Pre-authentication Denial of Service Vulnerability in React Server Components
CVE-2025-55184

7.5 HIGH

Key Information:

Badges

🥇 Trended No. 1 · 📈 Trended · 📈 Score: 27,900 · 👾 Exploit Exists · 🟡 Public PoC · 🟣 EPSS 17% · 📰 News Worthy

What is CVE-2025-55184?

CVE-2025-55184 is a pre-authentication denial of service (DoS) vulnerability identified in React Server Components, a technology developed by Meta for building server-rendered web applications efficiently. This vulnerability affects multiple versions of the software, specifically 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1, as well as associated packages like react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The flaw arises from the insecure deserialization of HTTP request payloads directed at Server Function endpoints, which can lead to an infinite loop. This looping behavior may hang the server process, effectively preventing it from handling future HTTP requests. Such an outage can have serious ramifications for organizations relying on this technology for their web applications, disrupting user access and services.

Potential impact of CVE-2025-55184

  1. Service Disruption: Exploiting this vulnerability can lead to an infinite loop that stalls the server process, resulting in denial of service for legitimate users. This can have significant operational repercussions, particularly for organizations that depend on consistent and reliable application availability.

  2. Increased Downtime: The inability to process HTTP requests effectively means that users will encounter repeated access failures, potentially leading to increased downtime and loss of user trust. This could impact business operations and customer satisfaction significantly.

  3. Resource Drain: When a server is caught in an endless loop due to this vulnerability, it will consume system resources without performing any productive work. This can overload servers and necessitate manual intervention to restore normal operation, diverting IT resources from other critical tasks and potentially leading to longer recovery times.

Affected Version(s)

react-server-dom-parcel >= 19.0.0, <= 19.0.1

react-server-dom-parcel >= 19.1.0, <= 19.1.2

react-server-dom-parcel >= 19.2.0, <= 19.2.1
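As an added example (not from this advisory or from the React project), the following script checks a package-lock.json "packages" map against the version ranges listed above. The sample lockfile is constructed, and applying the same ranges to the turbopack and webpack packages is an assumption based on the advisory naming them alongside parcel.

```javascript
// Packages the advisory names; the parcel ranges are assumed to apply to all three.
const AFFECTED_PACKAGES = [
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
];

// Inclusive [min, max] ranges copied from the "Affected Version(s)" list above.
const AFFECTED_RANGES = [
  ["19.0.0", "19.0.1"],
  ["19.1.0", "19.1.2"],
  ["19.2.0", "19.2.1"],
];

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numbers. Prerelease tags are dropped,
// so "19.2.1-canary" compares as 19.2.1, which errs on the side of flagging.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  return AFFECTED_RANGES.some(
    ([lo, hi]) => compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0
  );
}

// Walk a lockfile v2/v3 "packages" map (keys like "node_modules/<name>",
// possibly nested) and return every entry inside an affected range.
function findVulnerable(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (AFFECTED_PACKAGES.includes(name) && meta.version && isAffected(meta.version)) {
      hits.push({ name, version: meta.version, path });
    }
  }
  return hits;
}

// Constructed sample lockfile: one hit, one version just outside the listed ranges.
const SAMPLE_LOCK = {
  packages: {
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/react-server-dom-parcel": { version: "19.1.3" },
    "node_modules/react": { version: "19.2.1" },
  },
};
console.log(findVulnerable(SAMPLE_LOCK));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; a non-empty result means the pinned version sits inside a range this advisory lists.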

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

News Articles

Critical React flaw triggers a wave of crypto wallet drainers - Cryptopolitan

SEAL Security researchers warned that a critical React flaw fueled a surge in wallet-draining attacks on crypto websites.

3 weeks ago

CVE-2025-55183 and CVE-2025-55184: New React RSC Vulnerabilities Expose Applications to Denial of Service Attacks and Source Code Leaks | SOC Prime

Explore details for CVE-2025-55183 and CVE-2025-55184, React RSC vulnerabilities enabling DoS and source disclosure, with an analysis on SOC Prime blog.

3 weeks ago

New React vulns leak secrets, invite DoS attacks

If you're running React Server Components, you just can't catch a break. In addition to already-reported flaws, newly discovered bugs allow attackers to hang vulnerable servers and potentially leak Server...

4 weeks ago

EPSS Score

17% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🥇 Vulnerability reached the number 1 worldwide trending spot

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • 📰 First article discovered by The Hacker News

  • 📈 Vulnerability started trending

  • Vulnerability published

  • Vulnerability Reserved
