X
Akamai
Login
Login Close
Control Center
Access the Akamai platform
Login Close
Cloud Manager
Manage your cloud resources

CVE-2025-55183 and CVE-2025-55184: Mitigating React/Next.js Vulnerabilities

Share

Executive summary

We have been notified by our partners about a couple of newly disclosed vulnerabilities that are affecting multiple React-based frameworks.

Akamai has deployed Akamai Adaptive Security Engine Rapid Rules to protect our customers from these threats. For Guardicore customers subscribed to Akamai Hunt, Akamai has searched for and identified relevant vulnerable assets in customer environments and provided recommendations to protect those assets.

Vulnerability details

Two new vulnerabilities have been found in React Server Component (RSC) frameworks:

  1. CVE-2025-55183 — Information disclosure: Attackers can coerce arguments in server functions to leak server-only source code if input isn’t properly validated.
  2. CVE-2025-55184 — Function-level denial of service (DoS): Specially crafted payloads can freeze Node.js servers by creating infinite promise recursion, and take affected servers offline.

Mitigation with Akamai App & API Protector

On December 10, 2025, Akamai deployed Adaptive Security Engine Rapid Rules for App & API Protector customers to provide full coverage:

  • 3000977 — Information Leakage In React Vulnerability Detected (CVE-2025-55183)

  • 3000978 — Denial of Service In React Vulnerability Detected (CVE-2025-55184)

Summary

Akamai has deployed new rules within App & API Protector to protect our customers from the newly disclosed vulnerabilities that are affecting multiple React-based frameworks.

Akamai Hunt customers benefit from continuous 24/7 monitoring for new and high-severity vulnerabilities, such as this one, as well as from targeted recommendations for virtual patching through Guardicore's granular microsegmentation capabilities.

Guardicore customers with Insight can identify vulnerable assets by using the appropriate query:

SELECT name, version
FROM npm_packages
WHERE LOWER(name) IN ('react', 'react-dom', 'react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack') 
AND version IN ('19.0.0', '19.1.0', '19.1.1', '19.2.0')

UNION ALL

SELECT name, version
FROM npm_packages
WHERE LOWER(name) = 'next'
AND ((version LIKE '15.%' AND version < '15.1.3') OR version LIKE '16.%' OR version >= '14.3.0-canary.77');

However, the most effective defense will always be the prompt application of the patches provided by the vendor. Given the severity of this issue, any patches should be applied as soon as possible. For more information about patching, please see the React and Next.js blog posts.

Stay tuned

The Akamai Security Intelligence Group will continue to monitor, report on, and create mitigations for threats such as these for both our customers and the security community at large. To keep up with more breaking news from the Akamai Security Intelligence Group, check out our research home page and follow us on social media.

Read more research

Tags

Share

Related Blog Posts

We developed an automated tool, supported by AI, to replicate, analyze, and identify vulnerabilities across the entire server network.
We developed an automated tool, supported by AI, to replicate, analyze, and identify vulnerabilities across the entire server network.
Security Research
One Is a Fluke, 3 Is a Pattern: MCP Back-End Vulnerabilities
May 12, 2026
Akamai researchers uncover vulnerabilities in three MCP servers. Learn about CVE-2025-66335 and how to secure your AI-to-backend connection.
Read blog
CVE-2024-3094 is a vulnerability discovered in the open-source library XZ Utils that stems from malicious code that was pushed into the library by one of its maintainers.
CVE-2024-3094 is a vulnerability discovered in the open-source library XZ Utils that stems from malicious code that was pushed into the library by one of its maintainers.
Security Research
XZ Utils Backdoor — Everything You Need to Know, and What You Can Do
April 01, 2024
CVE-2024-3094 is a backdoor in XZ Utils that can affect multitudes of Linux machines. We share the critical information about it, as well as mitigation steps.
Read blog
Akamai Hunt, the proactive threat hunting service powered by Akamai Guardicore Segmentation, discovered legitimate plaintext credentials for a financial institution on the internet.
Akamai Hunt, the proactive threat hunting service powered by Akamai Guardicore Segmentation, discovered legitimate plaintext credentials for a financial institution on the internet.
Security Research
Honey, I Lost My Credentials! Finding Plaintext Credentials on the Internet
March 28, 2024
Sometimes the best findings are the accidental ones. See how Akamai Hunt found a customer’s plaintext credentials exposed on the internet.
Read blog