React / Next.js Denial-of-Service Vulnerability: Deno Deploy users protected

TL;DR: A high severity Denial-of-Service (DoS) vulnerability has been found in React Server Components and Next.js (CVE-2025-55184). Deno has implemented mitigations in Deno Deploy. Immediate upgrades are required for other users.

This is part of a coordinated vulnerability disclosure with the Meta Security Team and the Next.js team at Vercel, regarding a high severity Denial-of-Service (DoS) vulnerability in React Server Components.

Related: On December 3rd 2025, we disclosed a critical severity Remote Code Execution (RCE) vulnerability in React Server Functions and Next.js (CVE-2025-55182). If you have upgraded to the patched versions for that vulnerability, you are not protected against this new DoS vulnerability. You must upgrade again to the versions listed below.

On Wednesday, December 11th 2025, a high severity Denial-of-Service (DoS) vulnerability was disclosed in React Server Components and Next.js.

This vulnerability exists in React Server Components. It allows an attacker to hang a server by sending a specially crafted HTTP request that, when deserialized, causes an infinite loop. This hangs the server process and prevents it from serving future HTTP requests. The following implementations are known to be vulnerable:

  • All Next.js applications using App Router, on Next 13.3 or later, Next 14, Next 15, and Next 16.
  • Applications using React Router RSC
  • Applications built with Waku
  • Applications built with the Parcel RSC plugin
  • Applications built with the Vite RSC plugin
  • Applications built with RedwoodSDK

On December 11th 2025, Deno implemented a runtime-level mitigation for this vulnerability in Deno Deploy. Applications deployed to Deno Deploy are thus no longer vulnerable to this DoS exploit. The mitigation has been applied to the new Deno Deploy, Deno Deploy Classic, and Deno Deploy subhosting environments.

All other users must immediately upgrade their applications to any of the following patched versions that contain fixes for this vulnerability:

  • Next.js 16: update next to 16.0.9 or later.
  • Next.js 15: update next to 15.5.8 or later (and for older minors you can update to 15.4.9, 15.3.7, 15.2.7, 15.1.10, or 15.0.6).
  • Next.js 14 and 13.3+: update next to 14.2.34 or later.
  • React Router, Parcel RSC, Vite RSC, Waku, and RedwoodSDK: update react-server-dom-webpack / react-server-dom-parcel / react-server-dom-turbopack to 19.2.2 or later (and for older minors you can update to 19.1.3 or 19.0.2).
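
To check already-resolved versions (for example, those recorded in a lockfile) against the patched releases listed above, the following JavaScript is an added example, not code from Deno, React or Next.js. The function names, status strings and sample version map are constructed for illustration; treating newer majors as patched and prereleases as "unknown" is an assumption.

```javascript
// Minimum patched patch-level per release line (major -> minor -> patch),
// copied from the patched-version list in this advisory.
const PATCHED = {
  next: { 16: { 0: 9 }, 15: { 0: 6, 1: 10, 2: 7, 3: 7, 4: 9, 5: 8 }, 14: { 2: 34 } },
  rsc: { 19: { 0: 2, 1: 3, 2: 2 } },
};
const RSC_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];

// Returns "patched", "vulnerable", or "unknown" (the advisory does not cover it).
function classify(name, version) {
  const table = name === "next" ? PATCHED.next
    : RSC_PACKAGES.includes(name) ? PATCHED.rsc : null;
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  // Other packages, version ranges and prereleases are not judged here (assumption).
  if (!table || !m) return "unknown";
  const [major, minor, patch] = m.slice(1).map(Number);
  // Assumption: "or later" also covers majors newer than the newest listed line.
  if (major > Math.max(...Object.keys(table).map(Number))) return "patched";
  // Next 13.3+ is affected and has no 13.x fix; the listed fix is 14.2.34 or later.
  if (name === "next" && major === 13) return minor >= 3 ? "vulnerable" : "unknown";
  const line = table[major];
  if (!line) return "unknown";
  if (minor > Math.max(...Object.keys(line).map(Number))) return "patched";
  if (!(minor in line)) return "vulnerable"; // no backport listed for this minor
  return patch >= line[minor] ? "patched" : "vulnerable";
}

// Given a name -> resolved-version map, list the packages that still need an upgrade.
function audit(resolved) {
  return Object.entries(resolved)
    .filter(([name, version]) => classify(name, version) === "vulnerable")
    .map(([name, version]) => `${name}@${version}`);
}

// Constructed sample input, not taken from any real project.
const sample = { next: "15.4.8", "react-server-dom-webpack": "19.1.3", react: "19.2.0" };
console.log(audit(sample));
```
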

If you are using Deno as your package manager, you can upgrade Next.js by running:

deno update next@latest

To upgrade the library that implements React Server Components for React Router, Parcel RSC, Vite RSC, Waku, or RedwoodSDK, run:

deno update react-server-dom-webpack@latest
# or
deno update react-server-dom-parcel@latest
# or
deno update react-server-dom-turbopack@latest

For users of Deno Deploy: although a runtime level mitigation has already been applied to all Deno Deploy applications automatically, we still recommend upgrading to the patched versions of Next.js / React as soon as possible, to ensure that your applications remain secure in other deployment environments.

Due to the nature of this vulnerability, we do not believe that a Web Application Firewall can effectively mitigate this issue without false positives. Because of this, we have mitigated the risk for Deno Deploy users using a runtime-level mitigation instead. Nonetheless, we recommend that all users upgrade to a patched version of the affected libraries for a more comprehensive mitigation. We will share more details about the runtime-level mitigation in a future blog post.

We thank the Meta Security Team and the Next.js team at Vercel for their collaboration in responsibly disclosing this vulnerability and coordinating the release of patches and mitigations. Additionally, we thank RyotaK of GMO Flatt Security Inc, who found and reported this vulnerability, for their responsible disclosure.

If you have any questions or need assistance, please reach out to us at deploy@deno.com.