Deserialization of Untrusted Data Affecting next package, versions >=13.3.0 <14.2.34>=15.0.0-rc.0 <15.0.6>=15.1.0 <15.1.10>=15.2.0-canary.0 <15.2.7>=15.3.0-canary.0 <15.3.7>=15.4.0-canary.0 <15.4.9>=15.5.0 <15.5.8>=16.0.0-beta.0 <16.0.9>=16.1.0-canary.0 <16.1.0-canary.19
Threat Intelligence
This vulnerability is trending on Twitter; this may indicate a growing threat.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Deserialization of Untrusted Data vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JS-NEXT-14400636
- published12 Dec 2025
- disclosed11 Dec 2025
- creditRyotaK
Introduced: 11 Dec 2025
NewCVE-2025-55184 (opens in a new tab)How to fix?
Upgrade next to version 14.2.34, 15.0.6, 15.1.10, 15.2.7, 15.3.7, 15.4.9, 15.5.8, 16.0.9, 16.1.0-canary.19 or higher.
Overview
next is a react framework.
Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to unsafe deserialization of payloads from HTTP requests to Server Function endpoints. An attacker can cause the server process to enter an infinite loop and hang, preventing it from serving future HTTP requests by sending specially crafted payloads.
Notes:
Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.
If your app’s React code does not use a server, your app is not affected by these vulnerabilities. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities.
For React Native users not using a monorepo or react-dom, your react version should be pinned in your package.json, and there are no additional steps needed.
If you are using React Native in a monorepo, you should update only the impacted packages if they are installed: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack. This is required to mitigate the security advisories, but you do not need to update react and react-dom so this will not cause the version mismatch error in React Native. See this issue for more information.
Details
Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.
Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.