
AIKIDO-2025-10936

next is vulnerable to Denial of Service

Denial of Service. CVE-2025-55184. Published Dec 12, 2025

70

High Risk

This Affects:

next (JS)
13.3.0 - 14.2.34, fixed in 14.2.35
15.0.0 - 15.0.6, fixed in 15.0.7
15.1.1 - 15.1.10, fixed in 15.1.11
15.2.0 - 15.2.7, fixed in 15.2.8
15.3.0 - 15.3.7, fixed in 15.3.8
15.4.0 - 15.4.9, fixed in 15.4.10
15.5.1 - 15.5.8, fixed in 15.5.9
16.0.0 - 16.0.9, fixed in 16.0.10

TL;DR

Security researchers have discovered that a crafted HTTP request sent to any Server Functions endpoint can, when deserialized by React, trigger an infinite loop that hangs the server process and consumes CPU. Even if your app does not implement any React Server Function endpoints, it may still be vulnerable if it supports React Server Components.

Who does this affect?

Applications that use React Server Components with the App Router.

Background info

next is vulnerable to Denial of Service in versions 13.3.0 - 14.2.34, 15.0.0 - 15.0.6, 15.1.1 - 15.1.10, 15.2.0 - 15.2.7, 15.3.0 - 15.3.7, 15.4.0 - 15.4.9, 15.5.1 - 15.5.8 and 16.0.0 - 16.0.9.

How to fix this

Upgrade the Next.js library to the patched version for your release line (the "fixed in" version listed above for the range your installed version falls into).
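As an added example (not part of this advisory or of the Next.js project), the check below compares an installed Next.js version against the affected ranges listed above and reports which fixed release to move to. It assumes a plain MAJOR.MINOR.PATCH version string such as the one in an installed next/package.json; any prerelease suffix is stripped and the base version is compared, which is a conservative approximation.

```javascript
// Affected ranges and fixed versions as listed in the advisory (CVE-2025-55184).
const AFFECTED_RANGES = [
  { from: "13.3.0", to: "14.2.34", fixedIn: "14.2.35" },
  { from: "15.0.0", to: "15.0.6",  fixedIn: "15.0.7" },
  { from: "15.1.1", to: "15.1.10", fixedIn: "15.1.11" },
  { from: "15.2.0", to: "15.2.7",  fixedIn: "15.2.8" },
  { from: "15.3.0", to: "15.3.7",  fixedIn: "15.3.8" },
  { from: "15.4.0", to: "15.4.9",  fixedIn: "15.4.10" },
  { from: "15.5.1", to: "15.5.8",  fixedIn: "15.5.9" },
  { from: "16.0.0", to: "16.0.9",  fixedIn: "16.0.10" },
];

// Parse "15.4.10" (or "v15.4.10", "15.4.10-canary.3") into numeric parts.
// Numeric comparison matters: as strings, "15.4.9" would sort after "15.4.10".
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a MAJOR.MINOR.PATCH version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns { version, affected, fixedIn }; fixedIn is null when not affected.
function assessNextVersion(version) {
  for (const r of AFFECTED_RANGES) {
    if (compareVersions(version, r.from) >= 0 && compareVersions(version, r.to) <= 0) {
      return { version, affected: true, fixedIn: r.fixedIn };
    }
  }
  return { version, affected: false, fixedIn: null };
}

// Assess from the text of an installed package's package.json (the resolved
// version, not a "^15.2.0" range from your own dependencies list).
function assessFromPackageJson(jsonText) {
  const pkg = JSON.parse(jsonText);
  if (pkg.name !== "next") throw new Error(`expected package "next", got ${pkg.name}`);
  return assessNextVersion(pkg.version);
}

// Constructed sample input, standing in for node_modules/next/package.json.
const SAMPLE_PACKAGE_JSON = '{ "name": "next", "version": "15.4.9" }';
console.log(assessFromPackageJson(SAMPLE_PACKAGE_JSON));
```

Run it against the real file with `node -e` after replacing the constructed sample with `fs.readFileSync("node_modules/next/package.json", "utf8")`; a lockfile audit should be done the same way per workspace.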