{
  "threat_severity" : "Important",
  "public_date" : "2025-12-11T23:36:20Z",
  "bugzilla" : {
    "description" : "next: React Server Components: Denial of Service via Unsafe Deserialization",
    "id" : "2421678",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2421678"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-502",
  "details" : [ "It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.", "A flaw was found in React Server Components. This vulnerability allows a denial of service via unsafe deserialization of payloads from HTTP (Hypertext Transfer Protocol) requests to Server Function endpoints. A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service. \nThis CVE has been issued as a complete fix for CVE-2025-55184 which was incomplete with initial fix." ],
  "statement" : "It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and did not fully prevent denial of service attacks in all payload types. A complete fix has been issued under this CVE-2025-67779.\n```\nAdditionally, no Red Hat software includes the directly affected React Server Components packages (react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack). However, the reference implementation of React Server Components is used by other projects such as Next.js. The packages listed here include Next.js as a dependency, but our analysis indicates that they are not affected by the vulnerability as they do not use the App Router functionality that exposes endpoints serving the vulnerable protocol.\n```",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "dotnet7.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Not affected",
    "package_name" : "rhelai3/bootc-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Not affected",
    "package_name" : "rhelai3/disk-image-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Trusted Artifact Signer",
    "fix_state" : "Not affected",
    "package_name" : "rhtas/rekor-search-ui-rhel9",
    "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1"
  }, {
    "product_name" : "streams for Apache Kafka 2",
    "fix_state" : "Not affected",
    "package_name" : "com.github.streamshub-console",
    "cpe" : "cpe:/a:redhat:amq_streams:2"
  }, {
    "product_name" : "streams for Apache Kafka 3",
    "fix_state" : "Not affected",
    "package_name" : "com.github.streamshub-console",
    "cpe" : "cpe:/a:redhat:amq_streams:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-67779\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-67779\nhttps://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components\nhttps://www.facebook.com/security/advisories/cve-2025-67779" ],
  "name" : "CVE-2025-67779",
  "csaw" : false
}