/> Update cookies preferences
Skip to main content
New! Read the Abstract Security Technical Product Brief by Cybersecurity Insiders

Critical React Server Components RCE (CVE-2025-55182): What You Need to Patch Now

Critical React Server Components Vulnerability: CVE-2025-55182 Enables Unauthenticated RCE

Abstract Security Threat Research Organization (ASTRO)
Security
December 3, 2025

Background

On December 3, 2025, the React team disclosed CVE-2025-55182, a critical remote code execution vulnerability in React Server Components (RSC) rated CVSS 10.0. The vulnerability affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0, as well as frameworks that implement RSC, most notably Next.js versions 14.3.0-canary through 16.x.

The vulnerability was discovered and reported by security researcher Lachlan Davidson on November 29, 2025, through Meta's Bug Bounty program. By November 30, Meta security researchers confirmed the issue, and the React team immediately began coordinating with affected hosting providers and open-source projects to roll out fixes before public disclosure.

The attack vector is unauthenticated and remote, requiring only a specially crafted HTTP request to achieve full remote code execution. Critically, the vulnerability exists in the default configuration of affected applications, meaning standard deployments are immediately exploitable without any misconfigurations.

Technical Details

The vulnerability resides in the react-server package and its handling of the RSC "Flight" protocol specifically in how React decodes payloads sent to React Server Function endpoints. The flaw is characterized as a logical insecure deserialization vulnerability where the server processes RSC payloads without proper validation.

React Server Functions allow clients to call functions on a server by translating client requests into HTTP requests that are forwarded to server-side endpoints. On the server, React deserializes these HTTP requests into function calls and returns data to the client. An attacker can craft a malicious, malformed payload that, when deserialized by React, fails structural validation checks. This allows attacker-controlled data to influence server-side execution logic, resulting in the execution of arbitrary JavaScript code with server privileges.

The vulnerability affects not just applications with explicit React Server Function endpoints, but any application that supports React Server Components. This broad attack surface is particularly concerning given that many developers may not realize their applications are vulnerable simply by using RSC features.

The fix, merged in pull request #35277, synchronizes the FlightReplyServer (client-to-server) implementation with improvements previously made to ReactFlightClient (server-to-client). These changes address deep resolution of cycles and deferred error handling issues that enabled the insecure deserialization path.

Affected Products and Exploitation

Vulnerable Versions:

  • React: 19.0, 19.1.0, 19.1.1, 19.2.0
  • Next.js: 14.3.0-canary, 15.0 through 15.5.6, 16.0 through 16.0.6
  • Any framework bundling react-server: Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodJS, Waku

Patched Versions:

  • React: 19.0.1, 19.1.2, 19.2.1
  • Next.js: 14.3.0-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7

Indicators of Compromise

Organizations should immediately review logs for exploitation attempts targeting React Server Function endpoints. Exploitation leverages prototype pollution in JSON payloads sent to common endpoints including /_next/server/endpoint (Next.js) and /react-server-function (generic RSC implementations).

Attack Signatures:

  • POST requests with JSON payloads containing __proto__, constructor, or prototype keys
  • Requests to server function endpoints with unusual, nested object structures
  • 200 OK responses to malformed payloads that should have returned errors

Log Search Queries:

  • Web server logs: POST AND (/_next/server/ OR /react-server-function) AND __proto__
  • Application logs: Errors containing "prototype" or "constructor" during deserialization
  • Process logs: Unexpected child processes spawned by Node.js/web server

Post-Exploitation Indicators:

  • Unexpected outbound connections from web application servers
  • New files in web directories without corresponding deployments
  • Unusual process executions from Node.js processes
  • Lateral movement attempts from web server infrastructure

Organizations identifying these indicators should immediately initiate incident response procedures, including system isolation and comprehensive forensic analysis.

Recommendations

Organizations using React Server Components must take immediate action:

Immediate Actions:

  • Upgrade React to versions 19.0.1, 19.1.2, or 19.2.1 immediately. This is the only definitive mitigation.
  • Upgrade Next.js to patched versions (14.3.0-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7) based on your current version.
  • For other RSC-enabled frameworks (RedwoodJS, Waku, React Router, etc.), check official channels for updates and patch immediately.

Risk Assessment:

  • Audit all applications to identify those using React Server Components or Server Functions.
  • Review application deployment architecture to determine if WAF protections are in place.
  • If using Cloudflare, verify that Managed Rules are enabled (rule IDs 33aa8a8a948b48b28d40450c5fb92fba for Managed Ruleset, 2b5d06e34a814a889bee9a0699702280 for Free Ruleset).

Detection and Monitoring:

  • Deploy real-time monitoring for POST requests to React Server Function endpoints (/_next/server/endpoint, /react-server-function, and any custom server action routes).
  • Implement content inspection for JSON payloads containing __proto__, constructor, or prototype keys in requests to server function endpoints.
  • Enable comprehensive logging for all web application traffic, including request payloads where feasible, with specific attention to Content-Type: application/json requests.
  • Implement alerting for server-side errors, unusual code execution patterns, and unexpected outbound connections from web processes.
  • Review historical web server logs for POST requests to server function endpoints that may indicate reconnaissance or exploitation attempts prior to patching.
  • Establish baseline behavior for legitimate server function usage to identify anomalous request patterns.

Response Planning:

  • Prepare incident response procedures for potential exploitation, including forensic log collection and system isolation steps.
  • Review code execution context for all React Server Functions to understand potential impact of successful RCE.
  • Consider temporary network segmentation for vulnerable applications that cannot be immediately patched.

Conclusion

CVE-2025-55182 represents a critical vulnerability in one of the most widely deployed web frameworks in the modern JavaScript ecosystem. With a CVSS score of 10.0, unauthenticated remote code execution, and a default-vulnerable configuration, this flaw demands immediate attention from every organization running React Server Components.

Security teams must recognize that modern web frameworks, while enabling rapid development, introduce complex server-side execution contexts that expand the attack surface significantly. React Server Components blur the line between client and server, and vulnerabilities in this boundary represent critical risks.

Organizations should treat this disclosure as a forcing function to audit their entire application stack for similar server-side deserialization vulnerabilities. The patterns that enabled this React vulnerability, insufficient validation of client-controlled data, complex deserialization logic, and privileged execution contexts exist across many frameworks and custom application code. Comprehensive logging, real-time monitoring, and detection rules tuned to identify deserialization attacks must become standard practice.

Show Transcript
Get In Touch