惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Hacker News
The Hacker News
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Privacy & Cybersecurity Law Blog
C
Cybersecurity and Infrastructure Security Agency CISA
Simon Willison's Weblog
Simon Willison's Weblog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
TaoSecurity Blog
TaoSecurity Blog
C
CERT Recently Published Vulnerability Notes
S
Security @ Cisco Blogs
Google DeepMind News
Google DeepMind News
Security Archives - TechRepublic
Security Archives - TechRepublic
T
Tenable Blog
O
OpenAI News
NISL@THU
NISL@THU
AI
AI
T
Threat Research - Cisco Blogs
Know Your Adversary
Know Your Adversary
V
Vulnerabilities – Threatpost
Schneier on Security
Schneier on Security
W
WeLiveSecurity
P
Privacy International News Feed
Cisco Talos Blog
Cisco Talos Blog
S
Secure Thoughts
D
Docker
博客园 - 三生石上(FineUI控件)
T
Troy Hunt's Blog
T
Threatpost
C
Cyber Attacks, Cyber Crime and Cyber Security
Vercel News
Vercel News
H
Hacker News: Front Page
B
Blog
S
SegmentFault 最新的问题
H
Heimdal Security Blog
T
The Blog of Author Tim Ferriss
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
G
GRAHAM CLULEY
AWS News Blog
AWS News Blog
N
News and Events Feed by Topic
L
LINUX DO - 热门话题
小众软件
小众软件
爱范儿
爱范儿
T
The Exploit Database - CXSecurity.com
Hacker News: Ask HN
Hacker News: Ask HN
Recent Announcements
Recent Announcements
Recent Commits to openclaw:main
Recent Commits to openclaw:main
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
PCI Perspectives
PCI Perspectives
I
Intezer
云风的 BLOG
云风的 BLOG
P
Proofpoint News Feed

Deno

Deno 2.8 | Deno Claw Patrol: an open-source security firewall for agents | Deno Fresh 2.3: Zero JS by default, View Transitions, and Temporal support | Deno Deno 2.7: Temporal API, Windows ARM, and npm overrides | Deno Build a dinosaur runner game with Deno, pt. 6 | Deno Build a dinosaur runner game with Deno, pt. 5 | Deno Deno Deploy is Generally Available | Deno Introducing Deno Sandbox | Deno Build a dinosaur runner game with Deno, pt. 4 | Deno Build a dinosaur runner game with Deno, pt. 3 | Deno Build a dinosaur runner game with Deno, pt. 2 | Deno Deno 2.6: dx is the new npx | Deno Build a dinosaur runner game with Deno, pt. 1 | Deno React Server Functions / Next.js Vulnerability: Deno Deploy users protected | Deno My highlights from the new Deno Deploy | Deno Deno's Other Open Source Projects | Deno How Deno protects against npm exploits | Deno Help Us Raise $200k to Free JavaScript from Oracle | Deno Deno 2.5: Permissions in the config file | Deno Fresh 2.0 Graduates to Beta, Adds Vite Support | Deno Deno 2.4: deno bundle is back | Deno JavaScript™ Trademark Update | Deno What's coming to JavaScript | Deno A brief history of JavaScript | Deno Reports of Deno's Demise Have Been Greatly Exaggerated | Deno An Update on Fresh | Deno How Plaid migrated 100 services to a new database platform 5x faster with Deno | Deno Deno 2.3: Improved deno compile, local npm packages, and more | Deno Add JSR packages with pnpm and Yarn | Deno Zero-config Debugging with Deno and OpenTelemetry | Deno Exploring Art with TypeScript, Jupyter, Polars, and Observable Plot | Deno Deno v Oracle Update 3: Fighting the JavaScript Trademark | Deno Build a custom RAG AI agent in TypeScript and Jupyter | Deno How to get deep traces in your Node.js backend with OTel and Deno | Deno toranoana.deno #20 登録受付中(2025年3月14日) | Deno Node just added TypeScript support. What does that mean for Deno? | Deno The Dino 🦕, the Llama 🦙, and the Whale 🐋 | Deno Publish a lint rule, get a prize | Deno Deno 2.2: OpenTelemetry, Lint Plugins, node:sqlite | Deno If you're not using npm specifiers, you're doing it wrong | Deno How Deno's documentation is evolving | Deno Oracle justified its JavaScript trademark with Node.js—now it wants that ignored | Deno Introducing the JSR open governance board | Deno Intro to Wasm in Deno | Deno Announcing OpenAI on JSR | Deno Deno in 2024 | Deno Goodbye WinterCG, welcome WinterTC | Deno Build a SolidJS app with Deno | Deno Run your Next.js SSR app on Deno Deploy | Deno Solve Advent of Code 2024 with Deno and Win Prizes! | Deno Deno v. Oracle: Canceling the JavaScript Trademark | Deno Deno 2.1: Wasm Imports and other enhancements | Deno Build a Typesafe API with tRPC and Deno | Deno Self-contained Executable Programs with Deno Compile | Deno Build a Database App with Drizzle ORM and Deno | Deno Introducing your new JavaScript package manager: Deno | Deno Announcing Growthbook on JSR | Deno Build an Astro site with Deno | Deno How to convert CommonJS to ESM | Deno Announcing Deno 2 | Deno The Final Touches: What’s New In v2.0.0-rc.10 | Deno Announcing Stable V8 Bindings for Rust | Deno Deno 2.0 Release Candidate | Deno Secure, efficient private npm registries with Cloudsmith and Deno | Deno Painting the Plane as We Fly It: Designing JSR | Deno Introducing Web Cache API support on Deno Deploy | Deno Deno 1.46: The Last 1.x Release | Deno Protect your cloud spend with new Deno Deploy spend limits | Deno What we got wrong about HTTP imports | Deno Benchmarking AWS Lambda Cold Starts Across JavaScript Runtimes | Deno Announcing Supabase on JSR | Deno Deno 1.45: Workspace and Monorepo Support | Deno Introducing KV Backup for Deno Subhosting | Deno A Gentle Intro to TypeScript | Deno Announcing Hono on JSR | Deno How We Made the Deno Language Server Ten Times Faster | Deno How the Guardian uses Deno to audit accessibility and performance across their 2.7 million articles | Deno Introducing More Flexible Domain Association for Deno Subhosting | Deno The stabilization process of the Standard Library has begun | Deno Deno 1.44: Private npm registries, improved Node.js compat, and performance boosts | Deno How we built a secure, performant, multi-tenant cloud platform to run untrusted code | Deno The Deno Standard Library is now available on JSR | Deno How to document your JavaScript package | Deno Your Low Code Solution Needs an Escape Hatch | Deno Deno 1.43: Improved Language Server performance | Deno How Slack used Deno to save months of engineering effort in launching their new platform | Deno JSR Is Not Another Package Manager | Deno Announcing the Hookdeck SDK on JSR | Deno Announcing the Neon Serverless Driver on JSR | Deno An intro to TSConfig for JavaScript Developers | Deno How we built JSR | Deno How Netlify used Deno Subhosting to build a successful edge functions product | Deno Introducing Simpler Project Creation in Deno Deploy | Deno Deno 1.42: Better dependency management with JSR | Deno Introducing deployctl, the command line interface for Deno Deploy | Deno Introducing JSR - the JavaScript Registry | Deno How to add Monaco to a Next.js app and securely run untrusted user code | Deno Survey Results and Roadmap | Deno Deno 1.41: smaller deno compile binaries | Deno Webhooks suck, but here are alternatives | Deno
React / Next.js Denial-of-Service Vulnerability: Deno Deploy users protected | Deno
Luca Casonat · 2025-12-11 · via Deno

TL;DR: A high severity Denial-of-Service (DoS) vulnerability has been found in React Server Components and Next.js (CVE-2025-55184). Deno has implemented mitigations in Deno Deploy. Immediate upgrades are required for other users.

This is part of coordinated vulnerability disclosure with the Meta Security Team, and the Next.js team at Vercel, regarding a high severity Denial-of-Service (DoS) vulnerability in React Server Components.

Related: On December 3rd 2025, we disclosed a critical severity Remote Code Execution (RCE) vulnerability in React Server Functions and Next.js (CVE-2025-55182). If you have upgraded to the patched versions for that vulnerability, you are not protected against this new DoS vulnerability. You must upgrade again to the versions listed below. More info.

On Wednesday, December 11th 2025, a high severity Denial-of-Service (DoS) vulnerability was disclosed in React Server Components and Next.js.

This vulnerability exists in React Server Components. It allows an attacker to hang a server by sending a specifically crafted HTTP request that, when deserialized, causes an infinite loop. This hangs the server process and prevents it from serving future HTTP requests. The following implementations are known to be vulnerable:

  • All Next.js applications using App Router, on Next 13.3 or later, Next 14, Next 15, and Next 16.
  • Applications using React Router RSC
  • Applications built with Waku
  • Applications built with the Parcel RSC plugin
  • Applications built with the Vite RSC plugin
  • Applications built with RedwoodSDK

On December 11th 2025, Deno implemented a runtime level mitigation for this vulnerability in Deno Deploy. Applications deployed to Deno Deploy are thus not vulnerable to this DoS exploit anymore. The mitigation has been applied to both the new Deno Deploy, Deno Deploy Classic, and Deno Deploy subhosting environments.

All other users must immediately upgrade their applications to any of the following patched versions that contain fixes for this vulnerability:

  • Next.js 16: update next to 16.0.9 or later.
  • Next.js 15: update next to 15.5.8 or later (and for older minors you can update to 15.4.9, 15.3.7, 15.2.7, 15.1.10, or 15.0.6).
  • Next.js 14 and 13.3+: update next to 14.2.34 or later.
  • React Router, Parcel RSC, Vite RSC, Waku, and RedwoodSDK: update react-server-dom-webpack / react-server-dom-parcel / react-server-dom-turbopack to 19.2.2 or later (and for older minors you can update to 19.1.3 or 19.0.2).

If you are using Deno as your package manager, you can upgrade Next.js by running:

To upgrade the library that implements React Server Components for React Router, Parcel RSC, Vite RSC, Waku, or RedwoodSDK, run:

deno update react-server-dom-webpack@latest

deno update react-server-dom-parcel@latest

deno update react-server-dom-turbopack@latest

For users of Deno Deploy: although a runtime level mitigation has already been applied to all Deno Deploy applications automatically, we still recommend upgrading to the patched versions of Next.js / React as soon as possible, to ensure that your applications remain secure in other deployment environments.

Due to the nature of this vulnerability, we do not believe that a Web Application Firewall can effectively mitigate this issue without false positives. Because of this, we have mitigated the risk for Deno Deploy users using a runtime-level mitigation instead. Nonetheless, we recommend to all users to upgrade to a patched version of the affected libraries for a more comprehensive mitigation. We will share more details about the runtime-level mitigation in a future blog post.

We thank the Meta Security Team and the Next.js team at Vercel for their collaboration in responsibly disclosing this vulnerability and coordinating the release of patches and mitigations. Additionally we thank RyotaK of GMO Flatt Security Inc who found and reported this vulnerability for their responsible disclosure.

If you have any questions or need assistance, please reach out to us at deploy@deno.com.