PT-2025-50723 · Meta · React Server Components

Published 2025-12-11 · Updated 2026-01-24 · CVE-2025-55184

CVSS v3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
React Server Components versions 19.0.0 through 19.2.1
react-server-dom-parcel
react-server-dom-turbopack
react-server-dom-webpack

Description
A pre-authentication denial-of-service issue exists due to unsafe deserialization of payloads from HTTP requests to Server Function endpoints. Deserializing a malicious payload can lead to an infinite loop, causing the server process to hang with high CPU usage and potentially preventing further HTTP requests from being served. The issue affects applications that use React Server Components and can be triggered by sending malicious HTTP requests to any App Router endpoint. No authentication is required for exploitation.

Recommendations
Update to a newer version that contains a fix for this vulnerability.
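
To find which installed copies fall in the range listed above, the following added example (not code from React or from this advisory) walks a parsed package-lock.json, including nested copies, and flags the three named packages. The sample lockfile is constructed, and the range bounds are taken from this page as written.

```javascript
const AFFECTED_PACKAGES = [
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
];
const RANGE_MIN = [19, 0, 0]; // first affected version listed on this page
const RANGE_MAX = [19, 2, 1]; // last affected version listed on this page

// Constructed sample in package-lock.json v3 shape; paths and versions are illustrative.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-server-dom-webpack": { version: "19.1.0" },
    "node_modules/some-framework/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/react-server-dom-parcel": { version: "19.2.3" },
    "node_modules/legacy-tool/node_modules/react-server-dom-webpack": { version: "18.3.1" },
  },
};

function compareCore(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns true/false, or null when the version string cannot be parsed.
function inAffectedRange(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(version));
  if (!m) return null;
  const core = [Number(m[1]), Number(m[2]), Number(m[3])];
  // A prerelease of 19.0.0 sorts before 19.0.0 in semver, so it is below the range.
  if (m[4] && compareCore(core, RANGE_MIN) === 0) return false;
  return compareCore(core, RANGE_MIN) >= 0 && compareCore(core, RANGE_MAX) <= 0;
}

// Walks every installed copy, including nested ones under other packages.
function findAffected(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!AFFECTED_PACKAGES.includes(name)) continue;
    const hit = inAffectedRange(meta.version);
    if (hit === false) continue;
    findings.push({ path, version: meta.version, status: hit ? "affected" : "unparsed" });
  }
  return findings;
}
console.log(findAffected(SAMPLE_LOCK));
```

A lockfile scan only sees packages installed by name; a copy bundled inside a framework's own build does not appear in it and has to be checked through that framework's version.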

Exploit · Fix · DoS · RCE · Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers: CVE-2025-55184

Affected Products: React Server Components