Full Report
A maximum-severity security flaw has been disclosed in React Server Components (RSC) that, if successfully exploited, could result in remote code execution. The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0. It allows "unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints," the React Team said in
Analysis Summary
# Vulnerability: Unauthenticated Remote Code Execution in React Server Components (RSC)
## CVE Details
- CVE ID: CVE-2025-55182 (React). Next.js tracks the same underlying issue as CVE-2025-66478.
- CVSS Score: 10.0 (Critical)
- CWE: CWE-502, Deserialization of Untrusted Data (inferred from the vulnerability description; the advisory excerpt quoted above does not name a CWE).
## Affected Systems
- Products: the React Server Components (RSC) server-side packages on npm, which contain the vulnerable decoding code:
  - `react-server-dom-webpack`
  - `react-server-dom-parcel`
  - `react-server-dom-turbopack`
- Versions:
  - The packages above at 19.0.0, 19.1.0, 19.1.1, and 19.2.0. Check the resolved versions of these packages in the lockfile, not only the `react` version; nested copies pulled in by a framework count.
  - Next.js (App Router): `>=14.3.0-canary.77`, and all 15.x and 16.x releases below the fixed versions listed under Remediation.
- Configurations: any application that supports React Server Components is affected, even if it does not define any React Server Function endpoints, because the server decodes incoming payloads regardless. Frameworks and plugins that bundle RSC support (for example the Vite RSC plugin, the Parcel RSC plugin, the React Router RSC preview, RedwoodJS, and Waku) are also likely affected.
## Vulnerability Description
The flaw is in the deserialization step that React runs on the body of requests to React Server Function (RSF) endpoints, the RSC payload that carries a function's serialized arguments. An unauthenticated attacker can send a single crafted HTTP request carrying such a payload; when the server decodes it, attacker-controlled content reaches a code path that executes arbitrary JavaScript inside the server process. Because the decoding is done by the framework's request handling rather than by application code, and because RSC-capable applications process these payloads whether or not they define any Server Functions, the result is unauthenticated Remote Code Execution (RCE) on any reachable server running a vulnerable version.
## Exploitation
- Status: a public PoC is available. The provided context does not state whether exploitation in the wild has been confirmed, but given the 10.0 score and the coordinated vendor disclosure the flaw should be treated as actively exploitable.
- Complexity: Low. A 10.0 base score requires AC:L, PR:N and UI:N, matching the "unauthenticated" description: one crafted request, no credentials, no user interaction.
- Attack Vector: Network (the Server Function endpoint is reached over HTTP(S) from any client that can connect to the application).
## Impact
- Confidentiality: High (Arbitrary code execution allows access to server data)
- Integrity: High (Arbitrary code execution allows modification of system state/data)
- Availability: High (Arbitrary code execution can lead to server shutdown or compromise)
## Remediation
### Patches
Users must urgently upgrade to patched versions:
- **React** (`react-server-dom-webpack`, `react-server-dom-parcel`, `react-server-dom-turbopack`; keep `react` and `react-dom` on the same release line): 19.0.1, 19.1.2, or 19.2.1, according to the minor version in use.
- **Next.js**: 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, or 15.0.5, according to the minor version deployed. For 14.3.0 canary builds this report lists no fixed version; consult the Next.js advisory.
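A lockfile audit that applies the affected and fixed versions above, added here as an example (it is not code from the React or Next.js advisories). It assumes the `package-lock.json` v2/v3 layout, where `packages` is keyed by `node_modules` path, and uses a constructed sample lockfile; the SemVer comparison is written inline so it runs without installing anything.

```javascript
// Added example, not code from the React or Next.js advisories: audit the
// resolved versions in an npm lockfile against the affected and fixed versions
// listed in this report. Assumes the package-lock.json v2/v3 layout, where
// "packages" is keyed by node_modules path; SAMPLE_LOCK below is constructed.

// First fixed version per release line (major.minor -> version).
const RSC_FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
const NEXT_FIXED = {
  "16.0": "16.0.7",
  "15.5": "15.5.7", "15.4": "15.4.8", "15.3": "15.3.6",
  "15.2": "15.2.6", "15.1": "15.1.9", "15.0": "15.0.5",
};
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack",
]);
// First affected Next.js canary named in the report; no fixed canary is listed here.
const NEXT_FIRST_AFFECTED_CANARY = "14.3.0-canary.77";

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split(".") : [] };
}

// SemVer 2.0 precedence, including the rule that a prerelease (e.g. a canary)
// sorts before the release it precedes. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.pre.length === 0 || pb.pre.length === 0) {
    if (pa.pre.length === pb.pre.length) return 0;
    return pa.pre.length ? -1 : 1;
  }
  for (let i = 0; i < Math.max(pa.pre.length, pb.pre.length); i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (+x !== +y) return +x < +y ? -1 : 1; }
    else if (xn !== yn) return xn ? -1 : 1;          // numeric sorts before alphanumeric
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// "affected" / "fixed" / "unlisted" (a release line this report does not enumerate;
// check the vendor advisory). Prereleases on a listed line count as affected.
function classifyAgainst(version, fixedByLine) {
  const p = parseVersion(version);
  const fixed = fixedByLine[`${p.major}.${p.minor}`];
  if (!fixed) return "unlisted";
  return compareVersions(version, fixed) >= 0 ? "fixed" : "affected";
}

function classifyRscPackage(version) {
  return classifyAgainst(version, RSC_FIXED);
}

function classifyNext(version) {
  const p = parseVersion(version);
  if (p.major < 14) return "unlisted";
  if (p.major === 14) {
    return compareVersions(version, NEXT_FIRST_AFFECTED_CANARY) >= 0 ? "affected" : "unlisted";
  }
  return classifyAgainst(version, NEXT_FIXED);
}

// Walks every resolved package, including nested copies under another package's
// node_modules, and reports only the packages this advisory concerns.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!entry || !entry.version) continue;
    const name = path.split("node_modules/").pop();   // "" for the root project
    let status;
    if (RSC_PACKAGES.has(name)) status = classifyRscPackage(entry.version);
    else if (name === "next") status = classifyNext(entry.version);
    else continue;
    findings.push({ name, path, version: entry.version, status });
  }
  return findings;
}

const SAMPLE_LOCK = {   // constructed sample, not a real project
  name: "example-app", lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/next": { version: "15.5.6" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/internal-ui-kit/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(8)} ${f.name}@${f.version}  (${f.path})`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; pnpm and yarn lockfiles use different layouts and need their own walker. A lockfile that classifies as fixed only proves what was declared: confirm the rebuilt artifact is what is actually deployed.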
### Workarounds
No workaround is described in the provided context. Because any RSC-capable application decodes these payloads whether or not it defines Server Functions, restricting which routes are exposed does little on its own; limiting network exposure of the application (ingress or WAF rules for the Server Function request shape, trusted-source restrictions) can reduce risk while an upgrade is rolled out, but given the severity and the breadth of affected deployments, patching should be done immediately rather than relying on such measures.
## Detection
- Indicators of Compromise: HTTP POST requests to RSC or Server Function endpoints carrying anomalous or malformed serialized payloads, particularly from sources that have no prior interaction with the application.
- Detection methods and tools: monitor POST requests that carry Server Function invocation markers (for Next.js, the `Next-Action` request header) and alert on invocations of action IDs the build does not define, on bursts of such requests from a single source, and on the usual post-exploitation signals from the Node.js server process (unexpected child processes, new outbound connections). Wiz reported vulnerable instances in 39% of the cloud environments it monitors.
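One concrete form of the log review described above, added as an example (not from the advisories or any vendor product). It assumes JSON-lines access logs with `ts`, `src`, `method`, `path`, `status` and `headers` fields (the lines below are constructed), and a `KNOWN_ACTION_IDS` set holding the server action IDs your own build emits; for Next.js, the server reference manifest under `.next/server/` is one place to obtain those, which is an assumption to verify against your build output.

```javascript
// Added example, not from the advisories or any vendor product: triage JSON
// access-log lines for React Server Function invocations and flag the ones worth
// a closer look. Assumptions (constructed here): logs are one JSON object per
// line with ts/src/method/path/status/headers fields, and KNOWN_ACTION_IDS holds
// the server action IDs your build emits (for Next.js, the server reference
// manifest under .next/server/ is one source; verify against your build).

const KNOWN_ACTION_IDS = new Set([   // constructed placeholders
  "40a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3",
  "7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90a1",
]);

const SAMPLE_LOG_LINES = [   // constructed sample traffic
  // legitimate form submission to a known action
  '{"ts":"2025-12-04T10:00:01Z","src":"198.51.100.10","method":"POST","path":"/checkout","status":200,"headers":{"next-action":"40a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3","content-type":"multipart/form-data; boundary=----abc"}}',
  // ordinary page load, no action header
  '{"ts":"2025-12-04T10:00:02Z","src":"198.51.100.10","method":"GET","path":"/","status":200,"headers":{"accept":"text/html"}}',
  // three POSTs from one source with action IDs the build never produced
  '{"ts":"2025-12-04T10:01:00Z","src":"203.0.113.5","method":"POST","path":"/","status":500,"headers":{"Next-Action":"0000000000000000000000000000000000000000","content-type":"text/plain;charset=UTF-8"}}',
  '{"ts":"2025-12-04T10:01:01Z","src":"203.0.113.5","method":"POST","path":"/login","status":500,"headers":{"next-action":"ffffffffffffffffffffffffffffffffffffffff","content-type":"text/plain;charset=UTF-8"}}',
  '{"ts":"2025-12-04T10:01:02Z","src":"203.0.113.5","method":"POST","path":"/api/health","status":404,"headers":{"next-action":"1234567890abcdef1234567890abcdef12345678","content-type":"multipart/form-data; boundary=x"}}',
  // a single unknown ID from elsewhere: worth a look, not enough to call probing
  '{"ts":"2025-12-04T10:02:00Z","src":"198.51.100.20","method":"POST","path":"/","status":200,"headers":{"next-action":"abcdefabcdefabcdefabcdefabcdefabcdefabcd","content-type":"text/plain;charset=UTF-8"}}',
  // malformed line: skipped rather than aborting the whole run
  'this is not json',
];

function parseLine(line) {
  try { return JSON.parse(line); } catch { return null; }
}

// Case-insensitive header lookup; proxies and log shippers disagree on casing.
function header(rec, name) {
  if (!rec.headers || typeof rec.headers !== "object") return undefined;
  const key = Object.keys(rec.headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : rec.headers[key];
}

// A Next.js Server Function invocation is a POST carrying a Next-Action header
// whose value is the action ID. Returns the ID, or null if this is not one.
function serverFunctionActionId(rec) {
  if (rec.method !== "POST") return null;
  const id = header(rec, "next-action");
  return typeof id === "string" ? id : null;
}

// Flags invocations of action IDs the build does not define, and sources that
// send several of them (a scanner trying endpoints rather than a user).
function triage(lines, knownIds, { probeThreshold = 3 } = {}) {
  const findings = [];
  const unknownBySrc = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const id = serverFunctionActionId(rec);
    if (id === null || knownIds.has(id)) continue;
    findings.push({ kind: "unknown-action-id", ts: rec.ts, src: rec.src, path: rec.path, status: rec.status, id });
    unknownBySrc.set(rec.src, (unknownBySrc.get(rec.src) || 0) + 1);
  }
  for (const [src, count] of unknownBySrc) {
    if (count >= probeThreshold) findings.push({ kind: "probing-source", src, count });
  }
  return findings;
}

for (const f of triage(SAMPLE_LOG_LINES, KNOWN_ACTION_IDS)) console.log(JSON.stringify(f));
```

Two limits are worth keeping in mind. An attacker can lift a real action ID from the application's own client bundle, so a known ID does not make a request benign, and access logs rarely retain request bodies, so the payload itself is not examined here. Treat hits as a lead into request-body capture and host telemetry, not as a complete detection; the control that actually closes the issue is the version upgrade.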
## References
- Vendor Advisory (React): hxxps://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- Next.js Advisory: hxxps://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp