Next Vulnerable to Denial of Service with Server Components

GHSA-mwv6-3258-q52c

Published Dec 11, 2025 · Modified Feb 4, 2026

Description

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

References

WEB https://github.com/vercel/next.js/security/advisories/GHSA-mwv6-3258-q52c
PACKAGE https://github.com/vercel/next.js
WEB https://nextjs.org/blog/security-update-2025-12-11
WEB https://www.cve.org/CVERecord?id=CVE-2025-55184

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes