惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
AWS News Blog
AWS News Blog
V
Vulnerabilities – Threatpost
D
Darknet – Hacking Tools, Hacker News & Cyber Security
量子位
博客园 - 叶小钗
AI
AI
T
Tor Project blog
Forbes - Security
Forbes - Security
W
WeLiveSecurity
博客园_首页
爱范儿
爱范儿
J
Java Code Geeks
B
Blog
G
GRAHAM CLULEY
aimingoo的专栏
aimingoo的专栏
Cloudbric
Cloudbric
C
CXSECURITY Database RSS Feed - CXSecurity.com
TaoSecurity Blog
TaoSecurity Blog
L
LINUX DO - 热门话题
阮一峰的网络日志
阮一峰的网络日志
有赞技术团队
有赞技术团队
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Simon Willison's Weblog
Simon Willison's Weblog
云风的 BLOG
云风的 BLOG
Google DeepMind News
Google DeepMind News
H
Help Net Security
博客园 - 三生石上(FineUI控件)
C
Cisco Blogs
C
Cybersecurity and Infrastructure Security Agency CISA
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
P
Palo Alto Networks Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Recent Commits to openclaw:main
Recent Commits to openclaw:main
博客园 - 司徒正美
The Last Watchdog
The Last Watchdog
Blog — PlanetScale
Blog — PlanetScale
T
The Blog of Author Tim Ferriss
S
Secure Thoughts
Spread Privacy
Spread Privacy
F
Fortinet All Blogs
月光博客
月光博客
大猫的无限游戏
大猫的无限游戏
S
SegmentFault 最新的问题
H
Hackread – Cybersecurity News, Data Breaches, AI and More
A
About on SuperTechFans
Security Latest
Security Latest
Webroot Blog
Webroot Blog
Scott Helme
Scott Helme
Hugging Face - Blog
Hugging Face - Blog

Aikido Security's Blog

Axios CVE-2026-40175: a critical bug that’s… not exploitable GlassWorm goes native: New Zig dropper infects every IDE on your machine Aikido Attack finds multiple 0-days in Hoppscotch The cybersecurity doomerism around Mythos doesn't match what we see on the ground axios compromised on npm: maintainer account hijacked, RAT deployed Popular telnyx package compromised on PyPI by TeamPCP Aikido × Lovable: Vibe, Fix, Ship CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran TeamPCP deploys CanisterWorm on NPM following Trivy compromise Security testing is validating software that no longer exists Aikido Recognized by Frost & Sullivan with the 2026 Customer Value Leadership Award in ASPM GlassWorm Hides a RAT Inside a Malicious Chrome Extension fast-draft Open VSX Extension Compromised by BlokTrooper Glassworm Strikes Popular React Native Phone Number Packages Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories How Security Teams Fight Back Against AI-Powered Hackers Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks Trump’s 2026 cybersecurity strategy: From compliance to consequence How does AI pentesting work with compliance? What continuous pentesting actually requires Rare Not Random: Using Token Efficiency for Secrets Scanning Persistent XSS/RCE using WebSockets in Storybook’s dev server Why Determinism Is Still a Necessity in Security WAF vs. RASP vs. ADR Introducing Aikido Infinite: A new model of self-securing software How Aikido secures AI pentesting agents by design Astro Full-Read SSRF via Host Header Injection How to Get Your Board to Care About Security (Before a Breach Forces the Issue) What is Slopsquatting? The AI Package Hallucination Attack Already Happening SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel Top 6 Wiz Code Alternatives Aikido recognized as Platform Leader in Latio Tech's 2026 Application Security Report From detection to prevention: How Zen stops IDOR vulnerabilities at runtime npm backdoor lets hackers hijack gambling outcomes Introducing Upgrade Impact Analysis: When breaking changes actually matter to your code Why Trying to Secure OpenClaw is Ridiculous Claude Opus 4.6 found 500 vulnerabilities. What does this change for software security? Introducing Aikido Expansion Packs: Safer defaults inside the IDE International AI Safety Report 2026: What It Means for Autonomous AI Systems Self-Securing Software: What It Is, Why It Matters, and How It Works npx Confusion: Packages That Forgot to Claim Their Own Name What Is Continuous Pentesting? Introducing Aikido Package Health: a Better Way to Trust Your Dependencies AI Pentesting: Minimum Safety Requirements for Security Testing Secure SDLC for Engineering Teams (+ Checklist) Fake Clawdbot VS Code Extension Installs ScreenConnect RAT G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT Top 10 AI Security Tools For 2026 Agent Skills Are Spreading Hallucinated npx Commands Understanding Open-Source License Risk in Modern Software The CISO Vibe Coding Checklist for Security Top 6 Graphite alternatives for AI code review in 2026 From “No Bullsh*t Security” to $1B: We Just Raised Our $60m Series B Critical n8n Vulnerability Allows Unauthenticated Remote Code Execution (CVE-2026-21858) Top 14 VS Code Extensions for 2026 AI-Driven Pentesting of Coolify: Seven CVEs Identified Top Continuous Pentesting Tools in 2026 SAST vs SCA: Securing the Code You Write and the Code You Depend On JavaScript, MSBuild, and the Blockchain: Anatomy of the NeoShadow npm Supply-Chain Attack How Engineering and Security Teams Can Meet DORA’s Technical Requirements IDOR Vulnerabilities Explained: Why They Persist in Modern Applications Shai Hulud strikes again - The golden path MongoBleed: MongoDB Zlib Vulnerability (CVE-2025-14847) and How to Fix It First Sophisticated Malware Discovered on Maven Central via Typosquatting Attack on Jackson The Fork Awakens: Why GitHub’s Invisible Networks Break Package Security Top 10 Cyber Security Tools For 2026 SAST in the IDE is now free: Moving SAST to where development actually happens AI Pentesting in Action: A TL;DV Recap of Our Live Demo The Top 7 Threat Intelligence Tools in 2026 OWASP Top 10 for Agentic Applications (2026): What Developers and Security Teams Need to Know DAST vs Pentesting v AI Pentesting: Why DAST Cannot Replace Modern Pentesting PromptPwnd: Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents Top 7 Cloud Security Vulnerabilities Critical React & Next.js RCE Vulnerability (CVE-2025-55182): What You Need to Fix Now How to Comply With the UK Cybersecurity & Resilience Bill: A Practical Guide for Modern Engineering Teams Shai Hulud 2.0: What the Unknown Wonderer Tells Us About the Attackers’ Endgame SCA Everywhere: Scan and Fix Open-Source Dependencies in Your IDE Safe Chain now enforces a minimum package age before install Shai Hulud Attacks Persist Through GitHub Actions Vulnerabilities Shai Hulud Launches Second Supply-Chain Attack: Zapier, ENS, AsyncAPI, PostHog, Postman Compromised CORS Security: Beyond Basic Configuration Revolut Selects Aikido Security to Power Developer-First Software Security The Future of Pentesting Is Autonomous How Aikido and Deloitte are bringing developer-first security to enterprise Secrets Detection: A Practical Guide to Finding and Preventing Leaked Credentials Invisible Unicode Malware Strikes OpenVSX, Again AI as a Power Tool: How Windsurf and Devin Are Changing Secure Coding Building Fast, Staying Secure: Supabase’s Approach to Secure-by-Default Development OWASP Top 10 2025: Official List, Changes, and What Developers Need to Know Top 10 JavaScript Security Vulnerabilities in Modern Web Apps The Return of the Invisible Threat: Hidden PUA Unicode Hits GitHub repositorties Top 7 Black Duck Alternatives in 2026 What Is IaC Security Scanning? Terraform, Kubernetes & Cloud Misconfigurations Explained AutoTriage and the Swiss Cheese Model of Security Noise Reduction Top Software Supply Chain Security Vulnerabilities Explained The Top 7 Kubernetes Security Tools Top 10 Web Application Security Vulnerabilities Every Team Should Know What Is CSPM (and CNAPP)? Cloud Security Posture Management Explained
React & Next.js DoS Vulnerability (CVE-2025-55184): What You Need to Fix After React2Shell
2025-12-12 · via Aikido Security's Blog

Published on:

Dec 12, 2025

Key Takeaways

  • CVE-2025-55184 is a denial-of-service (DoS) vulnerability in React Server Components (RSC), not a remote code execution flaw.
  • The issue is closely related to React2Shell (CVE-2025-55182) and originates from the same React Flight protocol deserialization layer.
  • Aikido already detects CVE-2025-55184 and provides an in-app checklist to help teams verify whether they’re actually exposed and fully remediated.
  • A specially crafted request can trigger an infinite loop or hung state, making affected servers unresponsive.
  • An incomplete initial patch led to a follow-up vulnerability, CVE-2025-67779, meaning some teams must upgrade again.
  • Most impacted applications use Next.js App Router or other RSC-enabled frameworks.

TL;DR: Are You Still at Risk?

If you upgraded only to address CVE-2025-55182 (React2Shell), you may still be vulnerable.

CVE-2025-55184 affects adjacent RSC code paths and can allow attackers to take your app offline, even without gaining code execution. You should ensure you’re running the latest patched React and Next.js versions, including fixes for the follow-up CVE-2025-67779.

Remediation Steps

1. Upgrade React and RSC Packages

Ensure you are running the latest patched React releases that fully address both the RCE and DoS issues in the Flight protocol deserialization logic.

2. Upgrade Next.js and RSC Frameworks

  • Next.js users should upgrade to the latest patched release in their major version line.
  • Apps using the App Router or Server Functions are the most exposed.
  • Avoid relying on early post-React2Shell patches alone, as some were incomplete.

3. Re-scan for Follow-Up CVEs

Because CVE-2025-55184’s initial fix was incomplete, you must confirm that:

  • CVE-2025-67779 is also remediated
  • No vulnerable transitive RSC dependencies remain

4. Validate With Aikido

Run a fresh scan to verify:

  • Vulnerable RSC packages are fully removed
  • Affected serialization paths are no longer reachable
  • Your upgrade actually eliminates runtime exposure, not just the dependency flag

Background

On December 3rd the React ecosystem was rocked by a critical remote code execution vulnerability in React Server Components, CVE-2025-55182, widely dubbed React2Shell. In our previous blog, we explored how unsafe deserialization in the RSC “Flight” protocol allowed unauthenticated attackers to send crafted HTTP requests that could lead to full server takeover in default React/Next.js apps. 

Since then, as the industry rushed to patch and protect against 55182, additional weaknesses were uncovered in adjacent code paths, leading to new security advisories and CVEs. One of these is CVE-2025-55184, which while not a remote code execution flaw like React2Shell still represents a serious risk to availability. 

Deep Dive

What Is CVE-2025-55184?

CVE-2025-55184 is a denial-of-service vulnerability caused by unsafe handling of specially crafted input in the React Server Components runtime.

An attacker can send a malformed RSC request that:

  • Triggers an infinite loop, or
  • Forces the server into a hung state

Once triggered, the server may stop responding to legitimate traffic until restarted.

How It Relates to React2Shell

These vulnerabilities are not independent bugs:

  • Both stem from the React Flight protocol, which allows structured data from the client to influence server-side rendering and execution.
  • CVE-2025-55184 was discovered during audits following React2Shell, as researchers explored adjacent deserialization logic.
  • Additional related issues emerged, including:
    • CVE-2025-55183 (source exposure)
    • CVE-2025-67779 (incomplete fix for 55184)

This pattern highlights a systemic risk surface in RSC’s serialization design.

Why Availability Attacks Still Matter

Unlike React2Shell:

  • Attackers don’t gain shell access
  • No arbitrary code execution occurs

But:

  • Servers can be taken offline remotely
  • Attacks are unauthenticated
  • Repeated exploitation can cause outages, degraded performance, or forced restarts

For many teams, downtime is just as damaging as compromise.

Who Is Affected?

You may be impacted if your application:

  • Uses React Server Components
  • Runs Next.js App Router
  • Exposes Server Functions or RSC endpoints
  • Has not fully upgraded after the December React/Next.js advisories

Even if you don’t explicitly use server logic, framework defaults can still expose the vulnerable code paths.

Severity

  • CVE Score: High (Availability impact)
  • Impact: Denial of service
  • Attack Vector: Remote, unauthenticated
  • Exploitability: Low complexity

Timeline

  • Late November: React2Shell (CVE-2025-55182) disclosed
  • Early December: Additional RSC weaknesses discovered
  • December 3–5: CVE-2025-55184 disclosed and patched
  • Following days: Incomplete fix identified → CVE-2025-67779 issued

Scan Your Codebase Now

Aikido tracks CVE-2025-55184, CVE-2025-67779, and the broader family of RSC-related vulnerabilities.

Connect your repositories to:

  • Identify vulnerable React and Next.js versions
  • Determine whether the risky RSC paths are actually reachable
  • Validate that your upgrades fully eliminate exposure

Start scanning for free with Aikido.

Last updated on:

Dec 12, 2025

Secure your software now

Start today, for free.

Start for Free

No CC required

4.7/5

Tired of false positives?

Try Aikido like 100k others.

Start Now

Get a personalized walkthrough

Trusted by 100k+ teams

Book Now

Scan your app for IDORs and real attack paths

Trusted by 100k+ teams

Start Scanning

See how AI pentests your app

Trusted by 100k+ teams

Start Testing

April 17, 2026

Vulnerabilities & Threats

Multiple Cross-Site Scripting (XSS) Vulnerabilities in Mailcow

Aikido's AI pentest agent found three XSS vulnerabilities in Mailcow, one of which let unauthenticated attackers take over administrator accounts. All issues have been patched as of version 2026-03b.

#

Vulnerabilities

#

open-source

April 14, 2026

Vulnerabilities & Threats

Axios CVE-2026-40175: a critical bug that’s… not exploitable

Axios CVE-2026-40175 is rated critical, but in real Node.js environments it’s not practically exploitable. Here’s why.

April 8, 2026

Vulnerabilities & Threats

GlassWorm goes native: New Zig dropper infects every IDE on your machine

GlassWorm deploys a Zig-based native dropper hidden within a fake extension, silently compromising VS Code, Cursor, VSCodium, and other IDEs.

#

Malware

Get secure now

Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast automatically.

No credit card required | Scan results in 32secs.