Critical React RSC Vulnerability (CVE-2025-55182) Exposes Millions of Apps to Remote Code Execution — Patch Immediately

What is the React RSC vulnerability?

React Server Components (RSC) move part of the rendering logic from the browser to the server and stream pre‑rendered UI to clients. In certain React server packages, researchers found that the server unsafely deserializes payloads sent to special Server Function endpoints. When an attacker sends a carefully crafted HTTP request, this deserialization bug can be abused to execute arbitrary code on the server with the same privileges as the application process.

The vulnerability has been rated 10.0/10 (critical) because it is:

• Remote – exploitable over the network via HTTP.
• Unauthenticated – no login or valid session required.
• High‑impact – leads directly to arbitrary code execution and full application takeover.

Affected React packages and versions

The bug affects several React Server DOM packages in the 19.x line. Specifically, the following packages and versions are vulnerable:

• react-server-dom-parcel: 19.0, 19.1.0, 19.1.1, 19.2.0
• react-server-dom-turbopack: 19.0, 19.1.0, 19.1.1, 19.2.0
• react-server-dom-webpack: 19.0, 19.1.0, 19.1.1, 19.2.0

Crucially, an application may still be vulnerable even if it does not expose explicit Server Function endpoints, as long as it supports React Server Components in its stack. For that reason, the React team is urging all administrators and developers using these packages to upgrade immediately to patched versions.

Impact on frameworks and the wider ecosystem

React Server Components are embedded inside many popular frameworks and build tools. Because of this, the vulnerability cascades across much of the modern JavaScript ecosystem. Frameworks and tools that may be impacted include:

• Next.js
• react-router
• waku
• @parcel/rsc
• @vitejs/plugin-rsc
• rwsdk
• And other RSC‑enabled frameworks and bundlers

Cloud security researchers estimate that:

• React and Next.js appear in a very large share of cloud environments, with Next.js alone present in a majority of them.
• A significant portion of those environments expose public applications, meaning a large fraction of Internet‑facing services may be vulnerable if unpatched.

Given the popularity of React and Next.js for production web applications, this flaw likely affects millions of websites, from small projects to major enterprise deployments.

Real‑world exploitability

Security researchers who analyzed CVE‑2025‑55182 report that exploitation is straightforward:

• An attacker only needs to send a specially crafted HTTP request to a vulnerable Server Function endpoint (or to any route that passes such payloads to the RSC stack).
• When the server decodes and deserializes this payload, the flaw allows the attacker to trigger remote code execution (RCE).
• In testing, exploit attempts showed a near‑100% success rate, even against default configurations of popular frameworks.

Proof‑of‑concept (PoC) exploit code has already appeared on public code‑hosting platforms, which significantly lowers the bar for attackers and increases urgency for defenders.

Vendor and cloud provider responses

Multiple stakeholders in the ecosystem have issued advisories and started rolling out mitigations:

• React Team
  • Published a security advisory describing the vulnerability and listing fixed versions.
  • Strongly recommends upgrading any affected React Server DOM packages immediately, even if server functions are not in active use.
• Next.js maintainers
  • Released a separate security bulletin for Next.js users.
  • Provided patched framework versions and instructions for upgrading applications that rely on React Server Components or server actions.
• Cloud providers and security vendors
  • Some providers (for example, major CDN/WAF vendors) have deployed web application firewall (WAF) rules to block exploit attempts at the edge.
  • While these protections can deflect some attacks, they are considered temporary mitigations only and cannot replace patching at the application level.
• Meta and vulnerability databases
  • Meta’s security team confirmed this as a pre‑authentication remote code execution issue affecting React Server Components.
  • National vulnerability tracking databases have published detailed entries describing the flaw’s root cause: unsafe deserialization of HTTP payloads for Server Function endpoints.

What administrators and developers should do now

Because this is an easily exploitable RCE in a widely deployed stack, immediate action is essential. The following steps provide a practical response checklist:

1. Identify if you are affected
   • Check your package.json and lockfiles (package-lock.json, yarn.lock, or pnpm-lock.yaml) for any of:
     • react-server-dom-parcel
     • react-server-dom-turbopack
     • react-server-dom-webpack
   • Note the installed versions; if they are 19.0, 19.1.0, 19.1.1, or 19.2.0, your environment is vulnerable.
   • If using frameworks like Next.js or others that support RSC, consult their advisories to see which framework versions bundle vulnerable React components.
2. Upgrade to patched versions immediately
   • Update React and the affected server DOM packages to the latest hardened versions released after the disclosure.
   • If you are using a framework (such as Next.js), upgrade the framework to the patched release specified in its security advisory.
   • Rebuild and redeploy all production services after updating dependencies.
3. Apply short‑term mitigations where possible
   • If immediate upgrades are not possible, consider:
     • Temporarily disabling React Server Components or server actions.
     • Restricting access to server function routes behind VPNs, IP allowlists, or authentication layers.
     • Enabling WAF rules designed to detect and block suspicious RSC payloads.
   • Treat these measures as stopgaps, not a replacement for patching.
4. Monitor logs and investigate potential compromise
   • Review HTTP access logs for unusual requests targeting RSC or server function routes.
   • Look for signs of exploitation: unexpected process behavior, unknown reverse shells, or suspicious file changes on servers.
   • If compromise is suspected, follow your incident response plan: isolate systems, rotate secrets, and rebuild from trusted images.
5. Harden your pipeline going forward
   • Add security scanning tools that:
     • Track vulnerable dependencies by CVE.
     • Alert you when critical issues like CVE‑2025‑55182 affect your stack.
   • Implement routine dependency reviews and scheduled patch cycles, especially for core frameworks such as React and Next.js.
   • Consider enabling software composition analysis (SCA) and integrating it with CI/CD pipelines.

Why this vulnerability matters for the web at large

CVE‑2025‑55182 highlights the systemic risk that arises when complex server‑side features are added to widely used frontend libraries. Server Components blur the line between client and server, and any flaw in how they process data can have serious security consequences. In this case, a single bug in how payloads are deserialized has translated into:

• A critical, unauthenticated RCE vulnerability.
• Affected surface area spread across numerous frameworks and tools.
• A high probability that attackers will incorporate live exploits into mass‑scanning campaigns.

For organizations, this incident is a reminder that:

• Modern JavaScript applications are not just “frontend code”; they often handle sensitive logic on the server.
• Keeping framework and library dependencies up to date is as important as patching operating systems and databases.
• Security‑by‑design reviews are crucial whenever new server‑side features—such as RSC or server actions—are introduced into production stacks.