Next.js Security Update: Denial of Service and Source Code Exposure in App Router
Critical Next.js security update addressing high-severity Denial of Service (CVE-2025-67779) and medium-severity Source Code Exposure (CVE-2025-55183) vulnerabilities in applications using the App Router. Immediate upgrade is required.
This advisory details two newly identified vulnerabilities within the React Server Components (RSC) protocol, which were discovered during a security review of patches for React2Shell. These issues primarily impact Next.js applications utilizing the App Router. It is important to note that neither of these vulnerabilities allows for Remote Code Execution, and the original React2Shell patch remains effective.
These vulnerabilities stem from the upstream React implementation (CVE-2025-55183, CVE-2025-55184). This advisory focuses on their downstream impact on Next.js. For a comprehensive overview, please refer to the React blog post.
Addendum: An initial fix for CVE-2025-55184 was found to be incomplete. A complete resolution has since been issued under CVE-2025-67779. Users who previously upgraded based on the initial recommendations must upgrade again to the latest patched versions listed below to ensure full protection.
Impact
Denial of Service (DoS): CVE-2025-55184 (High Severity) / CVE-2025-67779 (Complete Fix) A specially crafted HTTP request targeting any App Router endpoint can, upon deserialization, trigger an infinite loop. This action will cause the server process to hang, preventing it from serving subsequent HTTP requests. Note: The initial fix for this vulnerability was incomplete. The complete fix is tracked under CVE-2025-67779. All users who previously applied an upgrade for this issue must re-upgrade to the latest patched versions.
Source Code Exposure: CVE-2025-55183 (Medium Severity) A maliciously crafted HTTP request can compel a Server Function to return the compiled source code of other Server Functions within your application. This could potentially expose proprietary business logic. Additionally, if sensitive information (secrets) is directly defined within your code (rather than accessed securely via environment variables at runtime) and referenced within a Server Function, these values might be inlined into the compiled function output and subsequently exposed. The extent of exposure may vary depending on your bundler configuration.
Affected and Fixed Next.js Versions
Applications that use React Server Components with the App Router are susceptible to these vulnerabilities. The table below outlines the versions affected by each vulnerability and the corresponding version containing the fix. While Pages Router applications are not directly affected, upgrading to a patched version is still recommended as a best practice.
| Version | DoS (CVE-2025-55184) | Source Code Exposure (CVE-2025-55183) | Fixed In |
|---|---|---|---|
| >=13.3 | ✓ | — | Upgrade to 14.2.35 |
| 14.x | ✓ | — | 14.2.35 |
| 15.0.x | ✓ | ✓ | 15.0.7 |
| 15.1.x | ✓ | ✓ | 15.1.11 |
| 15.2.x | ✓ | ✓ | 15.2.8 |
| 15.3.x | ✓ | ✓ | 15.3.8 |
| 15.4.x | ✓ | ✓ | 15.4.10 |
| 15.5.x | ✓ | ✓ | 15.5.9 |
| 15.x canary | ✓ | ✓ | 15.6.0-canary.60 |
| 16.0.x | ✓ | ✓ | 16.0.10 |
| 16.x canary | ✓ | ✓ | 16.1.0-canary.19 |
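To turn the table into a repeatable check, the following Node script (an added example, not code from the advisory or from Next.js) maps an installed version to its release line and reports whether it is at or past the patched release. The `FIXED` table is transcribed from the advisory; the version format `MAJOR.MINOR.PATCH[-canary.N]` and the line-mapping rules are assumptions of this example.

```javascript
// Added example: check a Next.js version against the advisory's fixed releases.
// FIXED is transcribed from the advisory table; parsing assumes the version
// string looks like MAJOR.MINOR.PATCH or MAJOR.MINOR.PATCH-canary.N.
const FIXED = {
  '14': '14.2.35',          // covers >=13.3, 14.0.x, 14.1.x and 14.2.x
  '15.0': '15.0.7',
  '15.1': '15.1.11',
  '15.2': '15.2.8',
  '15.3': '15.3.8',
  '15.4': '15.4.10',
  '15.5': '15.5.9',
  '15-canary': '15.6.0-canary.60',
  '16.0': '16.0.10',
  '16-canary': '16.1.0-canary.19',
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], canary: m[4] === undefined ? null : +m[4] };
}

// Semver-style ordering: a canary pre-release sorts before the same x.y.z stable.
function compare(a, b) {
  for (const k of ['major', 'minor', 'patch']) if (a[k] !== b[k]) return a[k] - b[k];
  if (a.canary === null || b.canary === null) return (a.canary === null) - (b.canary === null);
  return a.canary - b.canary;
}

// Map a version to the advisory's release line, or null when below 13.3.
function releaseLine(p) {
  if (p.major < 13 || (p.major === 13 && p.minor < 3)) return null;
  if (p.canary !== null && p.major >= 15) return `${p.major}-canary`;
  return p.major <= 14 ? '14' : `${p.major}.${p.minor}`;
}

// status: 'patched', 'vulnerable', 'unknown-line' (a line the table does not
// list) or 'out-of-scope' (<13.3); vulnerableTo lists the CVEs that apply.
function patchStatus(version) {
  const p = parseVersion(version);
  const line = releaseLine(p);
  if (line === null) return { status: 'out-of-scope', line, fixedIn: null, vulnerableTo: [] };
  const fixedIn = FIXED[line];
  if (!fixedIn) return { status: 'unknown-line', line, fixedIn: null, vulnerableTo: [] };
  if (compare(p, parseVersion(fixedIn)) >= 0) return { status: 'patched', line, fixedIn, vulnerableTo: [] };
  // DoS affects every listed line; source code exposure only 15.0 and later.
  const cves = p.major >= 15 ? ['CVE-2025-67779', 'CVE-2025-55183'] : ['CVE-2025-67779'];
  return { status: 'vulnerable', line, fixedIn, vulnerableTo: cves };
}
```

In a project, call `patchStatus(require('next/package.json').version)` to test the version actually installed rather than the range declared in `package.json`.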
Required Action
All users are advised to upgrade to the latest patched version within their current release line immediately. There are no known workarounds for these vulnerabilities; an upgrade is mandatory.
- If you are on Next.js >=13.3, 14.0.x, or 14.1.x, please upgrade to the latest 14.2.x release.
- For other versions, use the specific commands below:
npm install next@14.2.35 # for 14.x
npm install next@15.0.7 # for 15.0.x
npm install next@15.1.11 # for 15.1.x
npm install next@15.2.8 # for 15.2.x
npm install next@15.3.8 # for 15.3.x
npm install next@15.4.10 # for 15.4.x
npm install next@15.5.9 # for 15.5.x
npm install next@16.0.10 # for 16.0.x
npm install next@15.6.0-canary.60 # for 15.x canary releases
npm install next@16.1.0-canary.19 # for 16.x canary releases
You can also use npx fix-react2shell-next, an interactive tool designed to check your current versions and perform deterministic version bumps according to the recommended patches. More details can be found in its GitHub repository.
npx fix-react2shell-next
Resources
- CVE-2025-67779 (Complete DoS Fix): CVE Link, Next.js Link
- CVE-2025-55184 (DoS): React Link, Next.js Link
- CVE-2025-55183 (Source Code Exposure): React Link, Next.js Link
- React Blog Post: Denial of Service and Source Code Exposure in React Server Components
- Previous Security Advisory: CVE-2025-66478
Discovery
We extend our gratitude to RyotaK from GMO Flatt Security Inc. and Andrew MacPherson for their diligent discovery and responsible disclosure of these vulnerabilities. To protect developers who have not yet upgraded, technical details in this advisory are intentionally limited.