
Thursday, December 11th 2025

Next.js Security Update: December 11, 2025

Two additional vulnerabilities have been identified in the React Server Components (RSC) protocol. These issues were discovered while security researchers examined the patches for React2Shell. Importantly, neither of these new issues allows for Remote Code Execution. The patch for React2Shell remains fully effective.

These vulnerabilities originate in the upstream React implementation (CVE-2025-55183, CVE-2025-55184). This advisory tracks the downstream impact on Next.js applications using the App Router. For full details, see the React blog post.

Addendum: The initial fix for CVE-2025-55184 was incomplete. A complete fix has been issued under CVE-2025-67779. If you previously upgraded to one of the initially recommended versions, please upgrade again to the latest patched versions listed below.

Impact

Denial of Service: CVE-2025-55184 (High Severity)

A specially crafted HTTP request sent to any App Router endpoint can, when deserialized, cause an infinite loop that hangs the server process and prevents further HTTP requests from being served.

Note: The initial fix for this vulnerability was incomplete. A complete fix has been issued under CVE-2025-67779. Users who previously upgraded must upgrade again to the latest patched versions.

Source Code Exposure: CVE-2025-55183 (Medium Severity)

A specially crafted HTTP request can cause a Server Function to return the compiled source code of other Server Functions in your application. This could reveal business logic. Secrets could also be exposed if they are defined directly in your code (rather than accessed via environment variables at runtime) and referenced within a Server Function. Depending on your bundler configuration, these values may be inlined into the compiled function output.

Affected and Fixed Next.js Versions

Applications using React Server Components with the App Router are affected. The table below lists each affected release line and the version that contains the fix:

Version        Fixed In
>=13.3         Upgrade to 14.2.35
14.x           14.2.35
15.0.x         15.0.7
15.1.x         15.1.11
15.2.x         15.2.8
15.3.x         15.3.8
15.4.x         15.4.10
15.5.x         15.5.9
15.x canary    15.6.0-canary.60
16.0.x         16.0.10
16.x canary    16.1.0-canary.19

Pages Router applications are not affected, but we still recommend upgrading to a patched version.

Required Action

All users should upgrade to the latest patched version in their release line:

If you are on Next.js >=13.3, 14.0.x, or 14.1.x, upgrade to the latest 14.2.x release.

npm install next@14.2.35 # for 14.x
npm install next@15.0.7 # for 15.0.x
npm install next@15.1.11 # for 15.1.x
npm install next@15.2.8 # for 15.2.x
npm install next@15.3.8 # for 15.3.x
npm install next@15.4.10 # for 15.4.x
npm install next@15.5.9 # for 15.5.x
npm install next@16.0.10 # for 16.0.x

npm install next@15.6.0-canary.60 # for 15.x canary releases
npm install next@16.1.0-canary.19 # for 16.x canary releases

Run npx fix-react2shell-next to launch an interactive tool that checks installed versions and performs deterministic version bumps to the recommended versions above. See the GitHub repository for full details.

npx fix-react2shell-next

There is no workaround. Upgrading to a patched version is required.
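As an added example (not code from the Next.js advisory or the fix-react2shell-next tool), the following script checks a Next.js version string against the release lines and fixed-in versions in the table above, including the canary lines, so a CI job can flag lockfiles that still resolve to an affected release. The version strings fed to it at the bottom are constructed samples.

```javascript
// Added example, not code from the advisory: check a Next.js version against
// the patched versions listed in this advisory. Release lines and fixed-in
// versions below are copied from the advisory's table.

// Parse "15.6.0-canary.60" into comparable parts; pre is null for stable releases.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.(\d+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3],
           pre: m[4] ? { tag: m[4], n: +m[5] } : null };
}

// Semver precedence for the shapes used here: a prerelease sorts before the
// stable release with the same major.minor.patch; same tag compares numerically.
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) if (a[k] !== b[k]) return a[k] - b[k];
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;
  if (!b.pre) return -1;
  if (a.pre.tag !== b.pre.tag) return a.pre.tag < b.pre.tag ? -1 : 1;
  return a.pre.n - b.pre.n;
}

// Release lines from the advisory table. Canary lines are listed first so that
// a 16.0.x canary build is judged against the canary fix, not the 16.0.x one.
const isCanary = v => v.pre !== null && v.pre.tag === 'canary';
const RELEASE_LINES = [
  { line: '16.x canary', fixed: '16.1.0-canary.19', match: v => v.major === 16 && isCanary(v) },
  { line: '15.x canary', fixed: '15.6.0-canary.60', match: v => v.major === 15 && isCanary(v) },
  { line: '16.0.x', fixed: '16.0.10', match: v => v.major === 16 && v.minor === 0 },
  { line: '15.5.x', fixed: '15.5.9',  match: v => v.major === 15 && v.minor === 5 },
  { line: '15.4.x', fixed: '15.4.10', match: v => v.major === 15 && v.minor === 4 },
  { line: '15.3.x', fixed: '15.3.8',  match: v => v.major === 15 && v.minor === 3 },
  { line: '15.2.x', fixed: '15.2.8',  match: v => v.major === 15 && v.minor === 2 },
  { line: '15.1.x', fixed: '15.1.11', match: v => v.major === 15 && v.minor === 1 },
  { line: '15.0.x', fixed: '15.0.7',  match: v => v.major === 15 && v.minor === 0 },
  { line: '14.x',   fixed: '14.2.35', match: v => v.major === 14 },
  { line: '>=13.3', fixed: '14.2.35', match: v => v.major === 13 && v.minor >= 3 },
];

// Returns { line, fixed, patched } for a version on a listed release line, or
// { line: null, fixed: null, patched: null } when the advisory lists no fix for it.
function assessNextVersion(version) {
  const v = parseVersion(version);
  const entry = RELEASE_LINES.find(e => e.match(v));
  if (!entry) return { line: null, fixed: null, patched: null };
  return { line: entry.line, fixed: entry.fixed,
           patched: compareVersions(v, parseVersion(entry.fixed)) >= 0 };
}

// Constructed sample versions, e.g. as resolved from a lockfile by a CI check.
for (const s of ['14.2.34', '15.5.9', '15.6.0-canary.59', '16.0.0-canary.3', '13.2.4']) {
  console.log(s, assessNextVersion(s));
}
```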

Discovery

Thank you to RyotaK from GMO Flatt Security Inc. and Andrew MacPherson for discovering and responsibly disclosing these vulnerabilities. We are intentionally limiting technical detail in this advisory to protect developers who have not yet upgraded.