Denial of Service Vulnerability in React Server Components by Meta
CVE-2025-67779

7.5 HIGH

Key Information:

Badges

👾 Exploit Exists
📰 News Worthy

What is CVE-2025-67779?

A vulnerability exists in specific versions of React Server Components where an incomplete fix for a previous issue allows unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This flaw can cause an infinite loop that blocks the server process, producing a denial of service condition in which the server can no longer serve subsequent HTTP requests.

Affected Version(s)

react-server-dom-parcel 19.0.2

react-server-dom-parcel 19.1.3

react-server-dom-parcel 19.2.2

News Articles

Three New React Vulnerabilities Surface on the Heels of React2Shell

New React vulnerabilities widen the impact of React2Shell, exposing risks from RCE to DoS and source leaks. Teams must upgrade and mitigate immediately.

6 days ago

New React vulns leak secrets, invite DoS attacks

If you're running React Server Components, you just can't catch a break. In addition to already-reported flaws, newly discovered bugs allow attackers to hang vulnerable servers and potentially leak Server...

6 days ago


CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 👾 Exploit known to exist

  • 📰 First article discovered by theregister.com

  • Vulnerability published

  • Vulnerability Reserved
