Two new RSC protocol vulnerabilities uncovered
2 days ago
- #Next.js
- #React
- #Security
- Two new vulnerabilities identified in the React Server Components (RSC) protocol.
- Denial of Service (CVE-2025-55184): High severity, causes an infinite loop.
- Source Code Exposure (CVE-2025-55183): Medium severity, reveals compiled source code.
- Affected versions include Next.js >=13.3, 14.x, 15.x, and 16.x.
- Fixed versions provided for each affected release line.
- Pages Router applications are not affected but upgrading is recommended.
- No workaround available; upgrading to patched versions is required.
- Credits to RyotaK and Andrew MacPherson for discovering the vulnerabilities.