CVE-2025-55184

Summary

A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

Affected Software

VendorProductVersion RangeStatus
Metareact-server-dom-webpack19.0.0 <= 19.0.1affected
Metareact-server-dom-webpack19.1.0 <= 19.1.2affected
Metareact-server-dom-webpack19.2.0 <= 19.2.1affected
Metareact-server-dom-turbopack19.0.0 <= 19.0.1affected
Metareact-server-dom-turbopack19.1.0 <= 19.1.2affected
Metareact-server-dom-turbopack19.2.0 <= 19.2.1affected
Metareact-server-dom-parcel19.0.0 <= 19.0.1affected
Metareact-server-dom-parcel19.1.0 <= 19.1.2affected
Metareact-server-dom-parcel19.2.0 <= 19.2.1affected

Weaknesses

  • (CWE-502) Deserialization of Untrusted Data. (CWE-400) Uncontrolled Resource Consumption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

Additional References

References