PT-2025-50775 · Meta · React Server Components

Published 2025-12-11 · Updated 2025-12-14 · CVE-2025-67779

CVSS v3.1

7.5

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

React versions 19.0.2 through 19.2.2

Description

An incomplete fix for a previous issue allows a denial-of-service attack against React Server Components. Unsafe deserialization of payloads from HTTP requests to Server Function endpoints can cause an infinite loop, potentially hanging the server process and preventing it from serving future requests.

Recommendations

React version 19.2.3 contains a fix for this vulnerability. React versions 19.0.2 through 19.2.2 should be updated to version 19.2.3.

Fix

DoS

Resource Exhaustion

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2025-67779

Affected Products

React Server Components