Babbily Security Update (December 12, 2025)

Written by Babbily Support
Updated over a week ago

Following community-driven security research into React Server Components, we've deployed fixes for two newly discovered vulnerabilities affecting our Next.js infrastructure.

What We Fixed

High Severity - Denial of Service Prevention (CVE-2025-55184, CVE-2025-67779)

  • Patched a vulnerability where malicious HTTP requests could cause server processes to hang and consume excessive CPU resources

  • Applied comprehensive fixes to prevent denial-of-service attacks across all payload types

Medium Severity - Source Code Protection (CVE-2025-55183)

  • Closed a vulnerability that could expose compiled source code of Server Actions through malicious requests

  • Strengthened protection of business logic and application code

Background

These vulnerabilities were discovered by external security researchers through Vercel and Meta's bug bounty program as part of broader community research following the React2Shell incident. We're grateful for the security community's diligence in keeping the ecosystem safe.

Important: There is no evidence that these vulnerabilities have been exploited in the wild.

What You Need to Do

Nothing! These security patches have been automatically deployed across all Babbily infrastructure.
