Denial-of-Service Vulnerability in React Server Components (CVE-2025-55184)
A denial-of-service (DoS) vulnerability, tracked as CVE-2025-55184, has been identified in React Server Components (RSC) affecting versions 19.0.0 through 19.2.1 and related packages such as react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The flaw arises from unsafe deserialization of payloads in the React Flight protocol, allowing specially crafted HTTP requests to trigger infinite loops or hung server states, rendering affected applications unresponsive. This issue is particularly relevant for applications using Next.js App Router or other RSC-enabled frameworks. The vulnerability is distinct from the earlier React2Shell (CVE-2025-55182) RCE but shares the same deserialization layer, and an incomplete initial patch led to a follow-up vulnerability, CVE-2025-67779, requiring further updates.
Security advisories confirm that F5 products are not directly affected by CVE-2025-55184, but F5's WAF solutions can be used to mitigate the impact for organizations using vulnerable backend applications. Remediation steps include upgrading to the latest patched versions of React and Next.js, ensuring all related vulnerabilities are addressed, and rescanning for follow-up CVEs. Organizations are advised not to rely solely on early patches and to validate that all vulnerable RSC packages and serialization paths are fully remediated to prevent exploitation of this DoS flaw.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Aikido publishes technical analysis of React and Next.js DoS flaw
Aikido published an explainer describing CVE-2025-55184 as a denial-of-service vulnerability affecting React and Next.js. The post provided public technical context about the flaw after the initial advisory.
F5 publishes advisory for React vulnerability CVE-2025-55184
F5 issued product advisory K000158154 covering the React framework vulnerability tracked as CVE-2025-55184. This marks a public vendor disclosure of the issue and its relevance to F5 customers.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Denial-of-Service and Source Code Exposure Vulnerabilities in React Server Components
Multiple vulnerabilities have been identified in React Server Components (RSC), specifically CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779, affecting several versions of `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack`. These vulnerabilities, discovered following the React2Shell incident, include a high-severity denial-of-service (DoS) flaw (CVE-2025-55184) caused by unsafe deserialization of structured input in the RSC Flight protocol, which can be exploited by sending specially crafted requests that trigger infinite loops or event-loop lockups on the server. The vulnerabilities also raise concerns about potential source code exposure and highlight the risk of residual flaws being discovered after major disclosures. The React Foundation has issued advisories and patches for affected versions, and the Canadian Centre for Cyber Security has urged administrators to update impacted libraries and frameworks, including popular tools such as Next.js, Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodSDK, and Waku. No public exploits are currently available, but the vulnerabilities have a higher-than-average likelihood of exploitation, emphasizing the importance of prompt remediation and ongoing vigilance for follow-on issues after initial vulnerability disclosures.
Mar 21, 2026
High-severity DoS in React Server Components (CVE-2026-23864) with incomplete prior fixes
**React** maintainers disclosed that earlier mitigations for denial-of-service issues in **React Server Components** were **incomplete**, leaving multiple DoS conditions still exploitable as **CVE-2026-23864** (CVSS **7.5**). The issue affects the `react-server-dom-*` packages used by bundlers—`react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack`—across versions **19.0.0–19.2.3**. An attacker can send **specially crafted HTTP requests** to **Server Function endpoints** to drive resource exhaustion, potentially causing **server crashes**, **out-of-memory** conditions, or **excessive CPU usage**; applications that do not use a server-side React Server Components/Server Functions setup (e.g., purely client-side SPAs) are not impacted. **Vercel** reported the vulnerabilities were responsibly disclosed and emphasized they **do not enable RCE**, but can still materially impact availability for affected deployments, including those using **Next.js** and other frameworks/bundlers that embed React Server Components. Vercel deployed new **WAF rules** to provide automatic mitigation for projects hosted on its platform, while warning that WAF protections are not a substitute for patching. Recommended remediation is to upgrade to patched releases: **React** `19.0.4`, `19.1.5`, `19.2.4`, and updated downstream framework versions (including multiple **Next.js** fixed releases) as provided by maintainers.
Mar 21, 2026Denial-of-Service and Source Code Exposure Vulnerabilities in React Server Components
Security researchers have identified three new vulnerabilities in React Server Components (RSC) following the recent patch for the critical React2Shell exploit. These flaws include two high-severity Denial-of-Service (DoS) vulnerabilities (CVE-2025-55184 and CVE-2025-67779) and a medium-severity Source Code Exposure vulnerability (CVE-2025-55183). The DoS vulnerabilities allow attackers to send malicious HTTP requests to Server Function endpoints, triggering infinite loops that hang the server and exhaust CPU resources, effectively taking applications offline. The source code exposure flaw enables attackers to craft HTTP requests that can leak the source code of server functions, potentially exposing hardcoded secrets or sensitive logic, though runtime secrets remain protected. The affected packages are `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack`, impacting React versions 19.0.0 through 19.2.2 and frameworks such as Next.js, Waku, and React Router. Initial patches released for these vulnerabilities were incomplete, necessitating immediate upgrades to versions 19.0.3, 19.1.4, and 19.2.3 to ensure full protection. The vulnerabilities were discovered by security researchers during attempts to bypass previous mitigations, highlighting the importance of rapid patch adoption and ongoing scrutiny of critical code paths after major disclosures. Users are strongly advised to update affected packages and monitor official channels for further security updates.
Mar 21, 2026