We're informing you about two additional vulnerabilities (CVE-2025-55184 and CVE-2025-55183) identified in the React Server Components (RSC) implementation, affecting frameworks such as Next.js.

The React2Shell incident sparked community research into React Server Components, and these vulnerabilities were discovered by an external security researcher through Vercel and Meta's bug bounty program. We're grateful for this community effort.

There is no evidence these vulnerabilities have been exploited.

What we've found:

- CVE-2025-55184 (High Severity – Denial of Service): A malicious HTTP request sent to any App Router endpoint can, when deserialized, cause the server process to hang and consume CPU. This impacts all versions handling RSC requests. The initial fix was incomplete and did not fully prevent denial-of-service attacks for all payload types, resulting in CVE-2025-67779.
- CVE-2025-55183 (Medium Severity – Source Code Exposure): A malicious HTTP request sent to any App Router endpoint can return the compiled source code of Server Actions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into a Server Action's code.

What you should do:

Update your applications to the latest patched version. Even customers who have already patched against React2Shell need to upgrade to the latest version. Updates to React2Shell will continue to be posted in the React2Shell Security Bulletin.

Visit the latest Security Bulletin to learn more and for guidance on automated fixes.

We will continue to monitor for emerging risks and remain committed to transparent, timely disclosures.

- The Vercel Security Team