Aikido

React & Next.js DoS Vulnerability (CVE-2025-55184): What You Need to Fix After React2Shell

Mackenzie Jackson

Key Takeaways

  • CVE-2025-55184 is a denial-of-service (DoS) vulnerability in React Server Components (RSC), not a remote code execution flaw.

  • The issue is closely related to React2Shell (CVE-2025-55182) and originates from the same React Flight protocol deserialization layer.

  • Aikido already detects CVE-2025-55184 and provides an in-app checklist to help teams verify whether they’re actually exposed and fully remediated.

  • A specially crafted request can trigger an infinite loop or hung state, making affected servers unresponsive.

  • An incomplete initial patch led to a follow-up vulnerability, CVE-2025-67779, meaning some teams must upgrade again.

  • Most impacted applications use Next.js App Router or other RSC-enabled frameworks.

TL;DR: Are You Still at Risk?

If you upgraded only to address CVE-2025-55182 (React2Shell), you may still be vulnerable.

CVE-2025-55184 affects adjacent RSC code paths and can allow attackers to take your app offline, even without gaining code execution. You should ensure you’re running the latest patched React and Next.js versions, including fixes for the follow-up CVE-2025-67779.

Remediation Steps

1. Upgrade React and RSC Packages

Ensure you are running the latest patched React releases that fully address both the RCE and DoS issues in the Flight protocol deserialization logic.

2. Upgrade Next.js and RSC Frameworks

  • Next.js users should upgrade to the latest patched release in their major version line.

  • Apps using the App Router or Server Functions are the most exposed.

  • Avoid relying on early post-React2Shell patches alone, as some were incomplete.

3. Re-scan for Follow-Up CVEs

Because CVE-2025-55184’s initial fix was incomplete, you must confirm that:

  • CVE-2025-67779 is also remediated

  • No vulnerable transitive RSC dependencies remain

4. Validate With Aikido

Run a fresh scan to verify:

  • Vulnerable RSC packages are fully removed

  • Affected serialization paths are no longer reachable

  • Your upgrade actually eliminates runtime exposure, not just the dependency flag
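Step 3 above asks you to confirm that no vulnerable transitive RSC dependencies remain, which a top-level `package.json` check does not show. The following script is an added example, not Aikido's scanner or any React/Next.js tooling: it walks a `package-lock.json` (lockfile v2/v3) and reports every installed copy of the React, `react-server-dom-*` and Next.js packages, nested copies included, that is older than a required version. The sample lockfile is constructed, and the minimum versions are placeholders to be replaced with the fixed versions from the CVE-2025-55184 and CVE-2025-67779 advisories.

```python
"""Find every installed copy of the RSC/Flight runtime packages in a
package-lock.json, including nested (transitive) copies, and flag any
copy below a required version.

Usage: python rsc_lock_audit.py path/to/package-lock.json
"""
import json
import re
import sys

# Packages whose server-side Flight handling is the affected code path
# (react-server-dom-* are the per-bundler RSC server packages).
RSC_PACKAGES = {"react", "react-dom", "next", "react-server-dom-webpack",
                "react-server-dom-turbopack", "react-server-dom-parcel"}

# PLACEHOLDER values: take the real fixed versions from the advisories.
PLACEHOLDER_MINIMUMS = {name: "19.2.1" for name in RSC_PACKAGES}
PLACEHOLDER_MINIMUMS["next"] = "15.5.7"

# Constructed sample: top-level packages are current, but a UI library
# still ships its own, older react-server-dom-webpack underneath it.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "example-app"},
    "node_modules/react": {"version": "19.2.1"},
    "node_modules/react-dom": {"version": "19.2.1"},
    "node_modules/next": {"version": "15.5.7"},
    "node_modules/react-server-dom-webpack": {"version": "19.2.1"},
    "node_modules/some-ui-kit": {"version": "2.0.0"},
    "node_modules/some-ui-kit/node_modules/react-server-dom-webpack":
        {"version": "19.0.0"},
}}

def parse_version(v):
    """'19.1.2' -> comparable tuple; a prerelease such as
    '15.1.0-canary.3' sorts below the matching release."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:-(.+))?", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")

def installed_rsc_packages(lock):
    """Map package name -> [(install path, version)] for every copy."""
    found = {}
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]  # "" is the root project
        if path and name in RSC_PACKAGES and "version" in meta:
            found.setdefault(name, []).append((path, meta["version"]))
    return found

def below_minimum(lock, minimums):
    """Return sorted [(path, name, version, required)] for stale copies."""
    bad = []
    for name, copies in installed_rsc_packages(lock).items():
        for path, version in copies:
            required = minimums.get(name)
            if required and parse_version(version) < parse_version(required):
                bad.append((path, name, version, required))
    return sorted(bad)

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for path, name, version, required in below_minimum(lock, PLACEHOLDER_MINIMUMS):
        print(f"{path}: {name}@{version} is below required {required}")
```

Run it against each deployable app's lockfile after upgrading; a clean run means every copy meets the minimum you supplied, not that the versions you chose are the right ones.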

Background

On December 3rd the React ecosystem was rocked by a critical remote code execution vulnerability in React Server Components, CVE-2025-55182, widely dubbed React2Shell. In our previous blog, we explored how unsafe deserialization in the RSC “Flight” protocol allowed unauthenticated attackers to send crafted HTTP requests that could lead to full server takeover in default React/Next.js apps. 

Since then, as the industry rushed to patch and protect against 55182, additional weaknesses were uncovered in adjacent code paths, leading to new security advisories and CVEs. One of these is CVE-2025-55184, which, while not a remote code execution flaw like React2Shell, still represents a serious risk to availability.

Deep Dive

What Is CVE-2025-55184?

CVE-2025-55184 is a denial-of-service vulnerability caused by unsafe handling of specially crafted input in the React Server Components runtime.

An attacker can send a malformed RSC request that:

  • Triggers an infinite loop, or

  • Forces the server into a hung state

Once triggered, the server may stop responding to legitimate traffic until restarted.

How It Relates to React2Shell

These vulnerabilities are not independent bugs:

  • Both stem from the React Flight protocol, which allows structured data from the client to influence server-side rendering and execution.

  • CVE-2025-55184 was discovered during audits following React2Shell, as researchers explored adjacent deserialization logic.

  • Additional related issues emerged, including:

    • CVE-2025-55183 (source exposure)

    • CVE-2025-67779 (incomplete fix for 55184)

This pattern highlights a systemic risk surface in RSC’s serialization design.

Why Availability Attacks Still Matter

Unlike React2Shell:

  • Attackers don’t gain shell access

  • No arbitrary code execution occurs

But:

  • Servers can be taken offline remotely

  • Attacks are unauthenticated

  • Repeated exploitation can cause outages, degraded performance, or forced restarts

For many teams, downtime is just as damaging as compromise.

Who Is Affected?

You may be impacted if your application:

  • Uses React Server Components

  • Runs Next.js App Router

  • Exposes Server Functions or RSC endpoints

  • Has not fully upgraded after the December React/Next.js advisories

Even if you don’t explicitly use server logic, framework defaults can still expose the vulnerable code paths.

Severity

  • CVE Score: High (Availability impact)

  • Impact: Denial of service

  • Attack Vector: Remote, unauthenticated

  • Exploitability: Low complexity

Timeline

  • Late November: React2Shell (CVE-2025-55182) disclosed

  • Early December: Additional RSC weaknesses discovered

  • December 3–5: CVE-2025-55184 disclosed and patched

  • Following days: Incomplete fix identified → CVE-2025-67779 issued

Scan Your Codebase Now

Aikido tracks CVE-2025-55184, CVE-2025-67779, and the broader family of RSC-related vulnerabilities.

Connect your repositories to:

  • Identify vulnerable React and Next.js versions

  • Determine whether the risky RSC paths are actually reachable

  • Validate that your upgrades fully eliminate exposure

Start scanning for free with Aikido.
