Two new security vulnerabilities have been discovered in React Server Components affecting Next.js App Router applications. CVE-2025-55184 is a high-severity denial of service vulnerability that can hang server processes through crafted HTTP requests. CVE-2025-55183 is a medium-severity issue that can expose compiled source code of Server Functions, potentially revealing business logic and secrets. Neither vulnerability allows remote code execution. All users running Next.js versions 13.3 and above with App Router should immediately upgrade to patched versions (14.2.34, 15.0.6-15.5.8, or 16.0.9 depending on their release line). Pages Router applications are not affected but upgrades are still recommended.

From nextjs.org