PT-2025-50775 · Meta · React Server Components
Published 2025-12-11 · Updated 2026-01-22 · CVE-2025-67779
CVSS v3.1: 7.5 High (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Name of the Vulnerable Software and Affected Versions
React versions 19.0.2 through 19.2.2
Description
An incomplete fix for a previous issue allows for a denial of service attack in React Server Components. Specifically, unsafe deserialization of payloads from HTTP requests to Server Function endpoints can cause an infinite loop, potentially hanging the server process and preventing it from serving future requests. This issue affects servers utilizing React Server Components. The issue can be triggered by certain payload shapes.
Recommendations
React versions 19.0.2 through 19.1.3 should be updated to version 19.2.3.
React version 19.2.2 should be updated to version 19.2.3.
Fix
DoS
Resource Exhaustion
Deserialization of Untrusted Data
Related Identifiers
Affected Products
React Server Components