Crafted HTTP requests trigger infinite loops in RSC deserialization, hanging server processes—upgrade Next.js or react-server-dom packages now.
June 11, 2026
Summary
Any Next.js 13.3+ or RSC-based app (Router, Waku, Parcel, Vite, RedwoodSDK) can be taken offline by a single malicious request. The upgrade for the prior RCE vulnerability does not mitigate this; you need separate patched versions.
Implementation verdict
Replaces: nothing; this is a mandatory security patch. Requires: an immediate version bump (Next.js 16.0.9+, 15.5.8+, 14.2.34+, or react-server-dom 19.2.2+). Deno Deploy users get automatic runtime mitigation, but all others must patch. Worth doing now: absolutely. The upgrade is trivial, and the blast radius of staying unpatched is high.
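One way to check resolved dependency versions against the patched releases listed above. This is an added example, not code from the brief or from the Next.js or React projects. The function names and status labels are hypothetical, matching packages by the `react-server-dom-` prefix is an assumption, and the sample input is constructed.

```javascript
// Added example: classify resolved dependency versions against the patched
// releases named in this brief. All thresholds come from the brief only.
const NEXT_FIXED = { 14: [14, 2, 34], 15: [15, 5, 8], 16: [16, 0, 9] };
const RSD_FIXED = [19, 2, 2];
const NEXT_AFFECTED_FROM = [13, 3, 0];

// Parse "15.5.7" or "16.0.9-canary.1" into [major, minor, patch]. A prerelease
// tag is ignored (assumption: treat it like its base version). Range
// specifiers such as "^15.5.8" do not parse; pass resolved lockfile versions.
function parse(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Three-way compare of two [major, minor, patch] triples.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function classify(name, version) {
  const v = parse(version);
  if (!v) return "unparsed";
  if (name.startsWith("react-server-dom-")) {
    return cmp(v, RSD_FIXED) >= 0 ? "patched" : "upgrade";
  }
  if (name !== "next") return "not-applicable";
  if (cmp(v, NEXT_AFFECTED_FROM) < 0) return "outside-affected-range";
  const fixed = NEXT_FIXED[v[0]];
  // The brief names no patched release for this major line (for example 13.x).
  if (!fixed) return "no-fix-listed";
  return cmp(v, fixed) >= 0 ? "patched" : "upgrade";
}

function audit(resolved) {
  return Object.entries(resolved)
    .map(([name, version]) => ({ name, version, status: classify(name, version) }))
    .filter((r) => r.status !== "not-applicable");
}

// Constructed sample: resolved versions as they would appear in a lockfile.
const sample = {
  next: "15.5.7",
  "react-server-dom-webpack": "19.2.2",
  react: "19.2.0",
};
for (const r of audit(sample)) console.log(`${r.name}@${r.version}: ${r.status}`);
```

A `no-fix-listed` result means the version is in the affected range but on a release line for which the brief gives no patched version, so it needs manual follow-up.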
Sources
Dev Signal