Critical Vulnerability Report: React Server Components RCE (CVE-2025-55182)
1. Executive Summary
CVE-2025-55182 is a Critical (CVSS 10.0) Pre-auth Remote Code Execution (RCE) vulnerability affecting React Server Components (RSC). The flaw is a Deserialization of Untrusted Data (CWE-502) issue in React's "Flight" protocol.
| Component | Vulnerability Type | CVSS Score | Impact |
|---|---|---|---|
| React Server Components (19.0.0 through 19.2.0) | Deserialization of Untrusted Data (CWE-502) | 10.0 (Critical) | Unauthenticated Remote Code Execution on the server. |
The vulnerability allows an unauthenticated attacker to send a specially crafted HTTP request to any exposed React Server Function endpoint. The server's unsafe deserialization process then executes the malicious payload as code, leading to an immediate and complete compromise of the server's Confidentiality, Integrity, and Availability.
The primary and definitive remediation is to apply the vendor patches immediately, updating React Server Components packages (e.g., react-server-dom-webpack) to v19.2.1 or later, and updating related frameworks like Next.js App Router.
2. Basic Identification & Classification
📝 Key Details
| Category | Detail |
|---|---|
| CVE ID | CVE-2025-55182 |
| Name | React Server Components Remote Code Execution (RSC Deserialization Flaw) |
| CWE Type | CWE-502 – Deserialization of Untrusted Data |
🛑 Affected Products & Versions
The flaw specifically impacts the server-side runtime for React Server Components:
| Product/Package | Vulnerable Versions | Fixed Version |
|---|---|---|
| React RSC Packages | 19.0.0, 19.1.0, 19.1.1, 19.2.0 | 19.2.1+ (for all react-server-dom-* packages) |
| Next.js App Router | All 15.x and 16.x versions using affected React 19 RSC | 15.0.5+, 15.5.7+, or 16.0.7+ |
| Other Frameworks | Any framework bundling affected React RSC (e.g., RedwoodJS, Waku, certain Vite/Parcel plugins). | Update to versions containing the patched React RSC runtime. |
3. Technical Description
The Deserialization Flaw
The vulnerability resides in how React handles data passed to its Server Function endpoints via the "Flight" protocol.
- Server Function Request: An application receives a POST request intended for a Server Function, which contains a serialized data payload from the client.
- Unsafe Deserialization: React's RSC runtime (specifically in the affected versions) attempts to decode and deserialize this payload on the server without adequate security validation.
- Code Execution: The deserialization logic is flawed, so a maliciously structured payload is not rejected but is instead interpreted in a way that causes the server to execute attacker-supplied JavaScript rather than safely processing the data.
🗺 Attack Mapping: Unauthenticated RCE
The attack vector is straightforward and requires no prior access or credentials.
- Attacker Action: Sends a specially crafted HTTP POST request to any exposed React Server Function endpoint (e.g., an endpoint handling a form submission or a server action).
- Vulnerability Triggered: React attempts to deserialize the malformed request body.
- Result: The attacker's code runs with the privileges of the server process, leading to full system compromise.
Crucially: If your application does not use server-side React features (i.e., it is client-only), it is not affected.
4. Risk Assessment (CVSS v3.1)
📈 CVSS Details
| Metric | Value |
|---|---|
| Base Score | 10.0 (Critical) |
| Vector String | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
The score is the maximum possible due to the factors below:
- AV:N (Network): Exploitable remotely over the network.
- AC:L (Low Complexity): The attack is straightforward.
- PR:N (No Privileges): No authentication or credentials are required.
- UI:N (No User Interaction): No user action is needed; the server is directly attacked.
💥 Impact (CIA)
A successful exploit grants the attacker full control over the compromised server:
- Confidentiality (High): Attacker can read sensitive files, source code, and secrets.
- Integrity (High): Attacker can modify application logic, data, and configurations.
- Availability (High): Attacker can terminate services or disrupt the server.
🛡 Exploit Status
- The vulnerability was responsibly disclosed.
- No public Proof-of-Concept (PoC) exploit has been released, and no in-the-wild attacks have been publicly observed as of December 2025.
- However, due to the CVSS 10.0 rating and network accessibility, it must be treated as easily exploitable once technical details are known.
5. Remediation and Mitigation
✅ Primary Solution (Patch Immediately)
The only definitive fix is to update your dependencies to the patched versions:
- Update React RSC Packages: Upgrade the core Server Component packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) to the patched versions 19.0.1, 19.1.2, or 19.2.1.
- Update Next.js: Users of the Next.js App Router must upgrade their framework version as advised by Vercel (e.g., 15.0.5+, 15.5.7+, or 16.0.7+).
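To check whether a deployed application still carries an affected build, the following script (an added example, not code from this report or from the React project) walks an npm package-lock.json and classifies every installed copy of the packages named above against the fixed versions in the tables. The npm lockfile layout, the sample lockfile, and the rule that release lines newer than the last listed one contain the fix are assumptions made here.

```javascript
// Added example, not from the advisory: audit an npm package-lock.json (lockfile
// v2/v3 layout) for packages the advisory lists for CVE-2025-55182. Thresholds
// come from the advisory's tables; the lockfile below is constructed sample data.
const RSC_FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
const FIXED = {   // minimum patched version per release line, per the advisory
  "react-server-dom-webpack": RSC_FIXED,
  "react-server-dom-parcel": RSC_FIXED,
  "react-server-dom-turbopack": RSC_FIXED,
  next: { "15.0": "15.0.5", "15.5": "15.5.7", "16.0": "16.0.7" },
};

// "19.2.1" -> [19, 2, 1]; a bare line such as "19.2" gets patch 0.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3] || 0)] : null;
}
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Classify one installed version; null means the package is out of scope.
function classify(name, version) {
  const table = FIXED[name];
  if (!table) return null;
  const v = parseVersion(version);
  if (!v) return "review";                        // git URL, dist-tag, etc.
  const line = `${v[0]}.${v[1]}`;
  if (line in table) return cmp(v, parseVersion(table[line])) >= 0 ? "patched" : "vulnerable";
  const lines = Object.keys(table).map(parseVersion);   // ascending insertion order
  if (v[0] < lines[0][0]) return "not-affected";        // older major, outside the advisory
  // Assumption (not stated by the advisory): lines newer than the last listed ship the fix.
  if (cmp([v[0], v[1], 0], lines[lines.length - 1]) > 0) return "patched";
  return "vulnerable";      // e.g. Next.js 15.3.x: named affected, no fix on that line
}

// Walk every installed copy, including nested node_modules/ duplicates.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue;                    // the root project entry
    const name = path.slice(path.lastIndexOf("node_modules/") + 13);
    const status = classify(name, entry.version);
    if (status) findings.push({ name, version: entry.version, status });
  }
  return findings;
}

const SAMPLE_LOCK = { lockfileVersion: 3, packages: {   // constructed sample
  "": { name: "sample-app", version: "1.0.0" },
  "node_modules/next": { version: "15.5.3" },
  "node_modules/react-server-dom-webpack": { version: "19.2.0" },
  "node_modules/waku/node_modules/react-server-dom-parcel": { version: "19.1.2" },
} };
console.log(auditLockfile(SAMPLE_LOCK));
```

On a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; any "vulnerable" or "review" finding, including a nested copy pulled in by a framework, means the server-side runtime still needs the upgrade.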
🛠 Temporary Mitigations/Workarounds
If immediate patching is not possible, take these steps to restrict exposure:
- Implement WAF Protection: Enable or configure your Web Application Firewall (WAF) to inspect and block malicious, malformed payloads directed at React Server Function endpoints.
- Restrict Network Access: Use network ACLs or firewalls to limit which IP addresses or networks can access your server's public endpoints.
- Disable/Remove RSC: Temporarily disable or remove the use of Server Component features and Server Functions from the application. An application that does not use RSC is not vulnerable.