CVE-2025-55184

Dec. 15, 2025, 5:15 p.m.

7.5
High

Description

A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

Product(s) Impacted

Vendor Product Versions
Facebook
  • React
  • *
Vercel
  • Next.js
  • *, 15.6.0, 16.1.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-502
Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a facebook react / / / / / / / /
a facebook react / / / / / / / /
a facebook react / / / / / / / /
a vercel next.js / / / / / node.js / /
a vercel next.js / / / / / node.js / /
a vercel next.js / / / / / node.js / /
a vercel next.js / / / / / node.js / /
a vercel next.js / / / / / node.js / /
a vercel next.js / / / / / node.js / /
a vercel next.js / / / / / node.js / /
a vercel next.js / / / / / node.js / /
a vercel next.js 15.6.0 - / / / node.js / /
a vercel next.js 15.6.0 canary0 / / / node.js / /
a vercel next.js 15.6.0 canary1 / / / node.js / /
a vercel next.js 15.6.0 canary10 / / / node.js / /
a vercel next.js 15.6.0 canary11 / / / node.js / /
a vercel next.js 15.6.0 canary12 / / / node.js / /
a vercel next.js 15.6.0 canary13 / / / node.js / /
a vercel next.js 15.6.0 canary14 / / / node.js / /
a vercel next.js 15.6.0 canary15 / / / node.js / /
a vercel next.js 15.6.0 canary16 / / / node.js / /
a vercel next.js 15.6.0 canary17 / / / node.js / /
a vercel next.js 15.6.0 canary18 / / / node.js / /
a vercel next.js 15.6.0 canary19 / / / node.js / /
a vercel next.js 15.6.0 canary2 / / / node.js / /
a vercel next.js 15.6.0 canary20 / / / node.js / /
a vercel next.js 15.6.0 canary21 / / / node.js / /
a vercel next.js 15.6.0 canary22 / / / node.js / /
a vercel next.js 15.6.0 canary23 / / / node.js / /
a vercel next.js 15.6.0 canary24 / / / node.js / /
a vercel next.js 15.6.0 canary25 / / / node.js / /
a vercel next.js 15.6.0 canary26 / / / node.js / /
a vercel next.js 15.6.0 canary27 / / / node.js / /
a vercel next.js 15.6.0 canary28 / / / node.js / /
a vercel next.js 15.6.0 canary29 / / / node.js / /
a vercel next.js 15.6.0 canary3 / / / node.js / /
a vercel next.js 15.6.0 canary30 / / / node.js / /
a vercel next.js 15.6.0 canary31 / / / node.js / /
a vercel next.js 15.6.0 canary32 / / / node.js / /
a vercel next.js 15.6.0 canary33 / / / node.js / /
a vercel next.js 15.6.0 canary34 / / / node.js / /
a vercel next.js 15.6.0 canary35 / / / node.js / /
a vercel next.js 15.6.0 canary36 / / / node.js / /
a vercel next.js 15.6.0 canary37 / / / node.js / /
a vercel next.js 15.6.0 canary38 / / / node.js / /
a vercel next.js 15.6.0 canary39 / / / node.js / /
a vercel next.js 15.6.0 canary4 / / / node.js / /
a vercel next.js 15.6.0 canary40 / / / node.js / /
a vercel next.js 15.6.0 canary41 / / / node.js / /
a vercel next.js 15.6.0 canary42 / / / node.js / /
a vercel next.js 15.6.0 canary43 / / / node.js / /
a vercel next.js 15.6.0 canary44 / / / node.js / /
a vercel next.js 15.6.0 canary45 / / / node.js / /
a vercel next.js 15.6.0 canary46 / / / node.js / /
a vercel next.js 15.6.0 canary47 / / / node.js / /
a vercel next.js 15.6.0 canary48 / / / node.js / /
a vercel next.js 15.6.0 canary49 / / / node.js / /
a vercel next.js 15.6.0 canary5 / / / node.js / /
a vercel next.js 15.6.0 canary50 / / / node.js / /
a vercel next.js 15.6.0 canary51 / / / node.js / /
a vercel next.js 15.6.0 canary52 / / / node.js / /
a vercel next.js 15.6.0 canary53 / / / node.js / /
a vercel next.js 15.6.0 canary54 / / / node.js / /
a vercel next.js 15.6.0 canary55 / / / node.js / /
a vercel next.js 15.6.0 canary56 / / / node.js / /
a vercel next.js 15.6.0 canary57 / / / node.js / /
a vercel next.js 15.6.0 canary58 / / / node.js / /
a vercel next.js 15.6.0 canary59 / / / node.js / /
a vercel next.js 15.6.0 canary6 / / / node.js / /
a vercel next.js 15.6.0 canary7 / / / node.js / /
a vercel next.js 15.6.0 canary8 / / / node.js / /
a vercel next.js 15.6.0 canary9 / / / node.js / /
a vercel next.js 16.1.0 - / / / node.js / /
a vercel next.js 16.1.0 canary0 / / / node.js / /
a vercel next.js 16.1.0 canary1 / / / node.js / /
a vercel next.js 16.1.0 canary10 / / / node.js / /
a vercel next.js 16.1.0 canary11 / / / node.js / /
a vercel next.js 16.1.0 canary12 / / / node.js / /
a vercel next.js 16.1.0 canary13 / / / node.js / /
a vercel next.js 16.1.0 canary14 / / / node.js / /
a vercel next.js 16.1.0 canary15 / / / node.js / /
a vercel next.js 16.1.0 canary16 / / / node.js / /
a vercel next.js 16.1.0 canary17 / / / node.js / /
a vercel next.js 16.1.0 canary18 / / / node.js / /
a vercel next.js 16.1.0 canary2 / / / node.js / /
a vercel next.js 16.1.0 canary3 / / / node.js / /
a vercel next.js 16.1.0 canary4 / / / node.js / /
a vercel next.js 16.1.0 canary5 / / / node.js / /
a vercel next.js 16.1.0 canary6 / / / node.js / /
a vercel next.js 16.1.0 canary7 / / / node.js / /
a vercel next.js 16.1.0 canary8 / / / node.js / /
a vercel next.js 16.1.0 canary9 / / / node.js / /

References

https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
https://www.facebook.com/security/advisories/cve-2025-55184
https://github.com/KingHacker353/CVE-2025-55184

Tags

cve-assign@fb.com
2025-12-11
CVE-2025-55184

CVSS Score

7.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    View Vector String

Timeline

Published: Dec. 11, 2025, 8:16 p.m.
Last Modified: Dec. 15, 2025, 5:15 p.m.

Status : Modified

Source

cve-assign@fb.com

Relations

Here is the list of observables linked to the vulnerability CVE-2025-55184 using threat intelligence.

  • ANGRYREBEL.LINUX
  • HISONIC
  • SNOWLIGHT
  • XMRig
  • MINOCAT
  • COMPOOD

Linked Attack Reports

Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)

A critical remote code execution vulnerability in React Server Components, CVE-2025-55182, has been widely exploited by various threat actors. China-nexus espionage groups and financially motivated actors have been observed leveraging this vulnerability to deploy malware such as MINOCAT tunneler, S…
remote code execution
CVE-2025-55182
react2shell
2025-12-13
Published: December 13, 2025
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0), CVE-2025-66478, CVE-2025-55184 (CVSS 7.5), CVE-2025-55183 (CVSS 5.3), CVE-2025-67779 (CVSS 7.5)
Downloadable IOCs: 7

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.