Detect and mitigate CVE-2025-55182, a critical RCE vulnerability in React. Organizations should patch urgently.
Analysis Summary
# Vulnerability: Critical RCE in React Server Components (Flight Protocol)
## CVE Details
- CVE ID: CVE-2025-55182
- CVSS Score: Critical (numeric score withheld; context implies maximum severity)
- CWE: Logical Deserialization Vulnerability (Insecure Deserialization)
## Affected Systems
- Products: React Server Components (RSC) implementation, specifically the "Flight" protocol, React 19 ecosystem, and frameworks that implement RSC.
- Versions: Affected versions are not explicitly listed; exposure depends on the version of the vulnerable `react-server` package implementation that an application or framework bundles. Users should consult the [React advisory](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components) for specific version details.
- Configurations: Default configurations of affected applications are vulnerable.
Frameworks explicitly named as likely affected include:
- Next.js
- Vite RSC plugin
- Parcel RSC plugin
- React Router RSC preview
- RedwoodJS
- Waku
## Vulnerability Description
The vulnerability resides in the `react-server` package and its handling of the React Server Components (RSC) "Flight" protocol. It is a logical deserialization flaw where the server fails to adequately validate specially crafted, malformed RSC payloads. This improper handling allows attacker-controlled data to influence server-side execution logic, leading to the execution of privileged JavaScript code on the server (RCE).
## Exploitation
- Status: High fidelity exploitation demonstrated; unauthenticated RCE is achievable.
- Complexity: Low (Requires only a specially crafted HTTP request).
- Attack Vector: Network (Unauthenticated remote access).
## Impact
- Confidentiality: High (Potential access to server data/configuration via RCE).
- Integrity: High (Ability to execute arbitrary code on the server).
- Availability: High (Potential for service disruption via RCE).
## Remediation
### Patches
- Install patched versions of React and relevant dependencies. Organizations must upgrade immediately, following the official React advisory.
- For other RSC-enabled frameworks (e.g., Redwood, Waku), check their official channels for updates regarding the bundled `react-server` version and apply them immediately.
### Workarounds
- No specific workarounds are detailed other than immediate patching; upgrading is the **only definitive mitigation**.
## Detection
- Indicators of Compromise: Unexplained execution of JavaScript on the backend server originating from incoming HTTP requests processed via the RSC flow.
- Detection methods and tools: Wiz customers can utilize the pre-built query and advisory in the Wiz Threat Center to identify vulnerable instances. General detection involves monitoring unusual execution paths or command execution attempts tied to serialized RSC processing endpoints.
## References
- Vendor Advisories: [React blogpost](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)