Critical React Server Components Vulnerability Enables Unauthenticated Remote Code Execution
A critical security vulnerability has been identified in React Server Components (RSC), posing a significant risk of unauthenticated remote code execution. This flaw, designated as CVE-2025-55182 with a maximum CVSS score of 10.0, arises from improper decoding of payloads sent to React Server Function endpoints. Even applications that do not implement these endpoints but support React Server Components may be susceptible.
The vulnerability stems from unsafe handling of serialized payloads within the React Flight protocol, which amounts to an insecure-deserialization flaw. An attacker can exploit it by sending a crafted HTTP request to any Server Function endpoint, resulting in arbitrary JavaScript code execution on the server.
Affected versions include 19.0, 19.1.0, 19.1.1, and 19.2.0 of the following npm packages:
– react-server-dom-webpack
– react-server-dom-parcel
– react-server-dom-turbopack
The issue has been addressed in versions 19.0.1, 19.1.2, and 19.2.1. Security researcher Lachlan Davidson reported the flaw on November 29, 2025.
Additionally, Next.js applications using the App Router are affected by a related vulnerability, CVE-2025-66478, also with a CVSS score of 10.0. This impacts versions >=14.3.0-canary.77, >=15, and >=16, with patches available in versions 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, and 15.0.5.
Other libraries that bundle RSC, such as the Vite RSC plugin, the Parcel RSC plugin, the React Router RSC preview, RedwoodJS, and Waku, are likely affected. Reports indicate that 39% of cloud environments have instances vulnerable to these CVEs.
To mitigate risks, users should apply the provided patches promptly. Until then, deploying Web Application Firewall (WAF) rules, monitoring HTTP traffic for suspicious requests, and restricting network access to affected applications are recommended.
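As an added example (not code from the advisory or from the React or Next.js projects), the following Node script checks the packages pinned in a package-lock.json against the version lists above, so a team can confirm whether the patches have actually landed in a deployment. It assumes a lockfileVersion 2 or 3 lockfile with a "packages" map, reads the advisory's "19.0" as 19.0.0, and marks any Next.js minor line the advisory does not name as "review" rather than guessing.

```javascript
// Added example, not code from the advisory or the React/Next.js projects.
// Scans a package-lock.json (lockfileVersion 2 or 3, "packages" map) for the
// packages the advisory names and classifies each pinned version.
const AFFECTED_RSC = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]); // advisory writes "19.0"
const RSC_PACKAGES = ["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"];
// Next.js: first patched release per minor line (CVE-2025-66478), patch number only.
const NEXT_FIXED_PATCH = { "16.0": 7, "15.5": 7, "15.4": 8, "15.3": 6, "15.2": 6, "15.1": 9, "15.0": 5 };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || "" } : null;
}

// Returns "vulnerable", "ok" (not in a listed affected range, or already patched) or "review".
function classify(name, version) {
  const v = parseVersion(version);
  if (!v) return "review";
  if (RSC_PACKAGES.includes(name)) {
    if (v.pre) return "review"; // canary/rc builds are not covered by the advisory's version list
    return AFFECTED_RSC.has(version) ? "vulnerable" : "ok";
  }
  if (name !== "next") return "ok";
  if (v.major >= 15) {
    const fixed = NEXT_FIXED_PATCH[`${v.major}.${v.minor}`];
    if (fixed === undefined || v.pre) return "review"; // minor line or prerelease not named in the advisory
    return v.patch >= fixed ? "ok" : "vulnerable";
  }
  // 14.x: the advisory lists 14.3.0-canary.77 and later canaries as affected, with no fix given.
  const canary = /^canary\.(\d+)$/.exec(v.pre);
  if (v.major === 14 && v.minor === 3 && canary && +canary[1] >= 77) return "vulnerable";
  return "ok";
}

// Walks the lockfile's "packages" map; keys look like "node_modules/<name>" (possibly nested).
function scanLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0) continue; // the "" root entry and anything outside node_modules
    const name = path.slice(idx + "node_modules/".length);
    if (!RSC_PACKAGES.includes(name) && name !== "next") continue;
    findings.push({ name, version: meta.version, status: classify(name, meta.version) });
  }
  return findings;
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "sample-app" },
  "node_modules/next": { version: "15.4.7" },
  "node_modules/react-server-dom-webpack": { version: "19.1.1" },
  "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
}};
console.table(scanLock(SAMPLE_LOCK));
```

Replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))` to run it against a real lockfile; a "review" result means the version is outside the lists the advisory gives and needs a manual check against the vendor's release notes.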