The React Team has issued an emergency security advisory following the discovery of a catastrophic vulnerability affecting the modern React ecosystem. The flaw, which carries a maximum severity rating, allows unauthenticated attackers to execute arbitrary code on servers running React Server Components (RSC).
The vulnerability, discovered by security researcher Lachlan Davidson, targets the communication layer between the client and the server.
Assigned the identifier CVE-2025-55182, this vulnerability has been rated with a CVSS score of 10.0. This score is reserved for the most critical security flaws—those that are easy to exploit, require no authentication, and result in total system compromise.
The scope of the threat is particularly alarming because it extends beyond active usage. Developers might assume they are safe if they aren’t actively using Server Functions, but the React Team warns otherwise: “Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.”
The vulnerability lies in the deserialization process—how React translates data sent from the client back into executable actions on the server.
Under normal operation, React encodes a client's Server Function call as an HTTP request, and the server-side React runtime decodes that request back into a function call. A flaw in this decoding step lets a crafted request inject malicious input instead of the intended call.
“An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server.” This allows attackers to bypass security controls and run commands directly on the host server.
The issue stems from specific underlying packages: react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Affected versions range from 19.0 through 19.2.0.
Because these packages are foundational, the vulnerability cascades down to major frameworks and bundlers. The advisory notes that “the following React frameworks & bundlers are affected: next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.”
The React Team and framework maintainers have released patches, and immediate upgrades are mandatory to secure applications.
For React Core Packages: A fix was introduced in versions 19.0.1, 19.1.2, and 19.2.1.
For Next.js Users: Users must upgrade to the latest patched version in their specific release line immediately:
- v15.0.x → Install next@15.0.5
- v15.1.x → Install next@15.1.9
- v16.0.x → Install next@16.0.7
- Note: Users on Next.js 14.3.0-canary.77 or later should downgrade to next@14.
For React Router & Other Frameworks: Users of the unstable RSC APIs in React Router, Waku, or Redwood SDK should immediately update react, react-dom, and the react-server-dom package their bundler uses (webpack or parcel) to the latest versions via npm install.
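The version ranges above, turned into a lockfile audit a defender can run before and after patching. This is an added example, not code from the advisory or the React project; it assumes the package-lock.json v3 layout (a "packages" map keyed by "node_modules/<name>", each entry carrying a "version") and encodes only the release lines and fix versions this article names, reporting anything else as "unlisted" rather than guessing.

```javascript
// Half-open ranges [first affected, first fixed) per release line, as the article
// states them: core packages fixed in 19.0.1/19.1.2/19.2.1, Next.js in 15.0.5/15.1.9/16.0.7.
const CORE_RANGES = [["19.0.0", "19.0.1"], ["19.1.0", "19.1.2"], ["19.2.0", "19.2.1"]];
const AFFECTED = {
  "react-server-dom-webpack": CORE_RANGES,
  "react-server-dom-parcel": CORE_RANGES,
  "react-server-dom-turbopack": CORE_RANGES,
  next: [["15.0.0", "15.0.5"], ["15.1.0", "15.1.9"], ["16.0.0", "16.0.7"]],
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numeric parts plus an optional tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Numeric MAJOR.MINOR.PATCH comparison; prerelease tags are dealt with by classify().
function compareVersions(a, b) {
  const pa = parseVersion(a).nums, pb = parseVersion(b).nums;
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
const inRange = (v, [lo, hi]) => compareVersions(v, lo) >= 0 && compareVersions(v, hi) < 0;
const minorLine = (v) => parseVersion(v).nums.slice(0, 2).join(".");

// "vulnerable", "fixed", or "unlisted" for release lines and prereleases the article
// does not name (other than the Next.js 14.3.0 canaries it says to downgrade).
function classify(name, version) {
  if (!Object.hasOwn(AFFECTED, name)) return "unlisted";
  const canary = /^14\.3\.0-canary\.(\d+)$/.exec(version);
  if (name === "next" && canary) return Number(canary[1]) >= 77 ? "vulnerable" : "unlisted";
  if (parseVersion(version).pre) return "unlisted";
  if (AFFECTED[name].some((r) => inRange(version, r))) return "vulnerable";
  return AFFECTED[name].some(([lo]) => minorLine(lo) === minorLine(version)) ? "fixed" : "unlisted";
}

// Walk every installed package recorded in the lockfile and report the ones the advisory covers.
function auditLockfile(lock) {
  return Object.entries(lock.packages || {})
    .map(([path, meta]) => ({ name: path.split("node_modules/").pop(), version: meta.version }))
    .filter((p) => Object.hasOwn(AFFECTED, p.name))
    .map((p) => ({ ...p, status: classify(p.name, p.version) }));
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/next": { version: "15.1.8" },
  "node_modules/react-server-dom-webpack": { version: "19.2.1" },
  "node_modules/react-server-dom-turbopack": { version: "19.1.0" },
} };
console.log(auditLockfile(SAMPLE_LOCK));
```

Run it as `node audit.js` after pointing SAMPLE_LOCK at `JSON.parse(fs.readFileSync("package-lock.json"))`; a "vulnerable" finding for any react-server-dom package means the RSC deserialization path is exposed even if the app defines no Server Functions of its own.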