This vulnerability is an incomplete fix for CVE-2025-55184 in the React Server Components (RSC) protocol. A malicious actor can craft a specific HTTP request payload targeting a Server Function endpoint (e.g., a Server Action). When the Next.js server, using the App Router, receives and attempts to deserialize this malicious payload, it triggers an infinite recursion or loop within the React Server Components deserialization runtime (react-server-dom-webpack). This infinite loop causes the Node.js process to hang indefinitely, consuming 100% of a CPU core and making it unresponsive to other requests. The attack exploits a flaw in how certain serialized object types are processed, bypassing the earlier mitigation. No application code is executed; the denial-of-service occurs at the RSC framework layer during the parsing of the incoming request, before user logic runs.
Platform: Next.js
Version: 13.3.1-canary.0 through 14.2.34; 15.0.6; 15.1.10; 15.2.7; 15.3.7; 15.4.9; 15.5.8; 16.0.9; specific canaries.
Vulnerability: Incomplete DoS Fix
Severity: High
Date: Dec 12 2025
Prediction: Patched Dec 2025
What Undercode Says:
Check which versions are installed:
npm list next react react-dom
Vulnerable version ranges: next@>=13.3.1-canary.0 <14.2.35, next@>=15.0.6 <15.0.7, [email protected] || 19.1.3 || 19.2.2
Reproduction request against a Server Action endpoint:
curl -X POST http://target/api/action -H "Content-Type: text/plain;charset=UTF-8" --data-binary "@malicious_payload.bin"
Result: the server process enters an infinite loop and CPU spikes to 100%.
How the exploit works:
Craft a malicious serialized RSC payload. Send it in an HTTP POST request to a Server Action endpoint. The incomplete deserialization fix is bypassed, the RSC runtime enters an infinite processing loop, and the CPU core is exhausted.
Protection from this CVE:
Update Next.js immediately. Apply patched versions. Upgrade React packages. Use latest canary builds.
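An added version-triage helper, not from the advisory or from Next.js itself, that classifies an installed `next` version against the affected ranges listed above; the "specific canaries" the advisory does not enumerate are reported as unknown rather than guessed.

```javascript
// Added example, not from the advisory: classify an installed `next` version
// against the affected ranges stated above. Prerelease ordering follows SemVer
// so that e.g. 13.3.1-canary.0 sorts below 13.3.1.
// Parse "15.0.6" or "13.3.1-canary.0" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split(".") : null };
}

// SemVer precedence: numeric core first; a prerelease sorts before its release;
// numeric prerelease identifiers sort before alphanumeric ones.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  for (let i = 0; i < Math.max(pa.pre.length, pb.pre.length); i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) { if (+x !== +y) return +x < +y ? -1 : 1; }
    else if (nx !== ny) return nx ? -1 : 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Affected versions as listed in the advisory: one range plus single patch releases.
// "Specific canaries" are not enumerated there, so unlisted prereleases are "unknown".
const AFFECTED_RANGE = { from: "13.3.1-canary.0", before: "14.2.35" };
const AFFECTED_EXACT = ["15.0.6", "15.1.10", "15.2.7", "15.3.7", "15.4.9", "15.5.8", "16.0.9"];

// Returns "affected", "unknown" (unlisted prerelease) or "not-listed".
function classifyNextVersion(v) {
  const inRange = compareVersions(v, AFFECTED_RANGE.from) >= 0 &&
                  compareVersions(v, AFFECTED_RANGE.before) < 0;
  if (inRange || AFFECTED_EXACT.some((x) => compareVersions(v, x) === 0)) return "affected";
  return parseVersion(v).pre ? "unknown" : "not-listed";
}

// CLI use: node check-next.js <version>   (take the version from `npm list next`)
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  console.log(`next@${process.argv[2]}: ${classifyNextVersion(process.argv[2])}`);
}
```

"not-listed" means only that the version is outside the ranges the advisory states, not that it is confirmed safe.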
Impact:
Server CPU exhaustion. Complete service denial. Application unavailability. Requires process restart.
Sources:
Reported By: github.com