Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
CVE-2025-55184
Good to know:
Date: December 11, 2025
A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
Severity Score
Related Resources (7)
Severity Score
Weakness Type (CWE)
Top Fix
Upgrade Version
Upgrade to version react-server-dom-webpack - 19.0.3;react-server-dom-webpack - 19.1.4;react-server-dom-webpack - 19.2.3;react-server-dom-webpack - 19.0.2;react-server-dom-webpack - 19.1.3;react-server-dom-webpack - 19.2.2;react-server-dom-parcel - 19.0.3;react-server-dom-parcel - 19.1.4;react-server-dom-parcel - 19.2.3;react-server-dom-parcel - 19.1.3;react-server-dom-parcel - 19.2.2;react-server-dom-turbopack - 19.0.3;react-server-dom-turbopack - 19.1.4;react-server-dom-turbopack - 19.2.3;react-server-dom-turbopack - 19.0.2;react-server-dom-turbopack - 19.1.3;react-server-dom-turbopack - 19.2.2;next - 16.0.7;next - 15.5.7;next - 15.4.8;next - 15.3.6;next - 15.2.6;next - 15.1.9;next - 15.0.5
CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | NONE |
| User Interaction (UI): | NONE |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | NONE |
| Integrity (I): | NONE |
| Availability (A): | HIGH |