PT-2025-50723 · Meta · React Server Components
Published 2025-12-11 · Updated 2026-03-22 · CVE-2025-55184
CVSS v3.1: 7.5 High (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Name of the Vulnerable Software and Affected Versions
React Server Components versions 19.0.0 through 19.2.1
react-server-dom-parcel versions 19.0.0 through 19.2.1
react-server-dom-turbopack versions 19.0.0 through 19.2.1
react-server-dom-webpack versions 19.0.0 through 19.2.1
Description
A pre-authentication denial-of-service issue exists in React Server Components. The vulnerable code unsafely deserializes payloads from HTTP requests sent to Server Function endpoints, which can cause an infinite loop that hangs the server process and disrupts service. This can lead to server crashes or high CPU usage. The issue affects all versions handling React Server Component requests.
Recommendations
Update to React Server Components version 19.0.2 or later.
Update to react-server-dom-parcel version 19.0.2 or later.
Update to react-server-dom-turbopack version 19.0.2 or later.
Update to react-server-dom-webpack version 19.0.2 or later.
Exploit
Fix
RCE
DoS
Resource Exhaustion
Deserialization of Untrusted Data
Related Identifiers
Affected Products
React Server Components