React Server Components pre-auth DoS <19.3 via insecure payload deserialization
CVE-2025-55184 Published on December 11, 2025
A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
Affected Versions
Meta react-server-dom-webpack:
- Version 19.0.0, <= 19.0.1 is affected.
- Version 19.1.0, <= 19.1.2 is affected.
- Version 19.2.0, <= 19.2.1 is affected.
- Version 19.0.0, <= 19.0.1 is affected.
- Version 19.1.0, <= 19.1.2 is affected.
- Version 19.2.0, <= 19.2.1 is affected.
- Version 19.0.0, <= 19.0.1 is affected.
- Version 19.1.0, <= 19.1.2 is affected.
- Version 19.2.0, <= 19.2.1 is affected.
Vulnerable Packages
The following package names and versions may be associated with CVE-2025-55184:
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| npm | react-server-dom-webpack | >= 19.2.0, < 19.2.2 | 19.2.2 |
| npm | react-server-dom-webpack | >= 19.2.2, < 19.2.3 | 19.2.3 |
| npm | next | >= 13.3.1-canary.0, < 14.2.35 | 14.2.35 |
| npm | next | >= 15.0.6, < 15.0.7 | 15.0.7 |
| npm | next | >= 15.1.10, < 15.1.11 | 15.1.11 |
| npm | next | >= 15.2.7, < 15.2.8 | 15.2.8 |
| npm | next | >= 15.3.7, < 15.3.8 | 15.3.8 |
| npm | next | >= 15.4.9, < 15.4.10 | 15.4.10 |
| npm | next | >= 15.5.8, < 15.5.9 | 15.5.9 |
| npm | next | >= 15.6.0-canary.59, < 15.6.0-canary.60 | 15.6.0-canary.60 |
| npm | next | >= 16.0.9, < 16.0.10 | 16.0.10 |
| npm | next | >= 16.1.0-canary.17, < 16.1.0-canary.19 | 16.1.0-canary.19 |
| npm | react-server-dom-parcel | >= 19.0.2, < 19.0.3 | 19.0.3 |
| npm | react-server-dom-parcel | >= 19.1.3, < 19.1.4 | 19.1.4 |
| npm | react-server-dom-parcel | >= 19.2.2, < 19.2.3 | 19.2.3 |
| npm | react-server-dom-turbopack | >= 19.0.2, < 19.0.3 | 19.0.3 |
| npm | react-server-dom-turbopack | >= 19.1.3, < 19.1.4 | 19.1.4 |
| npm | react-server-dom-turbopack | >= 19.2.2, < 19.2.3 | 19.2.3 |
| npm | react-server-dom-webpack | >= 19.0.2, < 19.0.3 | 19.0.3 |
| npm | react-server-dom-webpack | >= 19.1.3, < 19.1.4 | 19.1.4 |
| npm | react-server-dom-turbopack | >= 19.2.0, < 19.2.2 | 19.2.2 |
| npm | next | >= 13.3.0, < 14.2.34 | 14.2.34 |
| npm | next | >= 15.0.0-canary.0, < 15.0.6 | 15.0.6 |
| npm | next | >= 15.1.1-canary.0, < 15.1.10 | 15.1.10 |
| npm | next | >= 15.2.0-canary.0, < 15.2.7 | 15.2.7 |
| npm | next | >= 15.3.0-canary.0, < 15.3.7 | 15.3.7 |
| npm | next | >= 15.4.0-canary.0, < 15.4.9 | 15.4.9 |
| npm | next | >= 15.5.1-canary.0, < 15.5.8 | 15.5.8 |
| npm | next | >= 15.6.0-canary.0, < 15.6.0-canary.59 | 15.6.0-canary.59 |
| npm | next | >= 16.0.0-beta.0, < 16.0.9 | 16.0.9 |
| npm | next | >= 16.1.0-canary.0, < 16.1.0-canary.17 | 16.1.0-canary.17 |
| npm | react-server-dom-parcel | >= 19.0.0, < 19.0.2 | 19.0.2 |
| npm | react-server-dom-turbopack | >= 19.0.0, < 19.0.2 | 19.0.2 |
| npm | react-server-dom-webpack | >= 19.0.0, < 19.0.2 | 19.0.2 |
| npm | react-server-dom-parcel | >= 19.1.0, < 19.1.3 | 19.1.3 |
| npm | react-server-dom-parcel | >= 19.2.0, < 19.2.2 | 19.2.2 |
| npm | react-server-dom-turbopack | >= 19.1.0, < 19.1.3 | 19.1.3 |
| npm | react-server-dom-webpack | >= 19.1.0, < 19.1.3 | 19.1.3 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.