CVE-2025-55184

high

Description

A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

https://cyberscoop.com/react2shell-vulnerability-fallout-spreads/

https://www.theregister.com/2025/12/15/react2shell_flaw_china_iran/

https://www.securityweek.com/google-sees-5-chinese-groups-exploiting-react2shell-for-malware-delivery/

https://www.databreachtoday.com/nation-state-cybercrime-exploits-tied-to-react2shell-a-30285

https://www.theregister.com/2025/12/12/new_react_secretleak_bugs/

https://thehackernews.com/2025/12/new-react-rsc-vulnerabilities-enable.html

https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components

https://nextjs.org/blog/security-update-2025-12-11

https://www.facebook.com/security/advisories/cve-2025-55184

https://github.com/KingHacker353/CVE-2025-55184

Details

Source: Mitre, NVD

Published: 2025-12-11

Updated: 2025-12-15

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High

EPSS

EPSS: 0.15783

Vulnerability Watch

Tenable Research has classified this CVE under the following Vulnerability Watch classification, which includes active and historical (inactive) classifications. You can learn more about these classifications on our blog.

Vulnerability Being Monitored

Detections

Analytics