Here's the situation: Your React framework just disclosed two critical vulnerabilities, and if you're running Next.js with App Router, you need to patch within 24-48 hours. No workarounds exist. This is upgrade-or-risk-downtime territory.
On December 11, 2025, React published an official security advisory disclosing two critical vulnerabilities in React Server Components, and full-stack developers using Next.js and other React-based frontends needed immediate guidance.
CVE-2025-55184 (CVSS 7.5 score, HIGH severity) causes denial of service through unsafe deserialization in React Server Components 19.0.0-19.2.1, while CVE-2025-55183 (CVSS 5.3, MEDIUM severity) exposes server function source code in the same React versions and Next.js 13.x-16.x with App Router.
This security advisory provides full-stack developers with the technical details, exploitation methods, and remediation steps for these vulnerabilities. While Strapi CMS itself is not affected by these vulnerabilities, developers building applications with Strapi as a headless CMS paired with React or Next.js frontends need to understand the risks and patch their frontend applications immediately.
This guide covers what makes these vulnerabilities critical, which systems require patching, verification steps for protected applications, and security practices to prevent similar issues in your development workflow.
In brief:
- CVE-2025-55184 (CVSS 7.5) enables pre-authentication denial of service through recursive Promise deserialization in React Server Components versions 19.0.0-19.0.1, 19.1.0-19.1.2, and 19.2.0-19.2.1.
- CVE-2025-55183 (CVSS 5.3) exposes server function source code through toString coercion in React Server Components versions 19.0.0-19.0.1, 19.1.0-19.1.2, and 19.2.0-19.2.1, with confirmed active exploitation despite lower severity.
- Next.js versions 13.x through 16.x using App Router require immediate patching, while Pages Router applications and Strapi CMS remain unaffected.
- Developers must upgrade to React 19.0.3+, 19.1.4+, or 19.2.3+ and corresponding Next.js versions (14.2.35+, 15.0.7+, or 16.0.10+), as no workarounds exist and initial patches were incomplete.
Prerequisites
- Package manager access (npm, yarn, or pnpm)
- Deployment permissions for production environments
- 2-4 hours for testing in staging
- Rollback plan for unexpected issues
Run npm list react react-dom next to check current versions before patching.
Understanding the Vulnerability Mechanisms
On December 11, 2025, React disclosed two vulnerabilities: CVE-2025-55184 (CVSS 7.5, High severity) and CVE-2025-55183 (CVSS 5.3, Medium severity). Both vulnerabilities exploit weaknesses in the React Flight protocol's handling of HTTP requests to Server Function endpoints.
Most teams learn this the hard way—the attack requires no authentication, so any exposed endpoint becomes a target.
CVE-2025-55184 exploits unsafe deserialization in the React Flight protocol. A malicious payload with a self-referential Promise creates infinite recursion in the Node.js microtask queue. The circular reference structure causes the server to hang while remaining technically alive with open ports, making it completely unresponsive to legitimate requests as the event loop becomes starved.
CVE-2025-55183 exploits JavaScript type coercion to trigger toString on server function objects. When attackers craft specially made HTTP requests to vulnerable Server Function endpoints, the deserialization process returns complete source code including business logic and any hardcoded secrets. While this doesn't enable remote code execution, it exposes backend implementation details and potential attack vectors. This is where treating all dependencies as trusted comes back to haunt you.
Both CVEs affect React 19.0.0-19.2.1 and Next.js 13.x-16.x with App Router. Patch to React 19.0.3/19.1.4/19.2.3+ and Next.js 14.2.35/15.0.7+/16.0.10+.
Which Systems Need Patching
Only a specific subset of the React ecosystem needs immediate attention. Next.js applications using the App Router feature in versions 13.x through 16.x face exposure, as confirmed in the Next.js security update. Other frameworks embedding React Server Components including Vite, Parcel, React Router, RedwoodSDK, and Waku also inherit the vulnerabilities.
If you're still running Pages Router, you've caught a break here—but don't skip the version check entirely.
Strapi CMS: Not Affected
Strapi is not affected by these React vulnerabilities because the CMS doesn't use React Server Components. If you're running Strapi with a Next.js frontend using App Router, patch only the frontend application while your Strapi backend requires no action.
How Attackers Exploit These Vulnerabilities
Understanding exploitation methods helps you assess risk and verify patches work correctly.
The denial of service attack exploits the React Flight protocol's deserialization layer through recursive Promise deserialization. Attackers send a crafted payload creating a self-referential Promise structure where the circular reference causes infinite recursion, flooding the microtask queue and starving the event loop. The attack requires no authentication and works with a single HTTP request (CVSS vector: AV:N/AC:L/PR:N/UI:N).
The information disclosure vulnerability exploits how React Server Components handle function serialization. When attackers craft HTTP requests to vulnerable Server Function endpoints, they can trigger toString method invocation on server function objects. JavaScript's default toString behavior on functions returns the entire source code, exposing backend business logic, internal API endpoints, and any hardcoded secrets or patterns embedded in the function implementation.
Patching Your Applications
Both CVE-2025-55184 and CVE-2025-55183 require immediate patching. No workarounds exist. The React team released initial patches on December 11, 2025, which were incomplete, necessitating follow-up releases with versions 19.0.3, 19.1.4, and 19.2.3 to fully address the vulnerabilities, as documented in the official security advisory.
Verify Your Current Versions
Here's where most teams discover they're running vulnerable versions—the version in package.json isn't always what's actually deployed.
Run npm list react react-dom next to see the versions actually installed, and compare them with what package.json declares. Compare your versions against the affected ranges: React Server Components 19.0.0 through 19.2.2 and Next.js 13.x through 16.x with App Router are vulnerable. If you're running these versions, upgrade immediately to React 19.0.3, 19.1.4, or 19.2.3+, and Next.js 14.2.35, 15.0.7+, or 16.0.10+.
Upgrade React Applications
The upgrade path depends on which React version you're currently running. If you're running React Server Components directly (not through Next.js), you need these specific versions: React 19.0.3, 19.1.4, or 19.2.3 and later.
Match your upgrade to your current minor version, since jumping versions can introduce breaking changes:
# For React 19.0.x users
npm install react@19.0.3 react-dom@19.0.3
# For React 19.1.x users
npm install react@19.1.4 react-dom@19.1.4
# For React 19.2.x users
npm install react@19.2.3 react-dom@19.2.3
Critical: Early patches (19.0.2, 19.1.3, 19.2.2) were incomplete, so ensure you're running the complete patch versions addressing both the initial vulnerability and CVE-2025-67779.
Upgrade Next.js Applications
Next.js patching is slightly more involved because the right patch version depends on the major and minor version you're currently running:
- Next.js 14.x and 13.x: Upgrade to version 14.2.35 or later
- Next.js 15.x: Upgrade to 15.0.7 or later (specific versions: 15.0.7, 15.1.11, 15.2.8, 15.3.8, 15.4.10, 15.5.9)
- Next.js 16.x: Upgrade to version 16.0.10 or later
Run the command that matches your current version family:
# For Next.js 13.x and 14.x
npm install next@14.2.35
# For Next.js 15.0.x
npm install next@15.0.7
# For Next.js 15.1.x
npm install next@15.1.11
# For Next.js 15.2.x
npm install next@15.2.8
# For Next.js 15.3.x
npm install next@15.3.8
# For Next.js 15.4.x
npm install next@15.4.10
# For Next.js 15.5.x
npm install next@15.5.9
# For Next.js 16.x
npm install next@16.0.10
These versions also update React to 19.0.3+, 19.1.4+, or 19.2.3+ as required by the security patches.
Vercel provides an automated command-line tool that checks your versions and applies appropriate patches:
npx fix-react2shell-next
Checking That Patches Applied
If your lockfile doesn't match the upgraded versions, you're still vulnerable—and most teams miss this step.
After upgrading, verify the patches actually applied by running npm list react react-dom next. Check both your package.json and lockfile to ensure lockfile versions match the upgraded specifications and reflect the complete patches.
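Both the pre-patch version check and the post-upgrade lockfile check above come down to the same comparison: is each installed version at or above the complete patch for its release line? The script below is an added example (not code from the React advisory, Vercel, or Strapi) that encodes the fixed versions listed in this guide and classifies the output of npm list react react-dom next --json. The sample npm list output is constructed; release lines the advisory does not list (for example a hypothetical Next.js 15.6.x) and prerelease builds are reported as "unknown" rather than guessed. Whether the app actually uses the App Router cannot be read from version numbers, so a "vulnerable" result on a Pages Router app still means the dependency should be upgraded, even if the app itself is not exposed.

```javascript
// Added example: classify installed React / Next.js versions against the
// complete patch releases named in the advisory text. No dependencies.

// Fully patched floors per release line. Earlier point releases on the same
// line (19.0.2, 19.1.3, 19.2.2) are the incomplete first patches and are
// reported as vulnerable.
const REACT_FIXED = { '19.0': [19, 0, 3], '19.1': [19, 1, 4], '19.2': [19, 2, 3] };
const NEXT_FIXED = {
  '14': [14, 2, 35], // 13.x has no fix of its own; its target is also 14.2.35
  '15.0': [15, 0, 7], '15.1': [15, 1, 11], '15.2': [15, 2, 8],
  '15.3': [15, 3, 8], '15.4': [15, 4, 10], '15.5': [15, 5, 9],
  '16': [16, 0, 10],
};

// Accepts "19.2.1", "^19.2.1", "v19.2.1" or "19.2.3-canary-abc".
function parseVersion(v) {
  const m = /^[~^=v]*(\d+)\.(\d+)\.(\d+)(-.*)?$/.exec(String(v).trim());
  if (!m) return null;
  return { triple: [+m[1], +m[2], +m[3]], prerelease: Boolean(m[4]) };
}

function compareTriple(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns 'patched', 'vulnerable', 'not-affected' (outside the advisory's
// ranges) or 'unknown' (prerelease build, or a line the advisory does not list).
function classify(pkg, version) {
  const parsed = parseVersion(version);
  if (!parsed) return 'unknown';
  const [major, minor] = parsed.triple;
  let floor;
  if (pkg === 'react' || pkg === 'react-dom') {
    if (major !== 19) return 'not-affected'; // advisory covers React 19.x only
    floor = REACT_FIXED[`19.${minor}`];
  } else if (pkg === 'next') {
    if (major < 13 || major > 16) return 'not-affected'; // advisory covers 13.x-16.x
    if (major === 13) return 'vulnerable'; // every 13.x must move to 14.2.35
    floor = major === 15 ? NEXT_FIXED[`15.${minor}`] : NEXT_FIXED[String(major)];
  } else {
    return 'not-affected';
  }
  if (!floor || parsed.prerelease) return 'unknown';
  return compareTriple(parsed.triple, floor) >= 0 ? 'patched' : 'vulnerable';
}

// Parses the JSON printed by `npm list react react-dom next --json` (the
// installed tree, i.e. what the lockfile resolved, not what package.json asks for).
function auditNpmListJson(text) {
  const deps = JSON.parse(text).dependencies || {};
  const packages = {};
  for (const pkg of ['react', 'react-dom', 'next']) {
    const entry = deps[pkg];
    packages[pkg] = entry && entry.version
      ? { version: entry.version, status: classify(pkg, entry.version) }
      : { version: null, status: 'missing' };
  }
  // 'unknown' entries are listed for a human to resolve; only 'vulnerable' fails.
  const needsUpgrade = Object.values(packages).some((p) => p.status === 'vulnerable');
  return { packages, needsUpgrade };
}

// Constructed sample of npm's --json output for an app still on the old versions.
const SAMPLE_NPM_LIST = JSON.stringify({
  name: 'storefront', version: '1.0.0',
  dependencies: {
    react: { version: '19.2.1' },
    'react-dom': { version: '19.2.1' },
    next: { version: '15.5.2' },
  },
});

// Pipe real output in with: npm list react react-dom next --json | node check.js --stdin
function runFromStdin() {
  let buf = '';
  process.stdin.setEncoding('utf8');
  process.stdin.on('data', (chunk) => { buf += chunk; });
  process.stdin.on('end', () => {
    const report = auditNpmListJson(buf);
    console.log(JSON.stringify(report, null, 2));
    process.exitCode = report.needsUpgrade ? 1 : 0; // non-zero fails a CI step
  });
}

if (process.argv.includes('--stdin')) runFromStdin();
else console.log(JSON.stringify(auditNpmListJson(SAMPLE_NPM_LIST), null, 2));
```

Run the script in CI after npm ci so the check sees what the lockfile actually installed; it exits non-zero on any vulnerable package, and npm audit --audit-level=moderate alongside it catches future advisories the table above does not know about.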
Getting Patches into Production
Get these patches into production within 24-48 hours. The pre-authentication nature of CVE-2025-55184 (CVSS 7.5, HIGH severity) means any exposed endpoint can be hit without credentials, and confirmed active exploitation of CVE-2025-55183 makes immediate deployment critical. If you're using Strapi Cloud for your backend with a separate Next.js frontend, focus your patching efforts on the Next.js frontend deployment only if it uses the App Router with React Server Components. Your Strapi instance requires no changes for these specific vulnerabilities.
Related CVEs in the Vulnerability Chain
These vulnerabilities are part of a broader security issue cluster affecting React Server Components.
After releasing initial patches for CVE-2025-55184, security researchers discovered the fix was incomplete. CVE-2025-67779 addresses this gap, with complete fixes requiring React versions 19.0.3, 19.1.4, and 19.2.3 or later, and Next.js versions 14.2.35, 15.0.7+, or 16.0.10+. Developers who patched immediately after disclosure using the initial patch releases may still be vulnerable.
While CVE-2025-55184 and CVE-2025-55183 don't enable remote code execution, they are part of a broader vulnerability chain including CVE-2025-55182. These CVEs share the same attack surface in the React Flight protocol deserialization layer, and patching to the latest versions addresses all related CVEs simultaneously.
Security Best Practices Beyond Patching
The teams that weather these vulnerabilities best are the ones who've already automated their security scanning. Beyond immediate patching, implementing comprehensive security practices prevents similar vulnerabilities from impacting your applications.
Always store secrets in environment variables and access them at runtime. CVE-2025-55183 demonstrates why hardcoding secrets in source code creates catastrophic risk, as any source code exposure immediately compromises credentials. Use secure API management practices to protect your credentials across all environments.
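The reason the toString exposure is so damaging is that JavaScript's Function.prototype.toString returns the function's source text verbatim, so anything literally written inside a server function travels with it. The snippet below is an added example (not code from the advisory or from Strapi) showing a server function with a hardcoded credential next to the environment-backed form, plus a small heuristic scanner for catching the hardcoded pattern before it ships. The key values, the callPaymentApi stub and the PAYMENT_API_KEY variable name are all constructed for the example.

```javascript
// Added example: why a server function's source text must not carry secrets.
// Function.prototype.toString returns the source verbatim, which is exactly
// the text CVE-2025-55183 lets an unauthenticated caller obtain.

// Stand-in for a real payment client; it never touches the network.
function callPaymentApi(apiKey, amountCents) {
  return { ok: true, authorizedWith: apiKey.slice(0, 7) + '...', amountCents };
}

// Vulnerable pattern: the credential is a string literal in the body, so the
// function's own source text contains it. (Constructed placeholder value.)
async function chargeCardHardcoded(amountCents) {
  const apiKey = 'sk_live_EXAMPLE_HARDCODED_0000';
  return callPaymentApi(apiKey, amountCents);
}

// Hardened pattern: the source only names the variable; the value is read from
// the process environment at call time and never appears in the function text.
async function chargeCardFromEnv(amountCents) {
  const apiKey = process.env.PAYMENT_API_KEY;
  if (!apiKey) throw new Error('PAYMENT_API_KEY is not set');
  return callPaymentApi(apiKey, amountCents);
}

// True if stringifying the function would hand `secret` to whoever obtains it.
function sourceLeaksSecret(fn, secret) {
  return Function.prototype.toString.call(fn).includes(secret);
}

// Cheap pre-commit heuristic: a quoted literal of 8+ characters assigned to a
// name that looks like a credential. Not a substitute for a real secret scanner.
const SECRET_ASSIGNMENT = /\b\w*(?:key|secret|token|password)\w*\s*[:=]\s*(['"`])([^'"`]{8,})\1/gi;
function findSecretLiterals(source) {
  return [...source.matchAll(SECRET_ASSIGNMENT)].map((m) => m[0]);
}

// Demo: the env-backed function works with a value set outside the source.
process.env.PAYMENT_API_KEY ??= 'sk_test_CONSTRUCTED_0000'; // demo value only
chargeCardFromEnv(100).then((r) => console.log('env-backed call:', r));
console.log('hardcoded source leaks key:',
  sourceLeaksSecret(chargeCardHardcoded, 'sk_live_EXAMPLE_HARDCODED_0000'));
console.log('scanner hits:', findSecretLiterals(chargeCardHardcoded.toString()));
```

Environment variables are only part of the fix: the env-backed function still exposes the variable name and the surrounding business logic if its source leaks, which is why patching remains mandatory and why internal endpoint names and validation rules in server functions should be treated as sensitive too.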
Integrate security vulnerability scanning into your CI/CD pipeline using npm audit and automated alerts for new CVEs affecting your dependencies. Set up automated scanning that fails builds on moderate or higher severity vulnerabilities.
Create a risk-based patch management policy with defined timelines according to NIST SP 800-40 Rev. 4: Critical/High severity (CVSS 7.0+) within 24-48 hours, Medium severity (CVSS 4.0-6.9) within 7 days, and Low severity (CVSS 0.1-3.9) within 30 days. For CVE-2025-55184 (CVSS 7.5) and CVE-2025-55183 (confirmed active exploitation), upgrade within 24-48 hours.
Review your server logs for suspicious patterns including self-referential Promise structures in requests, attempts to trigger toString on Server Functions, malformed React Flight protocol payloads, and pre-authentication requests to Server Function endpoints. Implement WAF rules to filter malicious patterns, but note that WAF protections supplement rather than replace mandatory patching.
Implement multiple defensive layers at application and infrastructure levels according to OWASP security best practices. Validate inputs at trust boundaries, implement rate limiting on API endpoints, use role-based access control and API token authentication, upgrade to patched versions immediately, store secrets in environment variables, and monitor resource consumption for exploitation indicators. Follow Node.js security best practices for preventing DoS attacks and properly managing the event loop.
Verification and Next Steps
After patching, verify package.json shows React 19.0.3+/19.1.4+/19.2.3+ and Next.js 14.2.35+/15.0.7+/16.0.10+ (not incomplete initial patches). Test Server Function endpoints thoroughly and monitor logs for malformed Flight protocol payloads, recursive Promise structures, and toString invocation attempts before production deployment.
If you are using Next.js with the App Router to serve content from Strapi as a headless CMS, focus your security review on the Next.js frontend component, which requires patches for CVE-2025-55184 and CVE-2025-55183. Document lessons learned in your team documentation and update incident response procedures. Consider subscribing to security advisories for your critical dependencies by following React and Next.js security blogs for Server Components vulnerabilities.
Get Started in Minutes
Run npx create-strapi-app@latest in your terminal and follow our Quick Start Guide to build your first Strapi project.