Skip to content

Update blog post to include recent CVE #8400

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
eps1lon wants to merge 2 commits into
base: main
Choose a base branch
from
+13 −30
Open

Update blog post to include recent CVE #8400

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
27aac37
Update blog post to include recent CVE
eps1lon Apr 8, 2026
9ad8011
Same procedure as last time
eps1lon Apr 8, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 5 additions & 23 deletions ...t/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,45 +62,27 @@ An unauthenticated attacker could craft a malicious HTTP request to any Server F

These instructions have been updated to include the new vulnerabilities:

- **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) and [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779) (CVSS 7.5)
- **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184), [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779), and [CVE-2026-23869](https://www.cve.org/CVERecord?id=CVE-2026-23869) (CVSS 7.5)
- **Source Code Exposure - Medium Severity**: [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) (CVSS 5.3)
- **Denial of Service - High Severity**: January 26, 2026 [CVE-2026-23864](https://www.cve.org/CVERecord?id=CVE-2026-23864) (CVSS 7.5)

See the [follow-up blog post](/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components) for more info.

-----

_Updated January 26, 2026._
_Updated April 8th, 2026._
</Note>

### Next.js {/*update-next-js*/}

All users should upgrade to the latest patched version in their release line:

```bash
npm install next@14.2.35 // for 13.3.x, 13.4.x, 13.5.x, 14.x
npm install next@15.0.8 // for 15.0.x
npm install next@15.1.12 // for 15.1.x
npm install next@15.2.9 // for 15.2.x
npm install next@15.3.9 // for 15.3.x
npm install next@15.4.11 // for 15.4.x
npm install next@15.5.10 // for 15.5.x
npm install next@16.0.11 // for 16.0.x
npm install next@16.1.5 // for 16.1.x

npm install next@15.6.0-canary.60 // for 15.x canary releases
npm install next@16.1.0-canary.19 // for 16.x canary releases
npm install next@15.5.15 // for 15.x
npm install next@16.2.3 // for 16.x
```

15.0.8, 15.1.12, 15.2.9, 15.3.9, 15.4.10, 15.5.10, 15.6.0-canary.61, 16.0.11, 16.1.5

If you are on version `13.3` or later version of Next.js 13 (`13.3.x`, `13.4.x`, or `13.5.x`) please upgrade to version `14.2.35`.

If you are on `next@14.3.0-canary.77` or a later canary release, downgrade to the latest stable 14.x release:

```bash
npm install next@14
```
If you are on version `13.3` or later version of Next.js 13 (`13.3.x`, `13.4.x`, or `13.5.x`) or on any Next.js 14, please upgrade to version `15.5.15`.

See the [Next.js blog](https://nextjs.org/blog/security-update-2025-12-11) for the latest update instructions and the [previous changelog](https://nextjs.org/blog/CVE-2025-66478) for more info.

Expand Down
15 changes: 8 additions & 7 deletions .../12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ description: Security researchers have found and disclosed two additional vulner

December 11, 2025 by [The React Team](/community/team)

_Updated January 26, 2026._
_Updated April 8th, 2026._

---

Expand All @@ -36,13 +36,13 @@ We recommend upgrading immediately due to the severity of the newly disclosed vu

If you already updated for the previous vulnerabilities, you will need to update again.

If you updated to 19.0.3, 19.1.4, and 19.2.3, [these are incomplete](#additional-fix-published), and you will need to update again.
If you updated to 19.0.4, 19.1.5, and 19.2.4, [these are incomplete](#additional-fix-published), and you will need to update again.

Please see [the instructions in the previous post](/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions) for upgrade steps.

-----

_Updated January 26, 2026._
_Updated April 8th, 2026._

</Note>

Expand All @@ -52,7 +52,7 @@ Further details of these vulnerabilities will be provided after the rollout of t

These vulnerabilities are present in the same packages and versions as [CVE-2025-55182](/blog/2025/12/03/critical-security-vulnerability-in-react-server-components).

This includes 19.0.0, 19.0.1, 19.0.2, 19.0.3, 19.1.0, 19.1.1, 19.1.2, 19.1.3, 19.2.0, 19.2.1, 19.2.2, and 19.2.3 of:
This includes 19.0.0, 19.0.1, 19.0.2, 19.0.3, 19.0.4, 19.1.0, 19.1.1, 19.1.2, 19.1.3, 19.1.5, 19.2.0, 19.2.1, 19.2.2, 19.2.3, and 19.2.4 of:

* [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)
* [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)
Expand Down Expand Up @@ -120,19 +120,19 @@ The patches published January 26th mitigate these DoS vulnerabilities.

The original fix addressing the DoS in [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) was incomplete.

This left previous versions vulnerable. Versions 19.0.4, 19.1.5, 19.2.4 are safe.
This left previous versions vulnerable. Versions 19.0.5, 19.1.6, 19.2.5 are safe.

-----

_Updated January 26, 2026._
_Updated April 8th, 2026._

</Note>

---

## High Severity: Denial of Service {/*high-severity-denial-of-service*/}

**CVEs:** [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) and [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779)
**CVEs:** [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184), [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779), and [CVE-2026-23869](https://www.cve.org/CVERecord?id=CVE-2026-23869)
**Base Score:** 7.5 (High)

Security researchers have discovered that a malicious HTTP request can be crafted and sent to any Server Functions endpoint that, when deserialized by React, can cause an infinite loop that hangs the server process and consumes CPU. Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.
Expand Down Expand Up @@ -195,6 +195,7 @@ Always verify against production bundles.
* **December 11th**: Patches published and publicly disclosed as [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) and [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184).
* **December 11th**: Missing DoS case found internally, patched and publicly disclosed as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779).
* **January 26th**: Additional DoS cases found, patched, and publicly disclosed as [CVE-2026-23864](https://www.cve.org/CVERecord?id=CVE-2026-23864).
* **April 8th**: Additional DoS cases found, patched, and publicly disclosed as [CVE-2026-23869](https://www.cve.org/CVERecord?id=CVE-2026-23869).
---

## Attribution {/*attribution*/}
Expand Down
Loading