On December 3, 2025, the React team publicly disclosed CVE-2025-55182, a critical vulnerability in React Server Components that allows unauthenticated remote code execution. The vulnerability stems from insecure deserialization in the react-server package's handling of the React Server Components "Flight" protocol.
The vulnerability carries a CVSS score of 10.0 (Critical). An attacker can exploit this flaw by sending a specially crafted HTTP request to any React Server Function endpoint, achieving code execution without authentication.
Applications using React Server Components are at risk, even if they don't explicitly implement React Server Function endpoints. The vulnerability affects default configurations of popular frameworks, including Next.js (tracked as CVE-2025-66478) and others that bundle the react-server implementation.
Applications without server-side React code or frameworks that don't support React Server Components are not affected.
Affected Versions
The following packages and versions contain the vulnerability:
React:
- react: 19.0.0, 19.1.0, 19.1.1, 19.2.0
- react-dom: 19.0.0, 19.1.0, 19.1.1, 19.2.0
- react-server-dom-parcel: 19.1.0-19.1.1, 19.2.0 (including canaries)
- react-server-dom-turbopack: 19.0.0, 19.1.0-19.1.1, 19.2.0 (including canaries)
- react-server-dom-webpack: 19.0.0, 19.1.0-19.1.1, 19.2.0 (including canaries)
Any framework or library bundling the react-server implementation is potentially vulnerable, notably Next.js.
Next.js: 14.3.0-canary, 15.x, and 16.x (App Router)
Additional frameworks:
- React Router (RSC preview)
- Waku
- Parcel RSC plugin (@parcel/rsc)
- Vite RSC plugin (@vitejs/plugin-rsc)
- RedwoodJS (rwsdk)
Technical Analysis
Discovery and Disclosure Timeline
- November 29, 2024: Lachlan Davidson reported the vulnerability through Meta's Bug Bounty program
- November 30: Meta security researchers confirmed the issue and began coordinating with the React team
- December 1: Fix developed; coordination began with hosting providers and open source projects
- December 3: Patched versions released to npm and public disclosure
How the Vulnerability Works
React Server Functions enable clients to call functions on the server. React provides integration points that frameworks and bundlers use to run React code on both client and server. The framework translates client requests into HTTP requests forwarded to the server, where React translates the HTTP request into a function call.
The vulnerability exists in how the react-server package processes React Server Components payloads via the "Flight" protocol. It is an insecure deserialization flaw in the protocol's parsing logic: the server does not properly validate the structure of incoming RSC payloads before acting on them.
When the server receives a malformed, attacker-crafted payload, validation failures allow attacker-controlled data to influence server-side execution logic. This results in the execution of privileged JavaScript code in the server context.
The attack vector is both remote and unauthenticated. An attacker needs only network access to send a crafted HTTP request to any Server Function endpoint. The vulnerability affects default framework configurations, meaning standard deployments are immediately exploitable without special conditions.
Scope and Impact
The combination of critical severity, ease of exploitation, and widespread framework adoption creates significant exposure. The vulnerability affects applications in their default configuration, requiring no special setup or edge-case scenarios for exploitation.
React Server Components represent a significant architectural pattern in modern React applications, particularly with the adoption of Next.js App Router and similar server-centric architectures. The prevalence of this pattern across the React ecosystem gives the vulnerability broad reach.
Detection and Mitigation
Determine If You're Affected
Check your application dependencies:
- Review package.json and package-lock.json for React version 19.0, 19.1.0, 19.1.1, or 19.2.0
- Check Next.js versions between 14.3.0-canary and 16.x (with App Router enabled)
- Identify if your application uses React Server Components or any RSC-enabled framework
- Verify whether your application implements server-side React code
Applications that run React exclusively on the client, or that don't use frameworks supporting React Server Components, are not vulnerable.
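The dependency review above can be automated. The following Node.js script is an added example, not tooling from the React team, Next.js or this advisory: it walks the "packages" map of an npm package-lock.json (lockfileVersion 2 or 3), including nested copies under node_modules, and compares every react, react-dom, react-server-dom-* and next entry against the affected and patched versions listed on this page. The sample lock file embedded in it is constructed for the demonstration. Versions this page gives no patch level for (for example a 15.x minor not in the patched list) are reported as "review" rather than guessed.

```javascript
// Added example (not the React team's or this advisory's tooling): scan the
// "packages" map of an npm package-lock.json (lockfileVersion 2 or 3) for the
// React, react-server-dom-* and Next.js versions this advisory lists as affected.

// react / react-dom releases named as affected.
const AFFECTED_REACT = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);

// Packages that bundle the react-server "Flight" implementation.
const REACT_SERVER_PKGS = new Set([
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
]);

// First patched Next.js patch level per affected minor, from the advisory.
const NEXT_FIXED_PATCH = { "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6, "15.4": 8, "15.5": 7, "16.0": 7 };
const NEXT_14_CANARY_FIXED = 88; // 14.3.0-canary.88

// Minimal semver parser: major.minor.patch with an optional prerelease tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre: m[4] || "" };
}

// true = affected, false = not affected, null = cannot decide from this advisory.
function isReactAffected(name, version) {
  if (name === "react" || name === "react-dom") return AFFECTED_REACT.has(version);
  if (!REACT_SERVER_PKGS.has(name)) return false;
  const p = parseVersion(version);
  if (!p) return null;
  if (p.major !== 19) return false;
  // 19.0.0 is listed for the turbopack and webpack packages only.
  if (p.minor === 0) return p.patch === 0 && name !== "react-server-dom-parcel";
  // 19.1.0-19.1.1 and 19.2.0, including their canary builds (prerelease tag ignored).
  if (p.minor === 1) return p.patch <= 1;
  if (p.minor === 2) return p.patch === 0;
  return false;
}

function isNextAffected(version) {
  const p = parseVersion(version);
  if (!p) return null;
  if (p.major === 14) {
    // Only the 14.3.0 canary line is listed; canary.88 carries the fix.
    const c = /^canary\.(\d+)$/.exec(p.pre);
    return p.minor === 3 && p.patch === 0 && c !== null && Number(c[1]) < NEXT_14_CANARY_FIXED;
  }
  if (p.major === 15 || p.major === 16) {
    const fixed = NEXT_FIXED_PATCH[`${p.major}.${p.minor}`];
    if (fixed === undefined) return null; // minor not in the advisory's patch table
    // A prerelease of the fixed patch level (e.g. 16.0.7-canary.1) predates the fix, so flag it too.
    return p.patch < fixed || (p.patch === fixed && p.pre !== "");
  }
  return false;
}

// "node_modules/a/node_modules/react" -> "react" (nested copies count as well).
function packageName(lockPath) {
  const i = lockPath.lastIndexOf("node_modules/");
  return i === -1 ? lockPath : lockPath.slice(i + "node_modules/".length);
}

function scanLockfile(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "" || !entry.version) continue; // "" is the root project itself
    const name = packageName(lockPath);
    let verdict;
    if (name === "next") verdict = isNextAffected(entry.version);
    else if (name === "react" || name === "react-dom" || REACT_SERVER_PKGS.has(name)) verdict = isReactAffected(name, entry.version);
    else continue;
    findings.push({
      name, version: entry.version, path: lockPath,
      status: verdict === null ? "review" : verdict ? "affected" : "ok",
    });
  }
  return findings;
}

// Constructed sample, shaped like a lockfileVersion 3 package-lock.json.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/next": { version: "15.5.6" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-dom": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0-canary-3fbfb9ba-20250409" },
    "node_modules/legacy-widget/node_modules/react": { version: "18.3.1" },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(8)} ${f.name}@${f.version}  (${f.path})`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The scan reads the lock file rather than package.json on purpose: the lock records the versions actually installed, including nested duplicates that a caret range in package.json would hide, and it is the nested react-server-dom-* copy pulled in by a framework that usually matters here.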
Immediate Actions
Upgrade to patched versions immediately. This is the only definitive mitigation.
React:
- 19.0.1
- 19.1.2
- 19.2.1
Next.js:
- 14.3.0-canary.88
- 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7
- 16.0.7
For other RSC-enabled frameworks (RedwoodJS, Waku, Parcel, Vite RSC), consult official project channels for updates and apply patches immediately upon availability.
Temporary Protections
While patches are applied:
- Deploy Web Application Firewall rules if available
- Monitor HTTP traffic to Server Function endpoints for suspicious or malformed requests
- Consider temporarily restricting network access to affected applications during patch deployment if business requirements allow
Looking Forward
The React team has indicated that additional technical details about the vulnerability will be released after the fix rollout is complete. Security teams should monitor official React channels for these updates, which may inform additional hardening measures or detection strategies.
Framework maintainers and the broader React ecosystem continue to assess impact and coordinate patches. Organizations using less common RSC-enabled tools should proactively verify patch status rather than waiting for notifications.
References
- CVE-2025-55182
- React Official Security Advisory
- Wiz Research: Critical Vulnerabilities in React and Next.js
Acknowledgements
Lachlan Davidson discovered and responsibly disclosed this vulnerability through Meta's Bug Bounty program, working directly with Meta security researchers and the React team to develop and validate the fix. The coordinated disclosure process involved hosting providers and open source projects to enable rapid ecosystem-wide patching.