
Next.js Security Alert: CVE-2025-55184 & CVE-2025-55183 - Upgrade Guide

By Technspire Team
December 12, 2025

SECURITY ALERT: On December 11, 2025, Vercel disclosed two security vulnerabilities affecting Next.js and React: CVE-2025-55184 (High severity DoS) and CVE-2025-55183 (Medium severity source code exposure). If you're running Next.js 13-16 with App Router, you should upgrade immediately.

What Are These Vulnerabilities?

CVE-2025-55184: Denial of Service (High Severity)

A malicious HTTP request targeting App Router endpoints can cause server processes to hang and consume excessive CPU resources when the payload is deserialized. This can effectively take down your application.

  • Impact: Server hangs, excessive CPU usage
  • Attack Vector: Remote, no authentication required
  • Severity: High

CVE-2025-55183: Source Code Exposure (Medium Severity)

Crafted HTTP requests to App Router endpoints may return compiled source code of Server Actions. This can reveal your business logic and potentially expose hardcoded secrets if they're stored directly in code.

  • Impact: Business logic exposure, potential secret leakage
  • Attack Vector: Remote, no authentication required
  • Severity: Medium

Good news: Hardcoded secrets are only exposed if stored directly in Server Action code. If you follow best practices and use environment variables for secrets, they won't be leaked through this vulnerability.

Am I Affected?

Affected Versions

Package                      Affected Versions
React                        19.0.0 through 19.2.1
Next.js                      13.x through 16.x (App Router only)
react-server-dom-parcel      19.0.0 through 19.2.1
react-server-dom-webpack     19.0.0 through 19.2.1
react-server-dom-turbopack   19.0.0 through 19.2.1

You Are Affected If:

  • You use Next.js 13, 14, 15, or 16 with the App Router
  • You use React 19 with Server Components
  • You have Server Actions in your application

You Are NOT Affected If:

  • You use Next.js with Pages Router only (no App Router)
  • You use React 18 or earlier
  • Your React code runs entirely on the client (no server)

The Solution: Upgrade Now

Patches have been released for all affected Next.js version lines. Upgrade to the appropriate patched version:

Fixed Next.js Versions

Your Version   Upgrade To   Command
14.x           14.2.35      npm install next@14.2.35
15.0.x         15.0.7       npm install next@15.0.7
15.1.x         15.1.11      npm install next@15.1.11
15.2.x         15.2.8       npm install next@15.2.8
15.3.x         15.3.8       npm install next@15.3.8
16.0.x         16.0.10      npm install next@16.0.10

Quick Upgrade Steps

# 1. Check your current version
npm list next

# 2. Upgrade to patched version (example for 15.0.x)
npm install next@15.0.7

# 3. Verify the upgrade
npm list next

# 4. Run type check
npm run type-check

# 5. Build and test
npm run build

# 6. Deploy to production
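As an added example (not part of the advisory or of Vercel's tooling), the Node.js helper below turns the fixed-versions table and step 1 above into a check: it reads the version out of `npm list next` output and reports whether that install needs an upgrade and to which release. The version ranges are the ones on this page; the function names and the sample `npm list next` output are constructed here, and the check assumes the App Router is in use, which is the advisory's condition.

```javascript
// Added helper (not from the advisory): map an installed Next.js version to the
// patched release in the table above. Version ranges come from this page; the
// function names and the sample `npm list next` output are constructed here.
// The check assumes the App Router is in use, which is the advisory's condition.
const PATCHED_LINES = [
  { prefix: [14], fixed: "14.2.35" },
  { prefix: [15, 0], fixed: "15.0.7" },
  { prefix: [15, 1], fixed: "15.1.11" },
  { prefix: [15, 2], fixed: "15.2.8" },
  { prefix: [15, 3], fixed: "15.3.8" },
  { prefix: [16, 0], fixed: "16.0.10" },
];

// Parse "major.minor.patch"; a pre-release suffix such as "-canary.3" is ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Pull the installed version out of `npm list next` output, e.g. "└── next@15.0.5".
function versionFromNpmList(output) {
  const m = /next@(\d+\.\d+\.\d+(?:-[\w.]+)?)/.exec(output);
  return m ? m[1] : null;
}

// Result: { affected, upgradeTo }
//   affected=false                  outside the 13-16 range, or already at/after the fix
//   affected=true,  upgradeTo set   run `npm install next@<upgradeTo>`
//   affected=true,  upgradeTo=null  a 13-16 line with no row in the table; consult the advisory
function assess(installed) {
  const v = parseSemver(installed);
  if (v[0] < 13 || v[0] > 16) return { affected: false, upgradeTo: null };
  const row = PATCHED_LINES.find((r) => r.prefix.every((p, i) => v[i] === p));
  if (!row) return { affected: true, upgradeTo: null };
  const patched = compareSemver(v, parseSemver(row.fixed)) >= 0;
  return { affected: !patched, upgradeTo: patched ? null : row.fixed };
}

// Constructed sample of `npm list next` output for a 15.0.x install.
const SAMPLE_NPM_LIST = "my-app@1.0.0 /srv/my-app\n└── next@15.0.5\n";
console.log(assess(versionFromNpmList(SAMPLE_NPM_LIST))); // { affected: true, upgradeTo: '15.0.7' }
```

Run the same function against the production deployment's reported version after deploying to cover the "verify production is running the patched version" step.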

What About Vercel WAF?

If you host on Vercel, their Web Application Firewall (WAF) automatically filters known exploit patterns for these vulnerabilities. However, Vercel's guidance is clear:

"The only complete fix is to upgrade to a patched version."

WAF protections are a temporary band-aid. They may not catch all attack variations. Upgrade your dependencies to fully resolve these vulnerabilities.

Additional Security Recommendations

Beyond upgrading, Vercel recommends these additional security measures:

1. Enable Deployment Protection

Protect preview and non-production environments from unauthorized access

2. Rotate Environment Variables

If you had any secrets hardcoded in Server Actions, rotate them immediately

3. Audit Shareable Links

Review and revoke any deployment protection exceptions that are no longer needed

4. Never Hardcode Secrets

Always use environment variables for API keys, database credentials, and other sensitive data

How We Handled This at Technspire

Our website was running Next.js 15.0.5, which was affected by both vulnerabilities. Here's how we responded:

  1. Immediate Assessment: Checked our Next.js version and confirmed we were affected
  2. Read the Security Bulletin: Reviewed Vercel's detailed CVE documentation
  3. Upgraded: Ran npm install next@15.0.7
  4. Verified: Ran type-check and build to ensure no breaking changes
  5. Deployed: Pushed to production within 30 minutes of learning about the CVEs

Total time from vulnerability awareness to production fix: under 30 minutes.

Verification Checklist

  • Check your current Next.js version: npm list next
  • Upgrade to patched version (see table above)
  • Run npm run type-check to verify TypeScript compatibility
  • Run npm run build to verify build succeeds
  • Deploy to production
  • Verify production is running the patched version
  • Audit Server Actions for hardcoded secrets (remove if found)
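The "Never Hardcode Secrets" recommendation and the last checklist item both come down to finding string literals assigned to secret-looking names in `'use server'` modules. The audit helper below is an added example, not the advisory's or Vercel's code; the name patterns, the function names and the two sample modules are constructed for illustration, and the second sample shows the environment-variable form the page recommends.

```javascript
// Added audit helper (not from the advisory): flag string literals assigned to
// secret-looking identifiers inside modules marked 'use server'. The name patterns,
// function names and the two sample modules below are constructed for illustration.
const SECRET_NAME = /(?:key|secret|token|password|passwd|credential)s?$/i;
// const/let/var NAME = "literal of 8+ chars" (single, double or backtick quotes)
const LITERAL_ASSIGN = /\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(['"`])([^'"`\n]{8,})\2/g;

// A module counts as a Server Action module when it carries the 'use server' directive.
function isServerActionModule(src) {
  return /(?:^|\n)\s*['"]use server['"]\s*;?/.test(src);
}

// Returns [{ name, line }] per suspicious literal. Only the identifier and line are
// reported so the audit output itself never reproduces a secret value.
function findHardcodedSecrets(src) {
  const findings = [];
  LITERAL_ASSIGN.lastIndex = 0;
  let m;
  while ((m = LITERAL_ASSIGN.exec(src)) !== null) {
    const name = m[1];
    if (!SECRET_NAME.test(name)) continue;
    const line = src.slice(0, m.index).split("\n").length;
    findings.push({ name, line });
  }
  return findings;
}

// Modules without the directive are out of scope for this checklist item.
function auditModule(src) {
  return isServerActionModule(src) ? findHardcodedSecrets(src) : [];
}

// Constructed samples: the first hardcodes a key, the second reads it from the environment.
const SAMPLE_HARDCODED = `'use server';
const STRIPE_SECRET_KEY = "sk_test_constructed_placeholder_value";
export async function charge(amount) { return { amount, key: STRIPE_SECRET_KEY }; }
`;
const SAMPLE_ENV = `'use server';
const STRIPE_SECRET_KEY = process.env.STRIPE_SECRET_KEY;
export async function charge(amount) { return { amount, key: STRIPE_SECRET_KEY }; }
`;
console.log(auditModule(SAMPLE_HARDCODED)); // [ { name: 'STRIPE_SECRET_KEY', line: 2 } ]
console.log(auditModule(SAMPLE_ENV));       // []
```

A hit means the value has to be treated as exposed under CVE-2025-55183 and rotated, not merely moved into an environment variable.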


Key Takeaways

  • CVE-2025-55184: High severity DoS - can hang your server
  • CVE-2025-55183: Medium severity - can expose Server Action source code
  • Affected: Next.js 13-16 with App Router, React 19 with Server Components
  • Fix: Upgrade to patched Next.js version (14.2.35, 15.0.7, 15.1.11, etc.)
  • Don't rely on WAF alone: Upgrade your code for complete protection

Security vulnerabilities in widely used frameworks like Next.js serve as important reminders: keep your dependencies updated, follow security advisories, and have a rapid response process in place. The faster you can patch, the smaller your window of exposure.
