CVE-2025-67779

Dec. 12, 2025, 7:16 p.m.

7.5
High

Description

The fix for CVE-2025-55184 in React Server Components was found to be incomplete: it does not prevent a denial-of-service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

Product(s) Impacted

Vendor    Product  Versions
Facebook  React    19.0.2, 19.1.3, 19.2.2
Vercel    Next.js  *, 15.6.0, 16.1.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-400
Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
CWE-502
Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a facebook react 19.0.2 / / / / / / /
a facebook react 19.1.3 / / / / / / /
a facebook react 19.2.2 / / / / / / /
a vercel next.js / / / / / node.js / /
a vercel next.js 15.6.0 - / / / node.js / /
a vercel next.js 15.6.0 canary0 / / / node.js / /
a vercel next.js 15.6.0 canary1 / / / node.js / /
a vercel next.js 15.6.0 canary10 / / / node.js / /
a vercel next.js 15.6.0 canary11 / / / node.js / /
a vercel next.js 15.6.0 canary12 / / / node.js / /
a vercel next.js 15.6.0 canary13 / / / node.js / /
a vercel next.js 15.6.0 canary14 / / / node.js / /
a vercel next.js 15.6.0 canary15 / / / node.js / /
a vercel next.js 15.6.0 canary16 / / / node.js / /
a vercel next.js 15.6.0 canary17 / / / node.js / /
a vercel next.js 15.6.0 canary18 / / / node.js / /
a vercel next.js 15.6.0 canary19 / / / node.js / /
a vercel next.js 15.6.0 canary2 / / / node.js / /
a vercel next.js 15.6.0 canary20 / / / node.js / /
a vercel next.js 15.6.0 canary21 / / / node.js / /
a vercel next.js 15.6.0 canary22 / / / node.js / /
a vercel next.js 15.6.0 canary23 / / / node.js / /
a vercel next.js 15.6.0 canary24 / / / node.js / /
a vercel next.js 15.6.0 canary25 / / / node.js / /
a vercel next.js 15.6.0 canary26 / / / node.js / /
a vercel next.js 15.6.0 canary27 / / / node.js / /
a vercel next.js 15.6.0 canary28 / / / node.js / /
a vercel next.js 15.6.0 canary29 / / / node.js / /
a vercel next.js 15.6.0 canary3 / / / node.js / /
a vercel next.js 15.6.0 canary30 / / / node.js / /
a vercel next.js 15.6.0 canary31 / / / node.js / /
a vercel next.js 15.6.0 canary32 / / / node.js / /
a vercel next.js 15.6.0 canary33 / / / node.js / /
a vercel next.js 15.6.0 canary34 / / / node.js / /
a vercel next.js 15.6.0 canary35 / / / node.js / /
a vercel next.js 15.6.0 canary36 / / / node.js / /
a vercel next.js 15.6.0 canary37 / / / node.js / /
a vercel next.js 15.6.0 canary38 / / / node.js / /
a vercel next.js 15.6.0 canary39 / / / node.js / /
a vercel next.js 15.6.0 canary4 / / / node.js / /
a vercel next.js 15.6.0 canary40 / / / node.js / /
a vercel next.js 15.6.0 canary41 / / / node.js / /
a vercel next.js 15.6.0 canary42 / / / node.js / /
a vercel next.js 15.6.0 canary43 / / / node.js / /
a vercel next.js 15.6.0 canary44 / / / node.js / /
a vercel next.js 15.6.0 canary45 / / / node.js / /
a vercel next.js 15.6.0 canary46 / / / node.js / /
a vercel next.js 15.6.0 canary47 / / / node.js / /
a vercel next.js 15.6.0 canary48 / / / node.js / /
a vercel next.js 15.6.0 canary49 / / / node.js / /
a vercel next.js 15.6.0 canary5 / / / node.js / /
a vercel next.js 15.6.0 canary50 / / / node.js / /
a vercel next.js 15.6.0 canary51 / / / node.js / /
a vercel next.js 15.6.0 canary52 / / / node.js / /
a vercel next.js 15.6.0 canary53 / / / node.js / /
a vercel next.js 15.6.0 canary54 / / / node.js / /
a vercel next.js 15.6.0 canary55 / / / node.js / /
a vercel next.js 15.6.0 canary56 / / / node.js / /
a vercel next.js 15.6.0 canary57 / / / node.js / /
a vercel next.js 15.6.0 canary58 / / / node.js / /
a vercel next.js 15.6.0 canary59 / / / node.js / /
a vercel next.js 15.6.0 canary6 / / / node.js / /
a vercel next.js 15.6.0 canary7 / / / node.js / /
a vercel next.js 15.6.0 canary8 / / / node.js / /
a vercel next.js 15.6.0 canary9 / / / node.js / /
a vercel next.js 16.1.0 - / / / node.js / /
a vercel next.js 16.1.0 canary0 / / / node.js / /
a vercel next.js 16.1.0 canary1 / / / node.js / /
a vercel next.js 16.1.0 canary10 / / / node.js / /
a vercel next.js 16.1.0 canary11 / / / node.js / /
a vercel next.js 16.1.0 canary12 / / / node.js / /
a vercel next.js 16.1.0 canary13 / / / node.js / /
a vercel next.js 16.1.0 canary14 / / / node.js / /
a vercel next.js 16.1.0 canary15 / / / node.js / /
a vercel next.js 16.1.0 canary16 / / / node.js / /
a vercel next.js 16.1.0 canary17 / / / node.js / /
a vercel next.js 16.1.0 canary18 / / / node.js / /
a vercel next.js 16.1.0 canary2 / / / node.js / /
a vercel next.js 16.1.0 canary3 / / / node.js / /
a vercel next.js 16.1.0 canary4 / / / node.js / /
a vercel next.js 16.1.0 canary5 / / / node.js / /
a vercel next.js 16.1.0 canary6 / / / node.js / /
a vercel next.js 16.1.0 canary7 / / / node.js / /
a vercel next.js 16.1.0 canary8 / / / node.js / /
a vercel next.js 16.1.0 canary9 / / / node.js / /

CVSS Score

7.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: Dec. 12, 2025, 12:15 a.m.
Last Modified: Dec. 12, 2025, 7:16 p.m.

Status: Modified

Source

cve-assign@fb.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.