GET

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

GET /api/vulnerabilities/49430?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49430?format=api",
    "vulnerability_id": "VCID-38m6-9vq5-a7a7",
    "summary": "Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up\nIt was discovered that the fix for [CVE-2025-55184](https://github.com/advisories/GHSA-2m3v-v2m8-q956) in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types.  As a result, certain crafted inputs could still trigger excessive resource consumption.\n\nThis vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779).\n\nA malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.",
    "aliases": [
        {
            "alias": "GHSA-5j59-xgg2-r9c4"
        }
    ],
    "fixed_packages": [
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72963?format=api",
            "purl": "pkg:npm/next@14.2.35",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@14.2.35"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72964?format=api",
            "purl": "pkg:npm/next@15.0.7",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.7"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72965?format=api",
            "purl": "pkg:npm/next@15.1.11",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.1.11"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72966?format=api",
            "purl": "pkg:npm/next@15.2.8",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.2.8"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72967?format=api",
            "purl": "pkg:npm/next@15.3.8",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.3.8"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72968?format=api",
            "purl": "pkg:npm/next@15.4.10",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.10"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72969?format=api",
            "purl": "pkg:npm/next@15.5.9",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.9"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72970?format=api",
            "purl": "pkg:npm/next@15.6.0-canary.60",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.6.0-canary.60"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72971?format=api",
            "purl": "pkg:npm/next@16.0.10",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@16.0.10"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72972?format=api",
            "purl": "pkg:npm/next@16.1.0-canary.19",
            "is_vulnerable": false,
            "affected_by_vulnerabilities": [],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.0-canary.19"
        }
    ],
    "affected_packages": [
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72962?format=api",
            "purl": "pkg:npm/next@13.3.1-canary.0",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-38m6-9vq5-a7a7"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@13.3.1-canary.0"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72927?format=api",
            "purl": "pkg:npm/next@15.0.6",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-38m6-9vq5-a7a7"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.6"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72928?format=api",
            "purl": "pkg:npm/next@15.1.10",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-38m6-9vq5-a7a7"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.1.10"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72929?format=api",
            "purl": "pkg:npm/next@15.2.7",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-38m6-9vq5-a7a7"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.2.7"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72930?format=api",
            "purl": "pkg:npm/next@15.3.7",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-38m6-9vq5-a7a7"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.3.7"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72931?format=api",
            "purl": "pkg:npm/next@15.4.9",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-38m6-9vq5-a7a7"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.9"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72932?format=api",
            "purl": "pkg:npm/next@15.5.8",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-38m6-9vq5-a7a7"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.8"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72933?format=api",
            "purl": "pkg:npm/next@15.6.0-canary.59",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-38m6-9vq5-a7a7"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@15.6.0-canary.59"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72934?format=api",
            "purl": "pkg:npm/next@16.0.9",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-38m6-9vq5-a7a7"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@16.0.9"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/packages/72935?format=api",
            "purl": "pkg:npm/next@16.1.0-canary.17",
            "is_vulnerable": true,
            "affected_by_vulnerabilities": [
                {
                    "vulnerability": "VCID-38m6-9vq5-a7a7"
                }
            ],
            "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.0-canary.17"
        }
    ],
    "references": [
        {
            "reference_url": "https://github.com/vercel/next.js",
            "reference_id": "",
            "reference_type": "",
            "scores": [],
            "url": "https://github.com/vercel/next.js"
        },
        {
            "reference_url": "https://nextjs.org/blog/security-update-2025-12-11",
            "reference_id": "",
            "reference_type": "",
            "scores": [],
            "url": "https://nextjs.org/blog/security-update-2025-12-11"
        },
        {
            "reference_url": "https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components",
            "reference_id": "",
            "reference_type": "",
            "scores": [],
            "url": "https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components"
        },
        {
            "reference_url": "https://www.cve.org/CVERecord?id=CVE-2025-55184",
            "reference_id": "",
            "reference_type": "",
            "scores": [],
            "url": "https://www.cve.org/CVERecord?id=CVE-2025-55184"
        },
        {
            "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67779",
            "reference_id": "CVE-2025-67779",
            "reference_type": "",
            "scores": [],
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67779"
        },
        {
            "reference_url": "https://www.facebook.com/security/advisories/cve-2025-67779",
            "reference_id": "CVE-2025-67779",
            "reference_type": "",
            "scores": [],
            "url": "https://www.facebook.com/security/advisories/cve-2025-67779"
        },
        {
            "reference_url": "https://github.com/advisories/GHSA-5j59-xgg2-r9c4",
            "reference_id": "GHSA-5j59-xgg2-r9c4",
            "reference_type": "",
            "scores": [],
            "url": "https://github.com/advisories/GHSA-5j59-xgg2-r9c4"
        },
        {
            "reference_url": "https://github.com/vercel/next.js/security/advisories/GHSA-5j59-xgg2-r9c4",
            "reference_id": "GHSA-5j59-xgg2-r9c4",
            "reference_type": "",
            "scores": [],
            "url": "https://github.com/vercel/next.js/security/advisories/GHSA-5j59-xgg2-r9c4"
        }
    ],
    "weaknesses": [
        {
            "cwe_id": 1395,
            "name": "Dependency on Vulnerable Third-Party Component",
            "description": "The product has a dependency on a third-party component that contains one or more known vulnerabilities."
        },
        {
            "cwe_id": 400,
            "name": "Uncontrolled Resource Consumption",
            "description": "The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources."
        },
        {
            "cwe_id": 502,
            "name": "Deserialization of Untrusted Data",
            "description": "The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid."
        },
        {
            "cwe_id": 937,
            "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities",
            "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."
        },
        {
            "cwe_id": 1035,
            "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities",
            "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."
        }
    ],
    "exploits": [],
    "severity_range_score": null,
    "exploitability": null,
    "weighted_severity": null,
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-38m6-9vq5-a7a7"
}