, Google Threat Intelligence Group (GTIG) began observing widespread exploitation across many threat clusters, ranging from opportunistic cyber crime actors to suspected espionage groups.
GTIG has identified distinct campaigns leveraging this vulnerability to deploy a MINOCAT
Wiz: CVE-2025-67779 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 7.5 · CVE-2025-67779 [HIGH] · React Server Components vulnerability analysis and mitigation
- Score: 7.5 (source: NVD), severity HIGH, CNA score 7.5
- Published: December 12, 2025
- High-profile vulnerability: Yes
- Affected technologies: React Server Components, Next.js
- Has public exploit: No
- Has CISA KEV exploit: No (CISA KEV release date N/A)
Wiz: GHSA-c6m7-q6pr-c64r Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 5.3 · [MEDIUM] · Vite RSC Plugin vulnerability analysis and mitigation
## Impact
Packages named: @vitejs/plugin-rsc, react-server-dom-webpack
## Patches
@vitejs/plugin-rsc (patched version not shown on this page)
- Score: 5.3 (source: NVD), severity MEDIUM, CNA score N/A
- Published: December 12, 2025
- Affected technologies: Vite RSC Plugin; affected packages: @vitejs/plugin-rsc
- Has public exploit: No; has CISA KEV exploit: No (release date N/A, due date N/A)
- EPSS: N/A (percentile N/A)
- Sources: NVD; npm (severity MEDIUM, has fix, added Dec 12, 2025)
Wiz: GHSA-5j59-xgg2-r9c4 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 7.5 · CVE-2025-55184 [HIGH] · Next.js vulnerability analysis and mitigation
It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.
This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779 .
A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustaine
Wiz: CVE-2025-67489 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 5.3 · CVE-2025-67489 [MEDIUM] · Vite RSC Plugin vulnerability analysis and mitigation
@vitejs/plugin-rsc provides React Server Components (RSC) support for Vite. Versions 0.5.5 and below are vulnerable to arbitrary remote code execution on the development server through unsafe dynamic imports in server function APIs (loadServerAction, decodeReply, decodeAction) when integrated into RSC applications that expose server function endpoints. Attackers with network access to the development server can read/modify files, exfiltrate sensitive data (source code, environment variables, credentials), or pivot to other internal services. While this affects development servers only, the risk increases when using vite --host to expose the server on all network interfaces. This issue is fixed in version 0.5.6.
Wiz: GHSA-cpqf-f22c-r95x Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 7.5 · [HIGH] · Vite RSC Plugin vulnerability analysis and mitigation
## Impact
Packages named: @vitejs/plugin-rsc, react-server-dom-webpack
## Patches
@vitejs/plugin-rsc (patched version not shown on this page)
- Score: 7.5 (source: NVD), severity HIGH, CNA score N/A
- Published: December 12, 2025
- Affected technologies: Vite RSC Plugin; affected packages: @vitejs/plugin-rsc
- Has public exploit: No; has CISA KEV exploit: No (release date N/A, due date N/A)
- EPSS: N/A (percentile N/A)
- Sources: NVD; npm (severity HIGH, has fix, added Dec 12, 2025)
Wiz: CVE-2025-55183 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 5.3 · CVE-2025-55183 [MEDIUM] · React Server Components vulnerability analysis and mitigation
An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.
- Score: 5.3 (source: NVD), severity MEDIUM, CNA score 5.3
- Published: December 11, 2025
- High-profile vulnerability: Yes
- Affected technologies: React Server Components, Next.js
Wiz: CVE-2025-55184 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 7.5 · CVE-2025-55184 [HIGH] · React Server Components vulnerability analysis and mitigation
A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
- Score: 7.5 (source: NVD), severity HIGH, CNA score 7.5
- Published: December 11, 2025
- High-profile vulnerability: Yes
- Affected technologies: React Server Components, Next.js
- Has public exploit: Yes
- Has CISA KEV exploit: N
Wiz: CVE-2026-23864 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 7.5 · CVE-2026-23864 [HIGH] · React Server Components vulnerability analysis and mitigation
Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.
The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage, depending on the vulnerable code path being exercised, the application configuration and the application code.
Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.
- Score: 7.5 (source: NVD), severity HIGH
- Published: January 26, 2026
Wiz: CVE-2025-68155 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 7.5 · CVE-2025-68155 [HIGH] · Vite RSC Plugin vulnerability analysis and mitigation
Description not captured on this page; identifiers it names: /__vite_rsc_findSourceMapURL, @vitejs/plugin-rsc, file://, filename
- Score: 7.5 (source: NVD), severity HIGH, CNA score 7.5
- Published: December 16, 2025
- Affected technologies: Vite RSC Plugin; affected packages: @vitejs/plugin-rsc
- Has public exploit: No; has CISA KEV exploit: No (release date N/A, due date N/A)
- EPSS: 0.5 (67.7th percentile)
- Sources: NVD; npm (severity HIGH, has fix, added Dec 17, 2025)