Full Report
A maximum-severity flaw in the widely used JavaScript library React, and several React-based frameworks including Next.js, allows unauthenticated, remote attackers to execute malicious code on vulnerable instances. The flaw is easy to abuse, and mass exploitation is "imminent," according to security researchers.…
Analysis Summary
# Vulnerability: Critical RCE in React Server Components (CVE-2025-55182)
## CVE Details
- CVE ID: CVE-2025-55182
- CVSS Score: 10.0 (Critical)
- CWE: [Not explicitly stated, but implied to be related to insecure deserialization or improper input validation leading to RCE]
## Affected Systems
- Products: `react-server-dom-webpack`, `react-server-dom-parcel`, `react-server-dom-turbopack`, Next.js, react-router, waku, `@parcel/rsc`, `@vitejs/plugin-rsc`, `rwsdk`.
- Versions: React Server Components versions 19.0, 19.1.0, 19.1.1, and 19.2.0. Also affects the default configuration of dependent frameworks using these versions.
- Configurations: Primarily affects instances utilizing React Server Components (RSC). It is noted that approximately 39% of cloud environments using Next.js or React may be vulnerable.
## Vulnerability Description
The flaw is an unauthenticated Remote Code Execution (RCE) vulnerability residing in how React Server Components handle and decode payloads sent to Server Function endpoints. An unauthenticated remote attacker can craft a malicious HTTP request targeting any Server Function endpoint. When this specially crafted request is deserialized by the vulnerable React instance on the server, it results in arbitrary code execution.
## Exploitation
- Status: PoC available (Researchers confirmed high-fidelity exploitation with near 100% success rate). Exploitation in the wild is considered imminent.
- Complexity: Low. The attack requires minimal prerequisites.
- Attack Vector: Network (Unauthenticated Remote).
## Impact
- Confidentiality: High (Potential for full system compromise)
- Integrity: High (Potential for full system compromise/code execution)
- Availability: High (Potential for system denial or takeover)
## Remediation
### Patches
Immediate upgrading is strongly recommended by the React team.
- **React Server Components Packages:** Upgrade to patched versions (Specific destination version numbers were missing in the source text but upgrading is the fix).
- **Next.js:** Vercel issued an alert and patch. (Specific Next.js patched version not specified in the text, but users must apply the update provided by Vercel).
### Workarounds
- Cloudflare customers running their React application traffic through the **Web Application Firewall (WAF)** may have protection, contingent on Cloudflare's published WAF rules being active. *Note: Relying solely on WAF protection pending patching is not recommended.*
## Detection
- Indicators of Compromise (IOCs): Not explicitly detailed. Until indicators are published, prioritize monitoring for server-side code execution that follows HTTP requests to Server Function endpoints.
- Detection methods and tools: Security researchers (like Wiz) suggest monitoring cloud environments for vulnerable library versions. Reverse engineering of public patches is likely to yield active exploit signatures soon.
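As an added defensive example (not code from the advisory or from any cited vendor): a Node.js script that scans an npm `package-lock.json` (lockfileVersion 2 or 3) for the `react-server-dom-*` package versions the advisory lists as affected. Treating "19.0" as any 19.0.x release and the embedded sample lockfile are assumptions; the script flags only exact matches against the listed versions and does not know the patched versions, which the source text does not give.

```javascript
// Added example: inventory check for CVE-2025-55182, not code from the React project.
const AFFECTED_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);
// Versions named in the advisory. "19.0" is treated as any 19.0.x release (assumption).
const AFFECTED_VERSIONS = ['19.0', '19.1.0', '19.1.1', '19.2.0'];

// Returns true when `version` matches one of the listed affected versions,
// comparing only the numeric segments given in the list (prerelease tags are ignored).
function isAffectedVersion(version) {
  const parts = version.split('-')[0].split('.').map(Number);
  return AFFECTED_VERSIONS.some((v) => {
    const want = v.split('.').map(Number);
    return want.every((n, i) => parts[i] === n);
  });
}

// Walks the lockfile's "packages" map (lockfileVersion 2/3) and returns every
// installed copy of an affected package, including nested node_modules copies.
function findAffected(lockfileJson) {
  const lock = typeof lockfileJson === 'string' ? JSON.parse(lockfileJson) : lockfileJson;
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop(); // last path segment after node_modules/
    if (AFFECTED_PACKAGES.has(name) && meta.version && isAffectedVersion(meta.version)) {
      hits.push({ path, name, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile fragment (not taken from any real project).
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/next/node_modules/react-server-dom-turbopack': { version: '19.1.1' },
    'node_modules/react-server-dom-parcel': { version: '18.3.1' },
  },
});

for (const h of findAffected(SAMPLE_LOCK)) {
  console.log(`AFFECTED ${h.path} (${h.name}@${h.version})`);
}
```

To audit a real project, pass the contents of its `package-lock.json` to `findAffected` instead of `SAMPLE_LOCK`; a hit means the package must be upgraded per the vendor's patch guidance, not that the host is known to be compromised.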
## References
- React Disclosure Advisory: hxxps://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- Next.js Advisory (CVE-2025-66478 referenced): hxxps://vercel.com/changelog/cve-2025-55182
- Wiz Analysis: hxxps://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
- Cloudflare WAF Coverage: hxxps://blog.cloudflare.com/waf-rules-react-vulnerability/