Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2025-55184

Опубликовано: 11 дек. 2025
Источник: redhat
CVSS3: 7.5
EPSS Средний

Описание

A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

A flaw was found in React Server Components. This vulnerability allows a denial of service via unsafe deserialization of payloads from HTTP (Hypertext Transfer Protocol) requests to Server Function endpoints. A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service.

Отчет

No Red Hat software includes the directly affected React Server Components packages (react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack). However, the reference implementation of React Server Components is used by other projects such as Next.js. The packages listed here include Next.js as a dependency, but our analysis indicates that they are not affected by the vulnerability as they do not use the App Router functionality that exposes endpoints serving the vulnerable protocol.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 10firefoxNot affected
Red Hat Enterprise Linux 10thunderbirdNot affected
Red Hat Enterprise Linux 7firefoxNot affected
Red Hat Enterprise Linux 8firefoxNot affected
Red Hat Enterprise Linux 8thunderbirdNot affected
Red Hat Enterprise Linux 9dotnet7.0Not affected
Red Hat Enterprise Linux 9firefoxNot affected
Red Hat Enterprise Linux 9thunderbirdNot affected
Red Hat Enterprise Linux AI (RHEL AI) 3rhelai3/bootc-cuda-rhel9Not affected
Red Hat Enterprise Linux AI (RHEL AI) 3rhelai3/disk-image-cuda-rhel9Not affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-502
https://bugzilla.redhat.com/show_bug.cgi?id=2421588next: React Server Components: Denial of Service via unsafe HTTP deserialization

EPSS

Процентиль: 96%
0.23574
Средний

7.5 High

CVSS3

Связанные уязвимости

nvd логотип

CVE-2025-55184

CVSS3: 7.5
nvd
3 месяца назад

A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

github логотип

GHSA-2m3v-v2m8-q956

CVSS3: 7.5
github
3 месяца назад

Denial of Service Vulnerability in React Server Components

EPSS

Процентиль: 96%
0.23574
Средний

7.5 High

CVSS3