Next.js Security Alert: Understanding CVE-2025-55184 and CVE-2025-55183

In mid-December 2025, the Next.js ecosystem was impacted by two critical security vulnerabilities affecting the App Router and React Server Components (RSC). These issues—CVE-2025-55184 (denial of service) and CVE-2025-55183 (source code exposure)—prompted urgent advisories from Vercel, the React team, and major hosting providers.

Both vulnerabilities originate from React’s Server Components deserialization logic and affect a wide range of modern Next.js applications. If your project uses the App Router and has not been upgraded recently, it may be at risk.

---

Overview of the Newly Disclosed Next.js Vulnerabilities

The vulnerabilities were publicly disclosed around December 11–12, 2025 and impact applications built with Next.js 13 through 16 using React Server Components.

• CVE-2025-55184 — A high-severity denial-of-service (DoS) vulnerability that allows attackers to exhaust server CPU resources.

• CVE-2025-55183 — A medium-severity information disclosure bug that can expose compiled source code of Server Actions.

Both issues stem from weaknesses in how React’s Flight protocol processes malformed input when handling Server Components and Server Actions.

---

CVE-2025-55184: Denial of Service in the App Router

CVE-2025-55184 allows an attacker to send a specially crafted HTTP request to an App Router endpoint backed by React Server Components. This request can trigger a non-terminating deserialization path, causing the Node.js process to consume CPU indefinitely.

Why This Is Dangerous

• A small number of malicious requests can overwhelm server workers

• Legitimate traffic may be blocked or delayed

• Auto-scaling environments may experience unexpected resource spikes

• Platform-level request termination does not fully eliminate the impact

Even though hosting providers like Vercel and Netlify eventually terminate hung requests, the availability and performance degradation is still severe in production environments.

---

CVE-2025-55183: Server Actions Source Code Exposure

The second vulnerability affects applications using Server Actions or Server Functions within the App Router. A malformed HTTP request can cause Next.js to return compiled server-side source code instead of a standard response.

Potential Impact

• Exposure of internal business logic

• Visibility into database queries and validation rules

• Easier discovery of additional attack vectors

• Risk of leaking hardcoded secrets if present in Server Actions

Vercel strongly warns against embedding secrets directly in Server Functions, as compiled output may inline sensitive values when exposed.

---

Affected Versions and Ecosystem Scope

According to Vercel’s security bulletin, the root cause lies in React 19 packages responsible for Server Components:

• react-server-dom-webpack

• react-server-dom-parcel

• react-server-dom-turbopack

Impacted Versions

• React: 19.0.0 through 19.2.1

• Next.js: 13.x, 14.x, 15.x, and 16.x (App Router only)

Because these packages are embedded in multiple frameworks and bundlers, the impact extends beyond Next.js to other RSC-enabled tooling as well.

Additionally, an incomplete initial fix for the DoS issue resulted in a follow-up advisory (CVE-2025-67779), requiring a second round of patches.

---

How to Patch Your Next.js Application

Mitigation requires immediate upgrades to patched versions of both Next.js and React.

Recommended Actions

1. Upgrade Next.js to the latest patched release for your major version

2. Upgrade React to a secure 19.x version

3. Reinstall dependencies and regenerate lockfiles

4. Redeploy your application

5. Verify that vulnerable react-server-dom-* packages are no longer present

Vercel emphasizes that partial upgrades are not sufficient—every affected project must apply the full set of patches.

---

Platform-Specific Guidance

Vercel-Hosted Applications

• Use the Security Actions Dashboard to identify affected projects

• Redeploy with patched dependencies

• Enable deployment protection features where possible

Self-Hosted Applications

• Manually upgrade Next.js and React

• Validate build artifacts

• Confirm runtime dependency resolution

---

Hardening App Router and Server Actions

Beyond patching, this incident highlights the need for stronger defensive practices around Server Components.

Security Best Practices

• Never hardcode secrets in Server Actions

• Use environment variables and secret managers

• Apply rate limiting and WAF rules

• Monitor unusual traffic patterns

• Integrate Software Composition Analysis (SCA) into CI/CD pipelines

Treat App Router endpoints as high-risk attack surfaces, especially when handling serialized input.

---

Conclusion

The disclosure of CVE-2025-55184 and CVE-2025-55183 serves as a critical reminder that modern frameworks introduce powerful capabilities—but also new security risks. React Server Components and Next.js App Router require careful dependency management, fast patch adoption, and strong security hygiene.

If you are running a production Next.js application, upgrading immediately is not optional. Staying current with framework updates and applying layered security controls is essential to protecting your users and your business logic.