CVE-2025-55184 is a denial-of-service vulnerability in React Server Components stemming from unsafe handling of the React Flight protocol deserialization layer. An attacker can send a malformed RSC request to trigger an infinite loop or hung server state, taking the app offline without needing code execution. The flaw is related to the earlier React2Shell RCE (CVE-2025-55182) and was discovered during follow-up audits. An incomplete initial patch led to a second CVE (CVE-2025-67779), meaning teams that patched early may still be exposed. Apps using Next.js App Router or any RSC-enabled framework are most at risk. Remediation requires upgrading to the latest patched React and Next.js releases and re-scanning to confirm both CVEs are fully addressed.

4 min read. From aikido.dev