Summary
CVE-2025-55182 is a critical RCE flaw in React Server Components caused by unsafe Flight deserialization, enabling unauthenticated code execution in React 19.0–19.2.0, Next.js, and related frameworks. Active exploitation makes immediate patching critical.
Urgent Actions Required
- Upgrade React Server Components to 19.0.1, 19.1.2, or 19.2.1.
- Update dependent frameworks, including Next.js to 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7; downgrade Next.js 14.3.0-canary.77 or later canary releases to the latest stable 14.x version.
- Enable temporary request-level protections from hosting providers or WAFs.
- Review exposed RSC endpoints for potential exploitation.
Which Systems Are Vulnerable to CVE-2025-55182?
Technical Overview
- Vulnerability Type: Remote Code Execution via Unsafe Deserialization in React Server Components (Flight protocol)
- Affected Software/Versions:
- React Server Components: 19.0.0, 19.1.0, 19.1.1, 19.2.0
- Next.js: 14.3.0-canary.77+, 15.0.0 – 15.0.4, 15.1.0 – 15.1.8, 15.2.0 – 15.2.5, 15.3.0 – 15.3.5, 15.4.0 – 15.4.7, 15.5.0 – 15.5.6, 16.0.0 – 16.0.6
- Other frameworks/plugins embedding RSC: React Router (RSC mode), Waku, RedwoodSDK, Vite RSC plugin, Parcel RSC plugin
- Attack Vector: Network (HTTP/HTTPS, pre-authentication)
- CVSS Score: 10.0
- CVSS Vector: v3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
- Patch Availability: Yes, available
- Critical Security Vulnerability in React Server Components – React
- Security Advisory: CVE-2025-66478 | Next.js
- Patch FlightReplyServer with fixes from ReactFlightClient (#35277) · facebook/react@7dc903c · GitHub
- Upgrade React from `fd524fe0-20251121` to `7dc903cd-20251203` (#86771) · vercel/next.js@6ef90ef · GitHub
How Does the CVE-2025-55182 Exploit Work?
The attack typically follows these steps:
What Causes CVE-2025-55182?
Vulnerability Root Cause:
This vulnerability originates from flawed handling of serialized input within the React Server Components “Flight” protocol. The server-side logic deserializes client‑supplied RSC payloads without sufficient safeguards, allowing attacker‑controlled data to influence execution flow. Because this deserialization occurs before authentication checks, a crafted request can trigger unintended server‑side execution, ultimately enabling remote code execution without requiring valid credentials.
How Can You Mitigate CVE-2025-55182?
If immediate patching is delayed or not possible:
- Downgrade any affected Next.js canary builds (14.3.0-canary.77 or later) to the latest stable 14.x release.
- Rely on hosting provider request-layer protections only as a temporary risk-reduction measure while upgrading, noting these do not fix the vulnerability.
- Verify whether vulnerable React Server Component packages are actually loaded and executed in production using runtime or dependency execution visibility tools.
- Use runtime inspection capabilities provided by these tools to detect deserialization flows that result in server-side code execution during RSC processing.
Which Assets and Systems Are at Risk?
Asset Types Affected:
- Web Applications – Apps using vulnerable React 19.0–19.2.0 or frameworks bundling them (Next.js, React Router RSC, Waku, RedwoodSDK, Vite/Parcel RSC plugins).
- Server Functions/Endpoints – Any exposed endpoints processing serialized RSC payloads.
Business-Critical Systems at Risk:
- Production Web Apps – Any application executing vulnerable RSC packages may face remote code execution.
- Backend Services – Server logic invoked via RSC endpoints could be fully compromised.
- Cloud-hosted Applications – Servers could be abused to execute arbitrary commands, access environment variables, or deploy malicious software.
Exposure Level:
- Internet-facing applications – Public RSC endpoints are fully exploitable without authentication.
- Internal or staging servers – If vulnerable RSC packages are deployed, they remain at risk even if not publicly exposed.
Will Patching CVE-2025-55182 Cause Downtime?
Patch application impact: Fixing CVE-2025-55182 requires upgrading React Server Components and affected frameworks to patched versions, usually involving a rebuild and redeploy with minimal or no downtime.
How Can You Detect CVE-2025-55182 Exploitation?
Exploitation Signatures:
- HTTP POST requests to React Server Component or Server Function endpoints.
- Multipart form-data requests carrying crafted Flight payloads.
- Payloads containing attacker-controlled objects that mimic internal RSC “Chunk” structures.
Indicators of Compromise (IOCs/IOAs):
- Server-side deserialization triggering unexpected Promise resolution behavior.
- Invocation of attacker-controlled logic during RSC payload processing.
- Evidence of arbitrary JavaScript execution within the server process (e.g., file creation or command execution).
Behavioral Indicators:
- Deserialization flows reaching server execution paths without authentication.
- Internal RSC parsing logic resolves malformed or unexpected objects as valid Chunks.
- Server-side functions are being invoked without legitimate client-side interaction.
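The behavioral indicators above can be turned into a simple correlation over access logs. The following is an added example, not code from this page or from any vendor: it flags a POST to a server-function route from a client that has not loaded a page within a recent window (the "invoked without legitimate client-side interaction" indicator) and records a multipart body as supporting context. The JSON-lines log format, the `SERVER_FUNCTION_ROUTES` list, the `/static/` asset prefix and the 10-minute window are assumptions for this example, and the log lines are constructed.

```javascript
// Added example, not code from the page or any vendor. Correlates access-log
// records to surface the advisory's behavioral indicator "server-side
// functions invoked without legitimate client-side interaction", reporting
// multipart bodies as context. Log format, route list and window are
// assumptions for this example.

// Assumed: routes on which server functions (server actions) accept POSTs.
const SERVER_FUNCTION_ROUTES = ['/dashboard', '/api/actions'];
// Assumed: a page load within this window counts as client-side interaction.
const PRIOR_LOAD_WINDOW_MS = 10 * 60 * 1000;

// Constructed JSON-lines access log (not real traffic), one request per line.
const SAMPLE_LOG = [
  '{"ts":"2025-12-03T10:00:01Z","client":"10.0.0.5","method":"GET","path":"/dashboard","ct":"-"}',
  '{"ts":"2025-12-03T10:00:09Z","client":"10.0.0.5","method":"POST","path":"/dashboard","ct":"multipart/form-data; boundary=abc"}',
  '{"ts":"2025-12-03T10:02:30Z","client":"198.51.100.7","method":"POST","path":"/dashboard","ct":"multipart/form-data; boundary=xyz"}',
  '{"ts":"2025-12-03T10:02:31Z","client":"198.51.100.7","method":"POST","path":"/api/actions/submit","ct":"text/plain;charset=UTF-8"}',
  '{"ts":"2025-12-03T10:03:00Z","client":"10.0.0.9","method":"GET","path":"/static/app.js","ct":"-"}',
].join('\n');

// Parse JSON lines into records with a numeric timestamp for sorting.
function parseLog(text) {
  return text.split('\n').filter(Boolean).map((line) => {
    const r = JSON.parse(line);
    return { ...r, t: Date.parse(r.ts) };
  });
}

function isServerFunctionRoute(path) {
  return SERVER_FUNCTION_ROUTES.some((p) => path === p || path.startsWith(p + '/'));
}

// A GET to anything except static assets is taken as a page load (assumption).
function isPageLoad(r) {
  return r.method === 'GET' && !r.path.startsWith('/static/');
}

// Returns one finding per suspicious POST: no page load from that client in
// the window before the call. Multipart bodies are added as a second reason.
function detect(records) {
  const lastPageLoad = new Map(); // client -> timestamp of most recent page load
  const findings = [];
  for (const r of [...records].sort((a, b) => a.t - b.t)) {
    if (isPageLoad(r)) { lastPageLoad.set(r.client, r.t); continue; }
    if (r.method !== 'POST' || !isServerFunctionRoute(r.path)) continue;
    const seen = lastPageLoad.get(r.client);
    if (seen !== undefined && r.t - seen <= PRIOR_LOAD_WINDOW_MS) continue; // ordinary interaction
    const reasons = ['no-prior-page-load'];
    if (/^multipart\/form-data/i.test(r.ct)) reasons.push('multipart-form-data');
    findings.push({ ts: r.ts, client: r.client, path: r.path, reasons });
  }
  return findings;
}

// Count findings per client so a single source hammering server functions stands out.
function summarize(findings) {
  const perClient = {};
  for (const f of findings) perClient[f.client] = (perClient[f.client] || 0) + 1;
  return perClient;
}

for (const f of detect(parseLog(SAMPLE_LOG))) {
  console.log(`${f.ts} ${f.client} POST ${f.path} [${f.reasons.join(', ')}]`);
}
```

On the constructed log, the internal client that loaded `/dashboard` and then posted to it is left alone, while the external client that posted twice without any page load produces two findings, the first one also marked as multipart. The window and the page-load heuristic are deliberately coarse; tune them to the application's real traffic before treating a hit as more than a triage lead.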
Remediation & Response
Remediation Timeline:
- Immediate: Upgrade React Server Components and affected frameworks like Next.js to their patched versions.
- Short term: Downgrade any affected Next.js canary builds (14.3.0-canary.77 or later) to the latest stable 14.x release if upgrades are not yet applied.
- Post-patch: Confirm that no vulnerable RSC packages remain loaded or executed in production by reviewing dependency execution using the referenced runtime visibility tools.
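Both the mitigation step of verifying which React Server Component packages are actually installed and the post-patch confirmation above come down to comparing installed versions against the affected ranges this advisory lists. The following is an added example, not code from this page or from the React or Next.js projects. It encodes the ranges exactly as stated here and assumes (a) that the vulnerable Flight deserializer ships in the `react-server-dom-webpack`, `react-server-dom-parcel` and `react-server-dom-turbopack` packages, and (b) an npm `package-lock.json` v2/v3 layout whose `packages` map is keyed by `node_modules/...` path; the sample lockfile is constructed.

```javascript
// Added example, not code from the page or the React/Next.js projects.
// Checks installed package versions against the affected ranges this
// advisory lists. Assumptions: the Flight deserializer ships in the
// react-server-dom-* packages, and the lockfile is npm package-lock.json
// v2/v3 ("packages" keyed by node_modules path).

// Affected ranges as [firstAffected, firstFixed): every version from the
// first affected release up to, but not including, the patched release.
const AFFECTED_RANGES = {
  rsc: [['19.0.0', '19.0.1'], ['19.1.0', '19.1.2'], ['19.2.0', '19.2.1']],
  next: [
    ['15.0.0', '15.0.5'], ['15.1.0', '15.1.9'], ['15.2.0', '15.2.6'],
    ['15.3.0', '15.3.6'], ['15.4.0', '15.4.8'], ['15.5.0', '15.5.7'],
    ['16.0.0', '16.0.7'],
  ],
};

// Packages assumed to contain the vulnerable Flight reply deserializer.
const RSC_PACKAGES = new Set([
  'react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack',
]);

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into a sortable key. A prerelease
// (canary, rc, ...) sorts below its base release, so "15.0.5-canary.3" is
// treated as older than the 15.0.5 fix and is therefore still flagged.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { key: [+m[1], +m[2], +m[3], m[4] ? 0 : 1], prerelease: m[4] || null };
}

function compareKeys(a, b) {
  for (let i = 0; i < 4; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function inRange(key, [lo, hi]) {
  return compareKeys(key, parseVersion(lo).key) >= 0 &&
         compareKeys(key, parseVersion(hi).key) < 0;
}

// True when name@version falls inside an affected range from the advisory.
function isAffected(name, version) {
  const { key, prerelease } = parseVersion(version);
  if (RSC_PACKAGES.has(name)) return AFFECTED_RANGES.rsc.some((r) => inRange(key, r));
  if (name !== 'next') return false;
  // 14.3.0-canary.77 and later canaries of that base are affected; the
  // advisory's advice there is to move to the latest stable 14.x.
  if (key[0] === 14 && key[1] === 3 && key[2] === 0 && prerelease) {
    const c = /^canary\.(\d+)$/.exec(prerelease);
    return c !== null && Number(c[1]) >= 77;
  }
  return AFFECTED_RANGES.next.some((r) => inRange(key, r));
}

// Walk a package-lock.json object and report every affected entry,
// including nested copies (node_modules/a/node_modules/next).
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !entry || !entry.version) continue; // skip the root project
    const idx = path.lastIndexOf('node_modules/');
    const name = entry.name || path.slice(idx + 'node_modules/'.length);
    if (isAffected(name, entry.version)) findings.push({ path, name, version: entry.version });
  }
  return findings;
}

// Constructed sample lockfile (not a real project).
const SAMPLE_LOCK = {
  name: 'example-app', lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/next': { version: '15.5.6' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-dom': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`AFFECTED ${f.name}@${f.version} (${f.path})`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Two choices are deliberate: prereleases of a fixed version (such as a canary of 15.0.5) are flagged because they sort before the fix, and `react`/`react-dom` themselves are not checked, since under the stated assumption the affected code lives in the `react-server-dom-*` packages. A lockfile scan only proves what is installed; the advisory's post-patch step also asks for runtime confirmation that no vulnerable package is still loaded.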
Incident Response Considerations:
- Treat any unpatched, internet-facing RSC endpoint as potentially compromised due to public exploit availability and unauthenticated attack paths.
- Use runtime inspection tools to identify deserialization flows that resulted in server-side code execution.
- Review server activity for signs of unexpected JavaScript execution triggered during RSC payload handling.
- After patching, continue monitoring RSC execution paths to ensure vulnerable deserialization behavior is no longer reachable.
Where Can I Find More Information on CVE-2025-55182?
CVSS Breakdown Table
| Metric | Value | Description |
|---|---|---|
| Base Score | 10.0 | Maximum severity rating, indicating complete system compromise potential |
| Attack Vector | Network | Exploitable remotely through crafted HTTP requests to exposed RSC endpoints |
| Attack Complexity | Low | Exploitation relies on protocol logic abuse and does not require special conditions |
| Privileges Required | None | No authentication, credentials, or prior access needed |
| User Interaction | None | Exploitation occurs without any user action |
| Scope | Changed | Successful exploitation allows attacker-controlled execution beyond intended component boundaries |
| Confidentiality Impact | High | Arbitrary server-side execution enables access to sensitive data and secrets |
| Integrity Impact | High | Attacker can execute arbitrary code and modify server-side state |
| Availability Impact | High | Server-side code execution can disrupt or fully compromise application availability |