
CVE-2025-67779

Published: 12 December 2025
Modified: 12 December 2025
KEV Added: not listed
Patch: not listed
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0165 (82.4th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-67779 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Vercel Next.js. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 17.6% of CVEs by EPSS exploit likelihood (82.4th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability is an incomplete remediation of CVE-2025-55184 that leaves React Server Components versions 19.0.2, 19.1.3, and 19.2.2 exposed to unsafe deserialization of untrusted payloads sent to Server Function endpoints. The flaw, tracked under CWE-502 and CWE-400, permits specially crafted HTTP requests to trigger an infinite loop inside the server process, resulting in denial of service with a CVSS 3.1 score of 7.5.

An unauthenticated remote attacker can send a malicious request directly to any exposed Server Function endpoint. Successful exploitation causes the affected Node.js process to hang indefinitely, blocking subsequent legitimate requests and potentially taking the entire application offline; no authentication or user interaction is required.

The referenced advisories at react.dev and the Meta security site recommend upgrading to patched React releases that restore proper input validation on Server Function payloads. Administrators are advised to apply the updates promptly and to review any custom Server Function implementations that accept serialized data from clients.

EPSS remains flat at 0.0165 with no observed increase after disclosure.

Vulnerability details

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

CWE(s): CWE-502 (Deserialization of Untrusted Data), CWE-400 (Uncontrolled Resource Consumption)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- facebook / react: 19.0.2, 19.1.3, 19.2.2
- vercel / next.js: 15.6.0, 16.1.0 · 13.3.0 to 14.2.35 · 15.0.0 to 15.0.7 · 15.1.0 to 15.1.11

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping has not yet run for this CVE; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Resource consumption and denial-of-service testing performed under the assessment plan detects uncontrolled allocation paths that are subsequently fixed. (addresses: CWE-400, CWE-502)
- Limiting concurrent sessions directly prevents uncontrolled resource consumption by capping the number of active sessions per user or account. (addresses: CWE-400)
- Analysis identifies uncontrolled resource consumption indicative of denial-of-service or abuse attempts. (addresses: CWE-400)
- Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions. (addresses: CWE-502)
- Contingency plan testing includes resource exhaustion scenarios to verify recovery, making it harder for attackers to sustain exploits that cause uncontrolled consumption. (addresses: CWE-400)
- Updated contingency plans include current procedures to detect, contain, and recover from resource exhaustion, limiting an attacker's ability to sustain impact from uncontrolled consumption. (addresses: CWE-400)
- An alternate site allows resumption of operations if resource exhaustion at the primary site is exploited to cause unavailability. (addresses: CWE-400)
- Alternate telecommunications services enable resumption of essential functions when primary services become unavailable due to uncontrolled resource consumption. (addresses: CWE-400)
