PT-2025-50723 · Meta · React Server Components

Published 2025-12-11 · Updated 2026-03-02

CVE-2025-55184

CVSS v3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions
React Server Components versions 19.0.0 through 19.2.1
react-server-dom-parcel versions 19.0.0 through 19.2.1
react-server-dom-turbopack versions 19.0.0 through 19.2.1
react-server-dom-webpack versions 19.0.0 through 19.2.1

Description
A pre-authentication denial-of-service issue exists in React Server Components. The vulnerable code unsafely deserializes payloads from HTTP requests sent to Server Function endpoints, which can cause an infinite loop that hangs the server process and disrupts service. This can lead to server crashes or high CPU usage. The issue affects all versions handling React Server Component requests.

Recommendations
Update to React Server Components version 19.0.2 or later.
Update to react-server-dom-parcel version 19.0.2 or later.
Update to react-server-dom-turbopack version 19.0.2 or later.
Update to react-server-dom-webpack version 19.0.2 or later.

Exploit · Fix · DoS · RCE · Resource Exhaustion · Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2025-55184
GHSA-2M3V-V2M8-Q956

Affected Products

React Server Components