Vulnerability Description
It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| React | 19.0.2 | |
| Vercel | Next.Js | >= 13.3.0, < 14.2.35 |
Related Weaknesses (CWE)
References
- https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-Vendor Advisory
- https://www.facebook.com/security/advisories/cve-2025-67779Vendor Advisory
FAQ
What is CVE-2025-67779?
CVE-2025-67779 is a vulnerability with a CVSS score of 7.5 (HIGH). It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0....
How severe is CVE-2025-67779?
CVE-2025-67779 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-67779?
Check the references section above for vendor advisories and patch information. Affected products include: Facebook React, Vercel Next.Js.