CVE-2025-67779

Published: 11 Dec 2025
Source: redhat
CVSS3: 7.5
EPSS: Low

Description

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

A flaw was found in React Server Components. This vulnerability allows a denial of service via unsafe deserialization of payloads from HTTP (Hypertext Transfer Protocol) requests to Server Function endpoints. A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service. This CVE has been issued for the complete fix of CVE-2025-55184, whose initial fix was incomplete.

Report

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and did not fully prevent denial of service attacks in all payload types. A complete fix has been issued under this CVE-2025-67779.

Additionally, no Red Hat software includes the directly affected React Server Components packages (react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack). However, the reference implementation of React Server Components is used by other projects such as Next.js. The packages listed here include Next.js as a dependency, but our analysis indicates that they are not affected by the vulnerability as they do not use the App Router functionality that exposes endpoints serving the vulnerable protocol.

Affected packages

Platform                                  Package                         State          Recommendation   Release
Red Hat Enterprise Linux 10               firefox                         Not affected
Red Hat Enterprise Linux 10               thunderbird                     Not affected
Red Hat Enterprise Linux 7                firefox                         Not affected
Red Hat Enterprise Linux 8                firefox                         Not affected
Red Hat Enterprise Linux 8                thunderbird                     Not affected
Red Hat Enterprise Linux 9                dotnet7.0                       Not affected
Red Hat Enterprise Linux 9                firefox                         Not affected
Red Hat Enterprise Linux 9                thunderbird                     Not affected
Red Hat Enterprise Linux AI (RHEL AI) 3   rhelai3/bootc-cuda-rhel9        Not affected
Red Hat Enterprise Linux AI (RHEL AI) 3   rhelai3/disk-image-cuda-rhel9   Not affected


Additional information

Status: Important
Defect: CWE-502
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2421678
next: React Server Components: Denial of Service via Unsafe Deserialization

EPSS: 0.0013 (Low, percentile 32%)
CVSS3: 7.5 (High)

Related vulnerabilities

CVSS3: 7.5
nvd
3 months ago

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

CVSS3: 7.5
github
3 months ago

Denial of Service Vulnerability in React Server Components
