Action required: React/Next.js CVE-2025-55184 and CVE-2025-55183

Update (2025-12-12 00:41 UTC): The React and Next.js patches initially published on Dec. 11 at 21:10 incompletely addressed the vulnerabilities. A follow-up CVE was issued and follow-up patches have been released by the React and Next.js teams. All versions below have been updated accordingly. If you upgraded during this 3.5-hour window, please upgrade again.

---

Following last week’s critical vulnerability in React and Next.js, two additional vulnerabilities are being publicly disclosed today:

• CVE-2025-55184: Denial of Service (CVSS 7.5/10, high severity)
  • A malicious actor can send a request that makes the Next.js server hang.
  • On Netlify, this type of request gets interrupted by a timeout after 30–40 seconds. As Next.js on Netlify runs on automatically scaled serverless functions, there is no risk of impact to legitimate requests. However, this can have impacts to your monthly bill due to increased bandwidth and function CPU usage.
• CVE-2025-55183: Leaking Server Functions (CVSS 5.3/10, medium severity)
  • A malicious actor can send a request that leaks the compiled body of a given Server Function/Action.

Impact

In both cases, all Next.js sites using App Router are vulnerable. This includes all v14 releases up to and including 14.2.33, all v15 releases up to and including 15.5.7, all v16 releases up to and including 16.0.8, and v13.4+ if opted into the experimental.serverActions flag. (In the case of CVE-2025-55183, only sites actually using any Server Actions are vulnerable.)

We have collaborated with the React and Next.js teams to roll out mitigations to the Netlify network in advance of public disclosure.

However, as we’ve seen in the past week, malicious actors around the world are constantly working to quickly identify novel ways to exploit newly published vulnerabilities. The best protection is to upgrade.

What should I do?

Upgrade as soon as possible. Both vulnerabilities are patched in all these releases:

• Next.js 14.2.35
• Next.js 15.0.7, 15.1.11, 15.2.8, 15.3.8, 15.4.10, or 15.5.9
• Next.js 16.0.10

As Next.js 13 has been unsupported for over a year, the Next.js team has chosen not to patch it. If your site uses Next.js 13.4+ and has opted in to the experimental.serverActions flag, we strongly recommend upgrading to 14.2.34 or later as soon as possible (note: v14 is also technically unsupported).

To be abundantly clear: if you have upgraded to address last week’s CVE, you must upgrade once again.

Other RSC frameworks

These are React vulnerabilities, in the React Server Functions protocol present in all versions of React 19 up to and including 19.2.1.

The following RSC implementations are therefore vulnerable: waku, @parcel/rsc, @vitejs/plugin-rsc, react-server-dom-parcel, react-server-dom-webpack, react-server-dom-turbopack, and the React Router 7 RSC preview.

If you are using any of these, upgrade it to the latest version and upgrade react to 19.0.3, 19.1.4, or 19.2.3 as soon as possible.

Resources

• React disclosures
• Next.js disclosures

---

We are working continually with the React and Next.js teams and are committed to keeping your sites secure on Netlify.

This post was last updated on 2025-12-11 at 21:15 UTC