CVE-2025-67779

🔴 HIGH

Published

Dec 12, 2025

Last Modified

Dec 12, 2025

Views

Bookmarks

Description

Request Expert Review

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

Affected Products (85)

facebook - react

Version: 19.0.2

facebook - react

Version: 19.1.3

facebook - react

Version: 19.2.2

vercel - next.js

Version: *

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 15.6.0

vercel - next.js

Version: 16.1.0

vercel - next.js

Version: 16.1.0

vercel - next.js

Version: 16.1.0

vercel - next.js

Version: 16.1.0

vercel - next.js

Version: 16.1.0

vercel - next.js

Version: 16.1.0

vercel - next.js

Version: 16.1.0

vercel - next.js

Version: 16.1.0

vercel - next.js

Version: 16.1.0

vercel - next.js

Version: 16.1.0

vercel - next.js

Version: 16.1.0

vercel - next.js

Version: 16.1.0

vercel - next.js

Version: 16.1.0

vercel - next.js

Version: 16.1.0

vercel - next.js

Version: 16.1.0

vercel - next.js

Version: 16.1.0

vercel - next.js

Version: 16.1.0

vercel - next.js

Version: 16.1.0

vercel - next.js

Version: 16.1.0

vercel - next.js

Version: 16.1.0

CVSS Scores

CVSS 3.1 7.5

7.5

HIGH

CVSS 2.0 7.5

References

react.dev www.facebook.com

Additional Information

Source: cve-assign@fb.com
State: Modified

Related CVEs

CVE-2026-0837

HIGH

A vulnerability was identified in UTT 进取 520W 1.7.7-180627. This affects the function strcpy of the file /goform/formFireWall. Such manipulation of...

Score: 8.8

CVE-2026-0836

HIGH

A vulnerability was determined in UTT 进取 520W 1.7.7-180627. The impacted element is the function strcpy of the file /goform/formConfigFastDirectionW...

Score: 8.8

CVE-2025-15505

LOW

A vulnerability was found in Luxul XWR-600 up to 4.0.1. The affected element is an unknown function of the component Web Administration Interface. The...

Score: 2.4

CVE-2026-0824

LOW

A security flaw has been discovered in questdb ui up to 1.11.9. Impacted is an unknown function of the component Web Console. The manipulation results...

Score: 3.5

CVE-2026-0822

MEDIUM

A vulnerability was identified in quickjs-ng quickjs up to 0.11.0. This issue affects the function js_typed_array_sort of the file quickjs.c. The mani...

Score: 6.3

CVE-2025-13393

MEDIUM

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This...

Score: 4.3

Share CVE-2025-67779

Share on Social Media

Copy Link

Embed Code

HTML Embed (for websites/blogs)

Markdown (for GitHub/Discord)

Request Expert Analysis

Request a professional security analysis for CVE-2025-67779 from our verified experts.

Credits System

Use your credits to get expert analysis from verified security professionals. Purchase more credits anytime!

Priority Level

SLA Acceleration (50% faster delivery)

Add 3 credits for accelerated delivery

Additional Context (Optional)

Base Cost: 8 credits

Priority Upgrade: + credits

SLA Acceleration: +3 credits

Total Cost:

Your Balance:

Insufficient Credits

You need more credits to submit this request.

Buy Credits