Two additional vulnerabilities have been identified in React Server Components. Users should upgrade to patched versions immediately.

The Next.js Blog provides insights, updates, and tutorials on Next.js, a popular React framework for building server-side rendered (SSR) and static websites. Developers can learn about Next.js features, routing mechanisms, and data fetching strategies, as well as explore real-world examples and use cases of Next.js applications.

Next.js

Two new security vulnerabilities have been discovered in React Server Components affecting Next.js App Router applications. CVE-2025-55184 is a high-severity denial of service vulnerability that can hang server processes through crafted HTTP requests. CVE-2025-55183 is a medium-severity issue that can expose compiled source code of Server Functions, potentially revealing business logic and secrets. Neither vulnerability allows remote code execution. All users running Next.js versions 13.3 and above with App Router should immediately upgrade to patched versions (14.2.34, 15.0.6-15.5.8, or 16.0.9 depending on their release line). Pages Router applications are not affected but upgrades are still recommended.

Next.js Security Update: December 11, 2025