React / Next.js Denial-of-Service Vulnerability: Deno Deploy users protected

A high-severity Denial-of-Service (DoS) vulnerability (CVE-2025-55184) was disclosed in React Server Components and Next.js on December 11, 2025, allowing attackers to hang servers via a crafted HTTP request. Deno Deploy users are protected by a runtime-level mitigation automatically applied to all environments, but all other users must immediately upgrade to patched versions of Next.js or the relevant React server components. This vulnerability is separate from a previously disclosed critical RCE vulnerability, meaning users who upgraded for that issue are not protected against this new DoS threat.

TL;DR: A high severity Denial-of-Service (DoS) vulnerability has been found in React Server Components and Next.js (CVE-2025-55184). Deno has implemented mitigations in Deno Deploy. Immediate upgrades are required for other users.

This is part of coordinated vulnerability disclosure with the Meta Security Team, and the Next.js team at Vercel, regarding a high severity Denial-of-Service (DoS) vulnerability in React Server Components.

Related: On December 3rd 2025, we disclosed a critical severity Remote Code Execution (RCE) vulnerability in React Server Functions and Next.js (CVE-2025-55182). If you have upgraded to the patched versions for that vulnerability, you are not protected against this new DoS vulnerability. You must upgrade again to the versions listed below.

On Wednesday, December 11th 2025, a high severity Denial-of-Service (DoS) vulnerability was disclosed in React Server Components and Next.js.

This vulnerability exists in React Server Components. It allows an attacker to hang a server by sending a specifically crafted HTTP request that, when deserialized, causes an infinite loop. This hangs the server process and prevents it from serving future HTTP requests.

The following implementations are known to be vulnerable:

- All Next.js applications using App Router, on Next 13.3 or later, Next 14, Next 15, and Next 16.
- Applications using React Router RSC
- Applications built with Waku
- Applications built with the Parcel RSC plugin
- Applications built with the Vite RSC plugin
- Applications built with RedwoodSDK

On December 11th 2025, Deno implemented a runtime-level mitigation for this vulnerability in Deno Deploy. Applications deployed to Deno Deploy are thus no longer vulnerable to this DoS exploit. The mitigation has been applied to the new Deno Deploy, Deno Deploy Classic, and Deno Deploy subhosting environments.

All other users must immediately upgrade their applications to any of the following patched versions that contain fixes for this vulnerability:

- Next.js 16: update next to 16.0.9 or later.
- Next.js 15: update next to 15.5.8 or later; for older minors you can update to 15.4.9, 15.3.7, 15.2.7, 15.1.10, or 15.0.6.
- Next.js 14 and 13.3+: update next to 14.2.34 or later.
- React Router, Parcel RSC, Vite RSC, Waku, and RedwoodSDK: update react-server-dom-webpack / react-server-dom-parcel / react-server-dom-turbopack to 19.2.2 or later; for older minors you can update to 19.1.3 or 19.0.2.

If you are using Deno as your package manager, you can upgrade Next.js by running:

    deno update next@latest

To upgrade the library that implements React Server Components for React Router, Parcel RSC, Vite RSC, Waku, or RedwoodSDK, run:

    deno update react-server-dom-webpack@latest

or

    deno update react-server-dom-parcel@latest

or

    deno update react-server-dom-turbopack@latest

For users of Deno Deploy: although a runtime-level mitigation has already been applied to all Deno Deploy applications automatically, we still recommend upgrading to the patched versions of Next.js / React as soon as possible, to ensure that your applications remain secure in other deployment environments.

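To triage which resolved dependency versions sit below the patched releases listed above, the thresholds can be encoded as a small check. This is an added example, not code from Deno, React or Next.js: the function names, the status strings and the sample dependency map are constructed for illustration, only exact `x.y.z` versions are classified, and a "vulnerable" result means "below the listed fix" regardless of whether the application actually uses App Router or RSC.

```javascript
// Added example. Minimum patched patch level per minor line, transcribed from
// the advisory's list of fixed versions.
const NEXT_FIXED = {
  16: { 0: 9 },
  15: { 0: 6, 1: 10, 2: 7, 3: 7, 4: 9, 5: 8 },
  14: { 2: 34 },
};
const RSC_FIXED = { 19: { 0: 2, 1: 3, 2: 2 } };
const RSC_PACKAGES = ["webpack", "parcel", "turbopack"].map((b) => `react-server-dom-${b}`);

// Only exact x.y.z versions are handled; ranges and prereleases return null.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  return m ? m.slice(1).map(Number) : null;
}

function classify(table, [major, minor, patch]) {
  const majors = Object.keys(table).map(Number);
  if (major > Math.max(...majors)) return "patched"; // assumed: later than every listed fix
  const fixed = table[major];
  if (!fixed) return "not-listed"; // the advisory says nothing about this major
  if (minor in fixed) return patch >= fixed[minor] ? "patched" : "vulnerable";
  // Minor without its own backport: fixed only if newer than the last fixed minor.
  const lastFixedMinor = Math.max(...Object.keys(fixed).map(Number));
  return minor > lastFixedMinor ? "patched" : "vulnerable";
}

function checkPackage(name, version) {
  const v = parseVersion(version);
  if (!v) return "not-listed";
  if (name === "next") {
    // Next 13.3+ is affected and has no 13.x fix; the upgrade target is 14.2.34 or later.
    if (v[0] === 13) return v[1] >= 3 ? "vulnerable" : "not-listed";
    return classify(NEXT_FIXED, v);
  }
  return RSC_PACKAGES.includes(name) ? classify(RSC_FIXED, v) : "not-listed";
}

// `resolved` maps package name -> exact installed version (e.g. read from a lockfile).
function audit(resolved) {
  return Object.entries(resolved)
    .filter(([name, version]) => checkPackage(name, version) === "vulnerable")
    .map(([name, version]) => `${name}@${version}`);
}

// Constructed sample input, not taken from a real project.
const sample = { next: "15.1.9", "react-server-dom-webpack": "19.1.3", react: "19.2.1" };
console.log(audit(sample));
```
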
Due to the nature of this vulnerability, we do not believe that a Web Application Firewall can effectively mitigate this issue without false positives. Because of this, we have mitigated the risk for Deno Deploy users using a runtime-level mitigation instead. Nonetheless, we recommend that all users upgrade to a patched version of the affected libraries for a more comprehensive mitigation.

We will share more details about the runtime-level mitigation in a future blog post.

We thank the Meta Security Team and the Next.js team at Vercel for their collaboration in responsibly disclosing this vulnerability and coordinating the release of patches and mitigations. Additionally, we thank RyotaK of GMO Flatt Security Inc, who found and reported this vulnerability, for their responsible disclosure.

If you have any questions or need assistance, please reach out to us at deploy@deno.com.