Skip to Content
UpdatesSecurityCVE-2025-55184 & 55183: DoS & Source Exposure

CVE-2025-55184 & CVE-2025-55183: Next.js Vulnerabilities

CVE-2025-55184: CVSS 7.5 (High) — Denial of Service vulnerability CVE-2025-55183: CVSS 5.3 (Medium) — Source Code Exposure vulnerability

Published: December 12, 2024 Affected: Next.js 13.x, 14.x, 15.x, 16.x Fixed in: 15.5.9, 15.4.10, 15.3.8, 15.2.8, 15.1.11, 15.0.7, 16.0.10, 14.2.35

Summary

Following the React2Shell disclosure, increased community research into React Server Components surfaced two additional vulnerabilities:

  • CVE-2025-55184 (High): Denial of Service - malicious HTTP requests can cause the server process to hang and consume CPU
  • CVE-2025-55183 (Medium): Source Code Exposure - malicious HTTP requests can return compiled source code of Server Actions

Important: Neither of these vulnerabilities allow for Remote Code Execution.

Impact

CVE-2025-55184: Denial of Service

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU resources, potentially making the application unavailable.

CVE-2025-55183: Source Code Exposure

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Actions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into the Server Action’s code.

Affected Versions

StatusVersionsFixed In
AffectedNext.js 15.5.x15.5.9
AffectedNext.js 15.4.x15.4.10
AffectedNext.js 15.3.x15.3.8
AffectedNext.js 15.2.x15.2.8
AffectedNext.js 15.1.x15.1.11
AffectedNext.js 15.0.x15.0.7
AffectedNext.js 16.0.x16.0.10
AffectedNext.js 14.x14.2.35
AffectedNext.js 13.3+14.2.35
Not AffectedPages RouterN/A

Next.js Pages Router applications are not affected by these vulnerabilities.

Required Action

Check your Next.js version

npm list next # or pnpm list next # or check in browser console next.version

Update to the patched version

# For 15.5.x (recommended) npm install [email protected] # For other versions npm install [email protected] # for 15.4.x npm install [email protected] # for 15.3.x npm install [email protected] # for 15.2.x npm install [email protected] # for 15.1.x npm install [email protected] # for 15.0.x npm install [email protected] # for 16.0.x npm install [email protected] # for 14.x and 13.3+

Update lockfile and rebuild

# Update lockfile npm install # or pnpm install # Rebuild npm run build # Deploy immediately # Deploy to your hosting provider

Immediate deployment required — These vulnerabilities affect all App Router endpoints. Deploy the patched version as soon as possible.

DjangoCFG Packages Status

All @djangocfg/* packages have been updated to require Next.js 15.5.9+:

PackagePreviousUpdated
@djangocfg/nextjs15.5.715.5.9
@djangocfg/ui-nextjs15.5.715.5.9
@djangocfg/layouts>=15.0.0Compatible
All apps15.5.715.5.9

Update your packages:

pnpm update @djangocfg/nextjs @djangocfg/ui-nextjs

Vercel WAF Protection

Vercel has deployed new WAF rules to automatically protect all projects hosted on Vercel at no cost. However, WAF rules cannot guarantee protection against all possible variants — immediate upgrades are still required.

Additional Security Measures

Enable Deployment Protection

Turn on Standard Protection  for all deployments besides your production domain to prevent exploitation of older deployments.

Review any shareable preview deployment links to ensure they are not publicly accessible without protection.

Rotate Secrets (Optional)

Only recommended if secrets were hardcoded in Server Actions. Use environment variables instead:

# Good - uses env var const API_KEY = process.env.API_KEY; // Bad - hardcoded (would be exposed by CVE-2025-55183) const API_KEY = "sk-...";

References

Timeline

DateEvent
Dec 12, 2024Vulnerabilities disclosed
Dec 12, 2024Patched versions released
Dec 12, 2024Vercel WAF rules deployed
Dec 13, 2024DjangoCFG packages updated

These vulnerabilities were discovered through increased community research following the React2Shell disclosure. We are grateful to the security community for helping strengthen the ecosystem.

Last updated on