CVE-2025-55184 & CVE-2025-55183: Next.js Vulnerabilities
CVE-2025-55184: CVSS 7.5 (High) — Denial of Service vulnerability CVE-2025-55183: CVSS 5.3 (Medium) — Source Code Exposure vulnerability
Published: December 12, 2024 Affected: Next.js 13.x, 14.x, 15.x, 16.x Fixed in: 15.5.9, 15.4.10, 15.3.8, 15.2.8, 15.1.11, 15.0.7, 16.0.10, 14.2.35
Summary
Following the React2Shell disclosure, increased community research into React Server Components surfaced two additional vulnerabilities:
- CVE-2025-55184 (High): Denial of Service - malicious HTTP requests can cause the server process to hang and consume CPU
- CVE-2025-55183 (Medium): Source Code Exposure - malicious HTTP requests can return compiled source code of Server Actions
Important: Neither of these vulnerabilities allow for Remote Code Execution.
Impact
CVE-2025-55184: Denial of Service
A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU resources, potentially making the application unavailable.
CVE-2025-55183: Source Code Exposure
A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Actions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into the Server Action’s code.
Affected Versions
| Status | Versions | Fixed In |
|---|---|---|
| Affected | Next.js 15.5.x | 15.5.9 |
| Affected | Next.js 15.4.x | 15.4.10 |
| Affected | Next.js 15.3.x | 15.3.8 |
| Affected | Next.js 15.2.x | 15.2.8 |
| Affected | Next.js 15.1.x | 15.1.11 |
| Affected | Next.js 15.0.x | 15.0.7 |
| Affected | Next.js 16.0.x | 16.0.10 |
| Affected | Next.js 14.x | 14.2.35 |
| Affected | Next.js 13.3+ | 14.2.35 |
| Not Affected | Pages Router | N/A |
Next.js Pages Router applications are not affected by these vulnerabilities.
Required Action
Check your Next.js version
npm list next
# or
pnpm list next
# or check in browser console
next.versionUpdate to the patched version
# For 15.5.x (recommended)
npm install [email protected]
# For other versions
npm install [email protected] # for 15.4.x
npm install [email protected] # for 15.3.x
npm install [email protected] # for 15.2.x
npm install [email protected] # for 15.1.x
npm install [email protected] # for 15.0.x
npm install [email protected] # for 16.0.x
npm install [email protected] # for 14.x and 13.3+Update lockfile and rebuild
# Update lockfile
npm install # or pnpm install
# Rebuild
npm run build
# Deploy immediately
# Deploy to your hosting providerImmediate deployment required — These vulnerabilities affect all App Router endpoints. Deploy the patched version as soon as possible.
DjangoCFG Packages Status
All @djangocfg/* packages have been updated to require Next.js 15.5.9+:
| Package | Previous | Updated |
|---|---|---|
@djangocfg/nextjs | 15.5.7 | 15.5.9 |
@djangocfg/ui-nextjs | 15.5.7 | 15.5.9 |
@djangocfg/layouts | >=15.0.0 | Compatible |
| All apps | 15.5.7 | 15.5.9 |
Update your packages:
pnpm update @djangocfg/nextjs @djangocfg/ui-nextjsVercel WAF Protection
Vercel has deployed new WAF rules to automatically protect all projects hosted on Vercel at no cost. However, WAF rules cannot guarantee protection against all possible variants — immediate upgrades are still required.
Additional Security Measures
Enable Deployment Protection
Turn on Standard Protection for all deployments besides your production domain to prevent exploitation of older deployments.
Audit Shareable Links
Review any shareable preview deployment links to ensure they are not publicly accessible without protection.
Rotate Secrets (Optional)
Only recommended if secrets were hardcoded in Server Actions. Use environment variables instead:
# Good - uses env var
const API_KEY = process.env.API_KEY;
// Bad - hardcoded (would be exposed by CVE-2025-55183)
const API_KEY = "sk-...";References
Timeline
| Date | Event |
|---|---|
| Dec 12, 2024 | Vulnerabilities disclosed |
| Dec 12, 2024 | Patched versions released |
| Dec 12, 2024 | Vercel WAF rules deployed |
| Dec 13, 2024 | DjangoCFG packages updated |
These vulnerabilities were discovered through increased community research following the React2Shell disclosure. We are grateful to the security community for helping strengthen the ecosystem.