CVE-2025-67779: additional act vulnerabilities (CVE-2025-55183, CVE-2025-55184, CVE-2025-67779)

Published Dec 11, 2025
·
Updated

## Impact It was found that the fix to address [CVE-2025-55184](https://github.com/facebook/react/security/advisories/GHSA-2m3v-v2m8-q956) in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. We recommend updating immediately. The vulnerability exists in versions 19.0.2, 19.1.3, and 19.2.2 of: - [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack) - [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel) - [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme) These issues are present in the patches published on December 11th, 2025. ## Patches Fixes were back ported to versions 19.0.3, 19.1.4, and 19.2.3. If you are using any of the above packages please upgrade to any of the fixed versions immediately. If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability. ## References See the [blog post](https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components) for more information and upgrade instructions.

Affected Software

102 affected componentsFixes available
Meta React Server Components=19.0.2, =19.1.3, =19.2.2
npm/react-server-dom-webpack>=19.2.2<19.2.3
19.2.3
npm/react-server-dom-webpack>=19.1.3<19.1.4
19.1.4
npm/react-server-dom-webpack>=19.0.2<19.0.3
19.0.3
npm/react-server-dom-turbopack>=19.2.2<19.2.3
19.2.3
npm/react-server-dom-turbopack>=19.1.3<19.1.4
19.1.4
npm/react-server-dom-turbopack>=19.0.2<19.0.3
19.0.3
npm/react-server-dom-parcel>=19.2.2<19.2.3
19.2.3
npm/react-server-dom-parcel>=19.1.3<19.1.4
19.1.4
npm/react-server-dom-parcel>=19.0.2<19.0.3
19.0.3
Facebook React=19.0.2
Facebook React=19.1.3
Facebook React=19.2.2
Vercel Next.js Node.js>=13.3.0<14.2.35
Vercel Next.js Node.js>=15.0.0<15.0.7
Vercel Next.js Node.js>=15.1.0<15.1.11
Vercel Next.js Node.js>=15.2.0<15.2.8
Vercel Next.js Node.js>=15.3.0<15.3.8
Vercel Next.js Node.js>=15.4.0<15.4.10
Vercel Next.js Node.js>=15.5.0<15.5.9
Vercel Next.js Node.js>=16.0.0<16.0.10
Vercel Next.js Node.js=15.6.0
Vercel Next.js Node.js=15.6.0-canary0
Vercel Next.js Node.js=15.6.0-canary1
Vercel Next.js Node.js=15.6.0-canary10
Vercel Next.js Node.js=15.6.0-canary11
Vercel Next.js Node.js=15.6.0-canary12
Vercel Next.js Node.js=15.6.0-canary13
Vercel Next.js Node.js=15.6.0-canary14
Vercel Next.js Node.js=15.6.0-canary15
Vercel Next.js Node.js=15.6.0-canary16
Vercel Next.js Node.js=15.6.0-canary17
Vercel Next.js Node.js=15.6.0-canary18
Vercel Next.js Node.js=15.6.0-canary19
Vercel Next.js Node.js=15.6.0-canary2
Vercel Next.js Node.js=15.6.0-canary20
Vercel Next.js Node.js=15.6.0-canary21
Vercel Next.js Node.js=15.6.0-canary22
Vercel Next.js Node.js=15.6.0-canary23
Vercel Next.js Node.js=15.6.0-canary24
Vercel Next.js Node.js=15.6.0-canary25
Vercel Next.js Node.js=15.6.0-canary26
Vercel Next.js Node.js=15.6.0-canary27
Vercel Next.js Node.js=15.6.0-canary28
Vercel Next.js Node.js=15.6.0-canary29
Vercel Next.js Node.js=15.6.0-canary3
Vercel Next.js Node.js=15.6.0-canary30
Vercel Next.js Node.js=15.6.0-canary31
Vercel Next.js Node.js=15.6.0-canary32
Vercel Next.js Node.js=15.6.0-canary33
Vercel Next.js Node.js=15.6.0-canary34
Vercel Next.js Node.js=15.6.0-canary35
Vercel Next.js Node.js=15.6.0-canary36
Vercel Next.js Node.js=15.6.0-canary37
Vercel Next.js Node.js=15.6.0-canary38
Vercel Next.js Node.js=15.6.0-canary39
Vercel Next.js Node.js=15.6.0-canary4
Vercel Next.js Node.js=15.6.0-canary40
Vercel Next.js Node.js=15.6.0-canary41
Vercel Next.js Node.js=15.6.0-canary42
Vercel Next.js Node.js=15.6.0-canary43
Vercel Next.js Node.js=15.6.0-canary44
Vercel Next.js Node.js=15.6.0-canary45
Vercel Next.js Node.js=15.6.0-canary46
Vercel Next.js Node.js=15.6.0-canary47
Vercel Next.js Node.js=15.6.0-canary48
Vercel Next.js Node.js=15.6.0-canary49
Vercel Next.js Node.js=15.6.0-canary5
Vercel Next.js Node.js=15.6.0-canary50
Vercel Next.js Node.js=15.6.0-canary51
Vercel Next.js Node.js=15.6.0-canary52
Vercel Next.js Node.js=15.6.0-canary53
Vercel Next.js Node.js=15.6.0-canary54
Vercel Next.js Node.js=15.6.0-canary55
Vercel Next.js Node.js=15.6.0-canary56
Vercel Next.js Node.js=15.6.0-canary57
Vercel Next.js Node.js=15.6.0-canary58
Vercel Next.js Node.js=15.6.0-canary59
Vercel Next.js Node.js=15.6.0-canary6
Vercel Next.js Node.js=15.6.0-canary7
Vercel Next.js Node.js=15.6.0-canary8
Vercel Next.js Node.js=15.6.0-canary9
Vercel Next.js Node.js=16.1.0
Vercel Next.js Node.js=16.1.0-canary0
Vercel Next.js Node.js=16.1.0-canary1
Vercel Next.js Node.js=16.1.0-canary10
Vercel Next.js Node.js=16.1.0-canary11
Vercel Next.js Node.js=16.1.0-canary12
Vercel Next.js Node.js=16.1.0-canary13
Vercel Next.js Node.js=16.1.0-canary14
Vercel Next.js Node.js=16.1.0-canary15
Vercel Next.js Node.js=16.1.0-canary16
Vercel Next.js Node.js=16.1.0-canary17
Vercel Next.js Node.js=16.1.0-canary18
Vercel Next.js Node.js=16.1.0-canary2
Vercel Next.js Node.js=16.1.0-canary3
Vercel Next.js Node.js=16.1.0-canary4
Vercel Next.js Node.js=16.1.0-canary5
Vercel Next.js Node.js=16.1.0-canary6
Vercel Next.js Node.js=16.1.0-canary7
Vercel Next.js Node.js=16.1.0-canary8
Vercel Next.js Node.js=16.1.0-canary9

Event History

Dec 11, 2025
CVE Published
via MITRE·11:36 PM
Data Sourced
via MITRE·11:36 PM
DescriptionSeverityWeakness
Dec 12, 2025
Data Sourced
via NVD·12:15 AM
DescriptionSeverityWeaknessAffected Software
Advisory Published
via GitHub·04:32 PM
Data Sourced
via GitHub·04:32 PM
DescriptionSeverityWeaknessAffected Software
News Published
via The Register·06:23 PM
News Published
via The Register·06:27 PM
Dec 15, 2025
News Published
via The Register·05:53 PM
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2025-67779?

CVE-2025-67779 has been classified as a high severity vulnerability due to its potential to cause denial of service attacks.

2

How do I fix CVE-2025-67779?

To fix CVE-2025-67779, upgrade to the latest version of React Server Components that addresses the vulnerability.

3

What versions of React Server Components are affected by CVE-2025-67779?

CVE-2025-67779 affects React Server Components versions 19.0.2, 19.1.3, and 19.2.2.

4

What type of attack does CVE-2025-67779 allow?

CVE-2025-67779 allows for a denial of service attack due to unsafe deserialization of payloads.

5

Who is the vendor responsible for CVE-2025-67779?

The vendor responsible for CVE-2025-67779 is Meta, which maintains React Server Components.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203