CVE-2025-55184 is a React Server Components DoS flaw related to React2Shell. Learn who’s affected, how it works, and how to fully patch it.

Aikido Security

CVE-2025-55184 is a denial-of-service vulnerability in React Server Components stemming from unsafe handling of the React Flight protocol deserialization layer. An attacker can send a malformed RSC request to trigger an infinite loop or hung server state, taking the app offline without needing code execution. The flaw is related to the earlier React2Shell RCE (CVE-2025-55182) and was discovered during follow-up audits. An incomplete initial patch led to a second CVE (CVE-2025-67779), meaning teams that patched early may still be exposed. Apps using Next.js App Router or any RSC-enabled framework are most at risk. Remediation requires upgrading to the latest patched React and Next.js releases and re-scanning to confirm both CVEs are fully addressed.

React & Next.js DoS Vulnerability (CVE-2025-55184) Explained