Home

Description

A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

PUBLISHED Reserved 2025-08-08 | Published 2025-12-11 | Updated 2025-12-15 | Assigner Meta




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

(CWE-502) Deserialization of Untrusted Data. (CWE-400) Uncontrolled Resource Consumption

Product status

Default status
unaffected

19.0.0 (semver)
affected

19.1.0 (semver)
affected

19.2.0 (semver)
affected

Default status
unaffected

19.0.0 (semver)
affected

19.1.0 (semver)
affected

19.2.0 (semver)
affected

Default status
unaffected

19.0.0 (semver)
affected

19.1.0 (semver)
affected

19.2.0 (semver)
affected

References

github.com/KingHacker353/CVE-2025-55184 exploit

www.facebook.com/security/advisories/cve-2025-55184

react.dev/...source-code-exposure-in-react-server-components

cve.org (CVE-2025-55184)

nvd.nist.gov (CVE-2025-55184)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.