PT-2025-50723 · Meta · React Server Components

Published 2025-12-11 · Updated 2025-12-14 · CVE-2025-55184

CVSS v3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

React Server Components versions 19.0.0 through 19.2.1
react-server-dom-parcel
react-server-dom-turbopack
react-server-dom-webpack

Description

A pre-authentication denial of service issue exists in React Server Components. The vulnerable code deserializes payloads from HTTP requests to Server Function endpoints in an unsafe manner, potentially leading to an infinite loop that can hang the server process and disrupt service. Sending malicious HTTP requests to any App Router endpoint can cause server hangs and high CPU usage.

Recommendations

Update to a newer version of React Server Components to address this issue.
Update the react-server-dom-parcel package to a newer version.
Update the react-server-dom-turbopack package to a newer version.
Update the react-server-dom-webpack package to a newer version.
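To find which installs need the update, the following added example (not code from the advisory or from the React project) scans the `packages` map of an npm lockfile (v2/v3 layout) for the three packages named above and reports any version from 19.0.0 through 19.2.1. The sample lockfile, the `some-framework` package name and the version 19.9.9 are constructed for illustration.

```javascript
// Added example: flag lockfile entries inside the advisory's listed range.
const AFFECTED_PACKAGES = [
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
];
const RANGE_MIN = [19, 0, 0]; // first version listed on the page
const RANGE_MAX = [19, 2, 1]; // last version listed on the page

// "19.1.0" or "19.1.0-canary.1" -> [19, 1, 0]; null if unparseable.
// Pre-release tags are ignored, so they are judged by their core version.
function parseCore(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? m.slice(1, 4).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function inRange(core) {
  return compare(core, RANGE_MIN) >= 0 && compare(core, RANGE_MAX) <= 0;
}

// Returns one finding per in-range or unparseable entry, nested copies included.
function findAffected(lockfile) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const name = path.split("node_modules/").pop(); // handles nested installs
    if (!AFFECTED_PACKAGES.includes(name)) continue;
    const core = parseCore(entry.version);
    const status = !core ? "unknown" : inRange(core) ? "affected" : null;
    if (status) findings.push({ path, name, version: entry.version, status });
  }
  return findings;
}

// Constructed sample lockfile; real use: pass JSON.parse of package-lock.json.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/react-server-dom-webpack": { version: "19.1.0" },
  "node_modules/some-framework/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
  "node_modules/react-server-dom-parcel": { version: "19.9.9" }, // outside the listed range
  "node_modules/react": { version: "19.1.0" },
} };
console.log(findAffected(SAMPLE_LOCK));
```

A lockfile scan only sees packages installed as their own entries; a copy bundled inside another package's files does not appear and has to be checked through that package's own version.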

Fix

DoS

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2025-55184

Affected Products

React Server Components