On December 3, 2025, the React team disclosed CVE-2025-55182, a critical remote code execution vulnerability in React Server Components. With a maximum CVSS score of 10.0, this represents one of the most severe vulnerabilities ever discovered in the React ecosystem. The flaw affects React 19.x server components and impacts major frameworks including Next.js, React Router, Waku, Expo, and others.
The vulnerability allows unauthenticated attackers to execute arbitrary code on servers running affected versions by sending specially crafted HTTP requests to Server Function endpoints. Patches have been released, and all users running React Server Components in production must upgrade immediately.
What Happened
The Vulnerability
CVE-2025-55182 is a deserialization vulnerability in the Server Function endpoint implementation of React Server Components. When processing incoming requests, the vulnerable code deserializes user-controlled payload data without proper validation, allowing attackers to inject malicious code that executes on the server with the privileges of the application.
Affected Packages and Versions
The vulnerability exists in three React server packages:
- react-server-dom-webpack: versions 19.0.0, 19.1.0, 19.1.1, 19.2.0
- react-server-dom-parcel: versions 19.0.0, 19.1.0, 19.1.1, 19.2.0
- react-server-dom-turbopack: versions 19.0.0, 19.1.0, 19.1.1, 19.2.0
Attack Vector
Attackers can exploit this vulnerability by crafting malicious HTTP POST requests to Server Function endpoints exposed by affected applications. No authentication is required, and successful exploitation grants full code execution capabilities on the target server. This makes the vulnerability particularly dangerous for internet-facing applications.
Impact and Scope
The implications of CVE-2025-55182 are severe and far-reaching:
- Maximum severity rating - CVSS 10.0 indicates this vulnerability requires no privileges, no user interaction, and has complete impact on confidentiality, integrity, and availability
- Next.js ecosystem at risk - All Next.js 15.x through 16.x versions using Server Components are vulnerable, affecting thousands of production applications
- Multi-framework impact - React Router, Waku, Expo, Redwood SDK, and various Vite and Parcel plugins are all affected
- Unauthenticated exploitation - Requiring no credentials and no user interaction makes this trivially exploitable by any remote attacker
- Complete server compromise - Successful exploitation provides full code execution, enabling data theft, ransomware deployment, persistence mechanisms, and lateral movement
Affected Frameworks and Applications
Applications using Server Components through these frameworks are vulnerable:
- Next.js: All versions 15.x, 16.0.0-canary.x, and 16.0.0-rc.x must upgrade immediately
- React Router: Applications using the Remix/React Router framework with Server Components
- Waku: Server-side rendering framework built on React Server Components
- Expo SDK: Mobile applications using Expo with server-side rendering
- Redwood SDK: Full-stack React framework with server-side capabilities
- Build tool plugins: @vitejs/plugin-react, vite-plugin-react-server-components, @parcel/runtime-react-refresh
Immediate Actions Required
- Upgrade React packages immediately - Update to patched versions: 19.0.1, 19.1.2, or 19.2.1 depending on your current version. Run npm update react react-dom react-server-dom-webpack or the equivalent for your package manager.
- Update framework versions - Next.js users should upgrade to versions 15.1.4, 15.2.0-canary.41, 16.0.0-canary.7, or 16.0.0-rc.1, which include the patched React versions.
- Rebuild and redeploy - After updating dependencies, rebuild your application and deploy immediately to production. This is a critical security release that cannot wait for normal release cycles.
- Audit Server Function usage - Review all Server Functions and Server Actions in your codebase for additional security hardening opportunities.
- Monitor for exploitation attempts - Review server logs for suspicious POST requests to Server Function endpoints. Look for unusual payloads or request patterns targeting these endpoints.
- Implement network controls - If immediate patching is not possible, consider temporarily restricting access to Server Function endpoints through WAF rules or network ACLs until patches can be deployed.
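To make the affected-version list and the upgrade step actionable, the following is an added example (not code from the advisory, React, or any framework vendor) that audits a parsed package-lock.json for the three react-server-dom packages and classifies every installed copy, including nested ones, against the versions this page lists. The sample lockfile is constructed; the classification rule only trusts the exact versions named above and flags anything else, such as canary or rc builds, for manual review.

```javascript
// Added example: audit a parsed npm lockfile (lockfileVersion 2 or 3) for the
// react-server-dom-* packages named in the CVE-2025-55182 advisory.
const AFFECTED_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];
// Exact versions the advisory lists as vulnerable.
const VULNERABLE_VERSIONS = new Set(['19.0.0', '19.1.0', '19.1.1', '19.2.0']);
// Patched release for each affected minor line, as stated in the advisory.
const PATCHED_BY_MINOR = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };

function minorLine(version) {
  return version.split('.').slice(0, 2).join('.');
}

function classifyVersion(version) {
  if (VULNERABLE_VERSIONS.has(version)) return 'vulnerable';
  if (PATCHED_BY_MINOR[minorLine(version)] === version) return 'patched';
  // Pre-release tags (canary, rc) and other versions are not on the advisory's
  // exact list, so flag them for manual review instead of guessing.
  return 'review';
}

function auditLockfile(lock) {
  const findings = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    // Nested installs look like "node_modules/next/node_modules/react-server-dom-turbopack".
    const name = installPath.split('node_modules/').pop();
    if (!AFFECTED_PACKAGES.includes(name) || !meta.version) continue;
    findings.push({
      name,
      path: installPath,
      version: meta.version,
      status: classifyVersion(meta.version),
      upgradeTo: PATCHED_BY_MINOR[minorLine(meta.version)] || null,
    });
  }
  return findings;
}

// Constructed sample lockfile: one vulnerable copy, one patched nested copy, one unrelated package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/next/node_modules/react-server-dom-turbopack': { version: '19.1.2' },
  },
};
```

Feed it `JSON.parse` of a real package-lock.json to list every copy that still needs the upgrade named in `upgradeTo`.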
Critical Security Notice
This vulnerability allows complete server compromise without authentication. Any application running React Server Components with vulnerable versions should be considered at immediate risk of exploitation. Patching must be treated as an emergency security incident requiring immediate action outside normal deployment schedules.
Timeline
- November 29, 2025: Vulnerability discovered and reported to React team by security researcher Lachlan Davidson
- December 1, 2025: React team validates vulnerability and develops patches
- December 3, 2025: Coordinated disclosure with patches released for all affected versions
- December 3, 2025: Next.js and other framework vendors release updated versions incorporating the fix
How Prismor Helps Organizations Respond to Critical Vulnerabilities
When critical vulnerabilities like CVE-2025-55182 emerge, organizations need to identify affected systems and coordinate patching across their entire application portfolio. Prismor provides:
- Automated Dependency Detection: Instantly identify all applications using React Server Components across your organization. Know which projects are running vulnerable versions of react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack before attackers find them.
- Real-Time Vulnerability Intelligence: Receive immediate alerts when critical CVEs affecting your technology stack are disclosed. Prismor correlates new vulnerabilities against your complete software inventory within minutes of public disclosure.
- Framework and Dependency Mapping: Track not just direct dependencies but also framework versions. Understand which Next.js, React Router, or other framework versions are deployed and how they relate to underlying React versions.
- Coordinated Patch Management: Orchestrate emergency patching across development, staging, and production environments. Track which teams have upgraded, which systems remain vulnerable, and ensure complete coverage.
- Compliance and Audit Trails: Document your response to critical security incidents with timestamped records of vulnerability identification, notification, patching, and verification. Meet regulatory requirements under EU CRA, NIS2, and other frameworks.
- Continuous SBOM Monitoring: Maintain up-to-date Software Bills of Materials for all applications. When the next critical vulnerability emerges, you will have complete visibility into your exposure within minutes, not days.
CVE-2025-55182 demonstrates why comprehensive software supply chain visibility is no longer optional. With Prismor, you transform vulnerability response from a reactive scramble into a systematic, auditable process that protects your organization and proves compliance to regulators and customers.