A DoS vulnerability in Next.js and React Server Components brought down entire servers with a single crafted request and no login. Here is the full picture: the attack technique, its impact, and the step-by-step fix guide every developer needs.
Next.js React Server Components DoS Vulnerability Explained
A website that was working fine in the morning suddenly stops responding in the afternoon. No error message, no warning, just silence. The server is alive and the code is deployed, but no request is being processed. Nobody expected that in December 2025 exactly this could happen to thousands of applications built on Next.js and React Server Components, because of a vulnerability that could trap the entire server in an infinite loop with a single specific type of HTTP request.
To understand this, it is important to first understand what React Server Components actually do. When you create a page in React that gets rendered on the server, a special protocol operates between the client and the server. The React team calls this protocol Flight.
When a client requests something, the Flight protocol forwards the request to the server; the server decodes the data, calls the appropriate functions and returns the response to the client. It is a strong system, but in December it came to light that one part of this decoding process did not validate the structure or size of the incoming request at all.
How This Vulnerability Was Exploited
An attacker did not have to create an account, bypass authentication or use complex tools. All it took was a specifically crafted HTTP request. When this malicious request reached React's Flight protocol, the step that deserializes the request data would get caught in an endless loop.
The server's CPU would run at 100 percent processing this loop, memory would run out, and the server's entire capacity would be devoted to that one request. For all other users, the website would be completely dead: no pages would load, no API responses would be received. The server would be technically alive but practically in a coma.
What made this vulnerability even more dangerous was that it did not matter whether the app implemented any Server Functions or not. If your application supported React Server Components, simply using the App Router was enough to make it a target. The attacker did not even need to know whether a specific function existed on your server; the request could be sent to any App Router endpoint.
December 11: When It All Started
When the CVSS 10.0 remote code execution vulnerability known as React2Shell was publicly disclosed on December 3, 2025, researchers began to examine the patch intensively. On December 4, RyotaK from GMO Flatt Security Inc. reported this DoS vulnerability through Meta's Bug Bounty program. The team investigated, created a fix, and on December 11 CVE-2025-55184 was publicly disclosed and patches were released to npm.
Developers updated and thought it was over. But that same night, December 11, Shinsaku Nomura reported another DoS case that the first patch had missed. The team released CVE-2025-67779 on the same day, meaning a specific attack vector had been overlooked in the first patch. Those who had updated in the first wave on December 11 had to update again. Versions 19.0.3, 19.1.4 and 19.2.3, which had been considered fixed, turned out to be insufficient.
It sounds frustrating, but it is not actually a bad sign. This pattern is very common in software security. Just as in 2021, after Log4Shell, one of the biggest vulnerabilities in Java history, there were many follow-up CVEs as researchers tested the patches from every angle. When a serious vulnerability is discovered, researchers put the entire code area under a microscope and often find other things.
January 2026: The Threat Was Not Over
On January 26, 2026, anyone who thought everything was fine was proven wrong. Researchers including Mufeed VH from Winfunc Research, Joachim Viide, RyotaK again from GMO Flatt Security, and Xiangwei Zhang from Tencent Security YUNDING LAB discovered more DoS attack vectors that had evaded all previous patches.
CVE-2026-23864 was disclosed, and this time it was not just infinite loops: server crashes, out-of-memory exceptions and excessive CPU usage could be triggered in three different ways, and the app's configuration and code also played a role in which path was triggered. Versions 19.0.4, 19.1.5 and 19.2.4 are comprehensively patched.
Who Was Impacted by the Vulnerability
This was not only a Next.js problem; the Flight protocol of React Server Components is used in many places. Apart from Next.js, react-router, waku, Parcel's RSC plugin, Vite's RSC plugin and RedwoodSDK were all affected. There was a difference within Next.js as well: applications using the App Router were targeted, but applications using the Pages Router were completely safe, because the Pages Router does not use the Flight protocol of React Server Components.
React Native users faced a different situation. If you were not using React Native in a monorepo, you were safe because your React version was pinned in package.json. Monorepo users, however, had to update only the affected packages; updating react and react-dom was neither required nor recommended, because doing so would cause a version mismatch error in React Native.
Additional Security Concern: Source Code Exposure
Alongside the DoS, CVE-2025-55183 was also disclosed, rated medium severity. Its effect was different: it did not crash the server; instead, if a specific request was sent, the server would return the source code of the compiled server function in its response.
If any of your secrets were written directly in the code (a database password, an API key), they could potentially be exposed. Secrets held in environment variables were safe, but the risk from hardcoded values was real. This was also a technical reminder that no secret should ever be written directly into production code.
Complete Fix: What You Need to Do
If you use the Next.js App Router, the first thing to do is check your version. Go to the browser console and type next.version, or open your package.json. If you are on Next.js 15.x, run npm install next@latest or specifically install the latest patch for your minor version. Next.js has released patches for all active release lines since 14.2.35, and every minor line in 15.x has its own patched version. If you are using 14 canary versions, especially those after 14.3.0-canary.77, you should roll back to stable 14.x.
The React packages react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack must be on version 19.0.4, 19.1.5 or 19.2.4. The React team has also released a helpful command, npx fix-react2shell-next. This interactive tool checks your current version and suggests the necessary upgrade. After updating, be sure to commit the lockfile together with the changes to package.json.
If you host on Vercel, they have deployed WAF rules that provide temporary protection, but Vercel itself says that relying on the WAF alone is not enough and updating the code is compulsory. Netlify said that because of its serverless architecture, one malicious request does not directly affect other requests, but it can certainly increase your service costs as the function keeps consuming resources in a loop.
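Checking the three react-server-dom packages by hand across a large lockfile is error-prone, especially for nested (transitive) copies. The following Node.js script is an added example, not code from the article or from the Next.js or React projects: it walks a package-lock.json and reports every react-server-dom-* entry that is below the patched release for its minor line. The patched floors 19.0.4, 19.1.5 and 19.2.4 come from the article; treating any other minor line (including canaries) as needing manual review is this script's own assumption, and the sample lockfile at the bottom is constructed for the demonstration.

```javascript
// Added example: audit a package-lock.json for unpatched react-server-dom-* packages.
// Patched floors per React 19 minor line come from the advisory text above
// (19.0.4, 19.1.5, 19.2.4); any other line is reported for manual review (assumption).
const PATCHED_FLOORS = { '19.0': '19.0.4', '19.1': '19.1.5', '19.2': '19.2.4' };
const RSC_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];

// Parse "major.minor.patch[-prerelease]" into numbers; returns null for anything else.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(version).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Negative if a < b, zero if equal, positive if a > b. A prerelease of a version
// (e.g. 19.2.4-canary.3) sorts below the release itself, matching semver rules.
function compareSemver(a, b) {
  for (const field of ['major', 'minor', 'patch']) {
    if (a[field] !== b[field]) return a[field] - b[field];
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// True only when the version is on a known 19.x line and at or above that line's patched release.
function isPatched(version) {
  const v = parseSemver(version);
  if (!v) return false;
  const floor = PATCHED_FLOORS[`${v.major}.${v.minor}`];
  if (!floor) return false; // unknown line: do not assume it is safe
  return compareSemver(v, parseSemver(floor)) >= 0;
}

// Walk the lockfile's "packages" map (lockfileVersion 2/3 layout: keys are
// node_modules paths, values carry "version"). Nested copies under another
// dependency's node_modules are included, since those are the transitive ones.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project entry
    const name = path.split('node_modules/').pop();
    if (RSC_PACKAGES.includes(name) && !isPatched(entry.version)) {
      findings.push({ path, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lockfile for the demonstration (not a real project's lockfile).
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/react-server-dom-turbopack': { version: '19.2.4' },
    'node_modules/react-server-dom-webpack': { version: '19.2.3' },
    'node_modules/some-framework/node_modules/react-server-dom-webpack': { version: '19.1.4' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`needs update: ${f.path} (${f.version})`);
}
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')). The nested entry in the sample is the case that matters most: a framework that bundles its own copy of react-server-dom-webpack can leave you on 19.1.4 even after the top-level package is updated, which is exactly why the article insists on committing the lockfile and watching transitive dependencies. pnpm and yarn lockfiles use different layouts and would need their own reader.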
Conclusion
The most important insight in this entire story is not purely technical. This vulnerability once again proves that the modern web development stack is highly interconnected. You update Next.js, but the React packages are separate. You update React, but have to wait for framework patches. A vulnerability in one place triggers another. Therefore, it is important to monitor not only your direct dependencies but also their dependencies, known as transitive dependencies.
And the simplest yet most ignored lesson of all: use environment variables. The source code exposure shown by CVE-2025-55183 was only dangerous if the developer had written the secret directly into the code. Reading it from process.env.SECRET_KEY would have made that exposure meaningless. Even a small human error, combined with a major vulnerability, makes the attack far more powerful.
React Server Components is a powerful technology and part of the future, but with power comes responsibility. The period from December 2025 to January 2026 is a reminder that no tool in the open source ecosystem is permanently secure, and that the most secure code is the code you actively maintain.
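The hardcoded-secret mistake the article describes is easy to catch before it ships. As an added example (not from the article or from any project it mentions), here is a small heuristic scanner that flags a string literal assigned to a credential-like name in server-side source, while leaving process.env references alone. The name patterns and the minimum literal length are this example's own assumptions and will not catch every secret, so it belongs as a quick pre-commit check beside a proper secret scanner, not instead of one; the sample source it scans is constructed for the demonstration.

```javascript
// Added example: flag string literals assigned to credential-like names in
// server-side source. Heuristic only; the name list and length threshold are assumptions.
const SECRET_NAME = /(secret|password|passwd|api[_-]?key|token|private[_-]?key)/i;

// Matches `const API_KEY = "..."`, `password = '...'`, or an object property `token: '...'`.
// Group 1 is the name, group 2 the quote character, group 3 the literal value.
const LITERAL_ASSIGN = /(?:\b(?:const|let|var)\s+)?([A-Za-z_$][\w$]*)\s*[:=]\s*(['"`])((?:(?!\2)[^\n])+)\2/g;

// Returns [{ line, name }] for every credential-like name bound to a literal of at
// least minLength characters. A reference such as process.env.API_KEY never matches
// because the right-hand side is not a quoted literal.
function findHardcodedSecrets(source, minLength = 8) {
  const findings = [];
  source.split('\n').forEach((line, index) => {
    LITERAL_ASSIGN.lastIndex = 0;
    let match;
    while ((match = LITERAL_ASSIGN.exec(line)) !== null) {
      const [, name, , value] = match;
      // Short literals such as '' or 'dev' are usually placeholders, not credentials.
      if (SECRET_NAME.test(name) && value.length >= minLength) {
        findings.push({ line: index + 1, name });
      }
    }
  });
  return findings;
}

// Constructed sample of a server function module (not real project code).
const SAMPLE_SOURCE = `
'use server';
const DB_PASSWORD = "not-a-real-password-123";   // hardcoded: reported
const apiKey = process.env.API_KEY;              // from the environment: fine
const config = { token: 'abcdef1234567890' };    // hardcoded: reported
const label = "Welcome back";                    // not credential-like
export async function saveOrder(order) { return order; }
`;

for (const f of findHardcodedSecrets(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: '${f.name}' is assigned a string literal; move it to process.env`);
}
```

Run over the sample, the scanner reports DB_PASSWORD on line 3 and token on line 5 and stays silent on the process.env line. Wiring findHardcodedSecrets into a pre-commit hook over your app and actions directories is the cheap way to make sure that, if a source-exposure bug like CVE-2025-55183 ever returns, the exposed code contains nothing worth reading.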