GHSA-mwv6-3258-q52c: Next Vulnerable to Denial of Service with Server Components

December 11, 2025

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

References

Code Behaviors & Features

Detect and mitigate GHSA-mwv6-3258-q52c with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions starting from 13.3.0 before 14.2.34, all versions starting from 15.0.0-canary.0 before 15.0.6, all versions starting from 15.1.1-canary.0 before 15.1.10, all versions starting from 15.2.0-canary.0 before 15.2.7, all versions starting from 15.3.0-canary.0 before 15.3.7, all versions starting from 15.4.0-canary.0 before 15.4.9, all versions starting from 15.5.1-canary.0 before 15.5.8, all versions starting from 15.6.0-canary.0 before 15.6.0-canary.59, all versions starting from 16.0.0-beta.0 before 16.0.9, all versions starting from 16.1.0-canary.0 before 16.1.0-canary.17