GHSA-mwv6-3258-q52c

Suggest an improvement
Source
https://github.com/advisories/GHSA-mwv6-3258-q52c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-mwv6-3258-q52c/GHSA-mwv6-3258-q52c.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-mwv6-3258-q52c
Published
2025-12-11T22:49:27Z
Modified
2025-12-11T23:01:08.335420Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Next Vulnerable to Denial of Service with Server Components
Details

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

Database specific 
{
    "cwe_ids": [
        "CWE-1395",
        "CWE-400",
        "CWE-502"
    ],
    "github_reviewed": true,
    "nvd_published_at": null,
    "github_reviewed_at": "2025-12-11T22:49:27Z",
    "severity": "HIGH"
}
References

Affected packages

npm

next

Package

Name
next
View open source insights on deps.dev
Purl
pkg:npm/next

Affected ranges

Type
SEMVER
Events
Introduced
13.3.0
Fixed
14.2.34

next

Package

Name
next
View open source insights on deps.dev
Purl
pkg:npm/next

Affected ranges

Type
SEMVER
Events
Introduced
15.0.0-canary.0
Fixed
15.0.6

next

Package

Name
next
View open source insights on deps.dev
Purl
pkg:npm/next

Affected ranges

Type
SEMVER
Events
Introduced
15.1.1-canary.0
Fixed
15.1.10

next

Package

Name
next
View open source insights on deps.dev
Purl
pkg:npm/next

Affected ranges

Type
SEMVER
Events
Introduced
15.2.0-canary.0
Fixed
15.2.7

next

Package

Name
next
View open source insights on deps.dev
Purl
pkg:npm/next

Affected ranges

Type
SEMVER
Events
Introduced
15.3.0-canary.0
Fixed
15.3.7

next

Package

Name
next
View open source insights on deps.dev
Purl
pkg:npm/next

Affected ranges

Type
SEMVER
Events
Introduced
15.4.0-canary.0
Fixed
15.4.9

next

Package

Name
next
View open source insights on deps.dev
Purl
pkg:npm/next

Affected ranges

Type
SEMVER
Events
Introduced
15.5.1-canary.0
Fixed
15.5.8

next

Package

Name
next
View open source insights on deps.dev
Purl
pkg:npm/next

Affected ranges

Type
SEMVER
Events
Introduced
15.6.0-canary.0
Fixed
15.6.0-canary.59

next

Package

Name
next
View open source insights on deps.dev
Purl
pkg:npm/next

Affected ranges

Type
SEMVER
Events
Introduced
16.0.0-beta.0
Fixed
16.0.9

next

Package

Name
next
View open source insights on deps.dev
Purl
pkg:npm/next

Affected ranges

Type
SEMVER
Events
Introduced
16.1.0-canary.0
Fixed
16.1.0-canary.17