Skip to content

[GHSA-5j59-xgg2-r9c4] Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up #6635

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
xpertforextradeinc wants to merge 2 commits into
base: xpertforextradeinc/advisory-improvement-6635
Choose a base branch
from
+2 −6
Open

[GHSA-5j59-xgg2-r9c4] Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up #6635

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
06ed6cb
Improve GHSA-5j59-xgg2-r9c4
xpertforextradeinc Jan 10, 2026
9cefa04
Improve GHSA-5j59-xgg2-r9c4
xpertforextradeinc Jan 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 2 additions & 6 deletions advisories/github-reviewed/2025/12/GHSA-5j59-xgg2-r9c4/GHSA-5j59-xgg2-r9c4.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@
{
"schema_version": "1.4.0",
"id": "GHSA-5j59-xgg2-r9c4",
"modified": "2025-12-12T17:21:58Z",
"modified": "2025-12-12T17:22:00Z",
"published": "2025-12-12T17:21:57Z",
"aliases": [],
"summary": "Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up",
"details": "It was found that the fix addressing [CVE-2025-55184](https://github.com/advisories/GHSA-2m3v-v2m8-q956) in React Server Components was incomplete and did not fully prevent denial-of-service attacks in all payload types. This affects React package versions 19.0.2, 19.1.3, and 19.2.2 and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779).\n\nA malicious HTTP request can be crafted and sent to any Server Function endpoint that, when deserialized, can enter an infinite loop within the React Server Components runtime. This can cause the server process to hang and consume CPU, resulting in denial of service in unpatched environments.",
"details": "It was discovered that the fix for [CVE-2025-55184](https://github.com/advisories/GHSA-2m3v-v2m8-q956)in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.\n\nThis vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779).\n\nA malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.",
"severity": [
{
"type": "CVSS_V3",
Expand Down Expand Up @@ -228,10 +228,6 @@
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55184"
},
{
"type": "WEB",
"url": "https://www.facebook.com/security/advisories/cve-2025-67779"
}
],
"database_specific": {
Expand Down