Thursday, December 11th 2025
Next.js Security Update: December 11, 2025
Note: Some patched versions are still being released to npm. If a version listed below is not yet available, please check back shortly.
Two additional vulnerabilities have been identified in the React Server Components (RSC) protocol. These issues were discovered while security researchers examined the patches for React2Shell. Importantly, neither of these new issues allows Remote Code Execution. The patch for React2Shell remains fully effective.
These vulnerabilities originate in the upstream React implementation (CVE-2025-55183, CVE-2025-55184). This advisory tracks the downstream impact on Next.js applications using the App Router. For full details, see the React blog post.
Impact
Denial of Service: CVE-2025-55184 (High Severity)
A specially crafted HTTP request sent to any App Router endpoint can, when deserialized, trigger an infinite loop that hangs the server process and prevents further HTTP requests from being served.
Source Code Exposure: CVE-2025-55183 (Medium Severity)
A specially crafted HTTP request can cause a Server Function to return the compiled source code of other Server Functions in your application, which could reveal business logic. Secrets can also be exposed if they are defined directly in your code (rather than read from environment variables at runtime) and referenced within a Server Function: depending on your bundler configuration, those values may be inlined into the compiled function output.
Affected and Fixed Next.js Versions
Applications using React Server Components with the App Router are affected. The table below shows which versions are affected by each vulnerability and the corresponding fix:
| Version | DoS (CVE-2025-55184) | Source Code Exposure (CVE-2025-55183) | Fixed In |
|---|---|---|---|
| 13.x (>=13.3) | ✓ | — | 14.2.34 |
| 14.x | ✓ | — | 14.2.34 |
| 15.0.x | ✓ | ✓ | 15.0.6 |
| 15.1.x | ✓ | ✓ | 15.1.10 |
| 15.2.x | ✓ | ✓ | 15.2.7 |
| 15.3.x | ✓ | ✓ | 15.3.7 |
| 15.4.x | ✓ | ✓ | 15.4.9 |
| 15.5.x | ✓ | ✓ | 15.5.8 |
| 15.x canary | ✓ | ✓ | 15.6.0-canary.59 |
| 16.0.x | ✓ | ✓ | 16.0.9 |
| 16.x canary | ✓ | ✓ | 16.1.0-canary.17 |
Pages Router applications are not affected, but we still recommend upgrading to a patched version.
Required Action
All users should upgrade to the latest patched version in their release line:
If you are on Next.js >=13.3, 14.0.x, or 14.1.x, upgrade to the latest 14.2.x release.

```bash
npm install next@14.2.34          # for 14.x
npm install next@15.0.6           # for 15.0.x
npm install next@15.1.10          # for 15.1.x
npm install next@15.2.7           # for 15.2.x
npm install next@15.3.7           # for 15.3.x
npm install next@15.4.9           # for 15.4.x
npm install next@15.5.8           # for 15.5.x
npm install next@16.0.9           # for 16.0.x
npm install next@15.6.0-canary.59 # for 15.x canary releases
npm install next@16.1.0-canary.17 # for 16.x canary releases
```

There is no workaround. Upgrading to a patched version is required.
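As an added check for the version table and the upgrade step above (example code written for this page, not Vercel's or the Next.js project's own tooling): a small script that maps an installed Next.js version onto the fix table in this advisory and reports whether it is still exposed to either CVE. It assumes the version string is the one actually installed (`node_modules/next`), not a `package.json` range, and it reports any version the table does not name (below 13.3, or a series such as an older canary train) as `unknown` rather than as safe. The script name used in the usage note is hypothetical.

```javascript
// Added example, not code from Vercel or the Next.js project: classify an
// installed Next.js version against the fix table in this advisory.
// Assumptions not stated on the page: versions outside the listed release
// lines (below 13.3, or a series the table does not name, such as an older
// canary train) are reported as "unknown" rather than as safe, and the
// version string is the installed one, not a package.json range.

// Fix table transcribed from the advisory.
// dos = CVE-2025-55184, sourceExposure = CVE-2025-55183.
const RELEASE_LINES = [
  { line: '13.x (>=13.3) / 14.x', fixedIn: '14.2.34', dos: true, sourceExposure: false,
    match: v => (v.major === 13 && v.minor >= 3) || (v.major === 14 && v.minor <= 2) },
  { line: '15.0.x', fixedIn: '15.0.6',  dos: true, sourceExposure: true,
    match: v => v.major === 15 && v.minor === 0 },
  { line: '15.1.x', fixedIn: '15.1.10', dos: true, sourceExposure: true,
    match: v => v.major === 15 && v.minor === 1 },
  { line: '15.2.x', fixedIn: '15.2.7',  dos: true, sourceExposure: true,
    match: v => v.major === 15 && v.minor === 2 },
  { line: '15.3.x', fixedIn: '15.3.7',  dos: true, sourceExposure: true,
    match: v => v.major === 15 && v.minor === 3 },
  { line: '15.4.x', fixedIn: '15.4.9',  dos: true, sourceExposure: true,
    match: v => v.major === 15 && v.minor === 4 },
  { line: '15.5.x', fixedIn: '15.5.8',  dos: true, sourceExposure: true,
    match: v => v.major === 15 && v.minor === 5 },
  { line: '15.x canary', fixedIn: '15.6.0-canary.59', dos: true, sourceExposure: true,
    match: v => v.major === 15 && v.minor === 6 && v.patch === 0 && isCanary(v) },
  { line: '16.0.x', fixedIn: '16.0.9',  dos: true, sourceExposure: true,
    match: v => v.major === 16 && v.minor === 0 },
  { line: '16.x canary', fixedIn: '16.1.0-canary.17', dos: true, sourceExposure: true,
    match: v => v.major === 16 && v.minor === 1 && v.patch === 0 && isCanary(v) },
];

function isCanary(v) {
  return v.pre !== null && v.pre.tag === 'canary';
}

// Parse "MAJOR.MINOR.PATCH" with an optional "-tag.N" prerelease suffix,
// which covers every version string that appears in the advisory.
function parseVersion(input) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.(\d+))?$/.exec(String(input).trim());
  if (!m) throw new Error(`unrecognised version string: ${input}`);
  return {
    major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]),
    pre: m[4] ? { tag: m[4].toLowerCase(), n: Number(m[5]) } : null,
  };
}

// Semver-style ordering: numeric triple first; a release outranks any
// prerelease of the same triple; prereleases compare by tag, then number.
function compare(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;
  if (!b.pre) return -1;
  if (a.pre.tag !== b.pre.tag) return a.pre.tag < b.pre.tag ? -1 : 1;
  return Math.sign(a.pre.n - b.pre.n);
}

// Returns { status: 'patched' | 'affected' | 'unknown', ... } for one version.
function assess(versionString) {
  const v = parseVersion(versionString);
  const entry = RELEASE_LINES.find(r => r.match(v));
  if (!entry) {
    return { version: versionString, line: null, status: 'unknown',
             dos: null, sourceExposure: null, fixedIn: null };
  }
  const patched = compare(v, parseVersion(entry.fixedIn)) >= 0;
  return {
    version: versionString,
    line: entry.line,
    status: patched ? 'patched' : 'affected',
    dos: !patched && entry.dos,
    sourceExposure: !patched && entry.sourceExposure,
    fixedIn: entry.fixedIn,
  };
}

// Stand-alone use: pass the installed version(s) as arguments; with no
// arguments, a few constructed sample versions are assessed instead.
const SAMPLES = ['14.2.33', '15.5.8', '15.6.0-canary.58', '16.1.0-canary.17', '13.2.4'];
for (const version of (process.argv.length > 2 ? process.argv.slice(2) : SAMPLES)) {
  try {
    const r = assess(version);
    console.log(`${version.padEnd(18)} ${r.status.padEnd(8)} line=${r.line ?? 'not listed'}` +
                ` fixedIn=${r.fixedIn ?? 'n/a'} dos=${r.dos} sourceExposure=${r.sourceExposure}`);
  } catch (err) {
    console.error(err.message);
  }
}
```

From a project root, `node check-next-version.js "$(node -p "require('next/package.json').version")"` feeds the script the version that is actually installed. The script only knows the table above: it will flag a Pages Router application on an old version even though this advisory says such applications are not affected, and it says nothing about the earlier React2Shell fix (CVE-2025-66478).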
Resources
- CVE-2025-55184 (DoS): React, Next.js
- CVE-2025-55183 (Source Code Exposure): React, Next.js
- React blog: Denial of Service and Source Code Exposure in React Server Components
- Previous Security Advisory: CVE-2025-66478
Discovery
Thank you to RyotaK from GMO Flatt Security Inc. and Andrew MacPherson for discovering and responsibly disclosing these vulnerabilities. We are intentionally limiting technical detail in this advisory to protect developers who have not yet upgraded.