Developers using React Server Components (RSC) face a critical security threat following the disclosure of a maximum-severity vulnerability. The flaw, tracked as CVE-2025-55182, can allow an attacker to execute arbitrary code remotely on a vulnerable server, putting any application built on RSC at risk. The React Team confirmed the severity of the issue and urged affected users to upgrade immediately.
The React Team announced CVE-2025-55182 on December 3, 2025, rating it CVSS 10.0, the maximum score. The vulnerability lies in how React decodes the payload of requests sent to React Server Function endpoints. Cloud security firm Wiz characterized it as a logical deserialization vulnerability: an unauthenticated attacker can send a specially crafted HTTP request to a Server Function endpoint, and when React processes that payload the result can be execution of attacker-controlled JavaScript on the server. Any application that exposes a Server Function endpoint is therefore reachable before authentication.
Critical React Server Components (RSC) Vulnerability and Its Implications
The vulnerability affects the npm packages that implement React Server Components: `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack`. Versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of these packages are affected. The React Team has released patched versions 19.0.1, 19.1.2, and 19.2.1, one for each affected minor line, and recommends that all users of vulnerable packages upgrade immediately. These packages are usually pulled in transitively by a framework rather than declared directly in `package.json`, so check the resolved version in the lockfile rather than only the declared dependencies.
New Zealand-based security researcher Lachlan Davidson is credited with discovering and reporting the flaw on November 29, 2025. This timely disclosure has allowed developers to begin patching their applications before potential exploits become widespread.
Broader Impact Across Next.js and Other Frameworks
Beyond the core React packages, the vulnerability also affects Next.js applications that use the App Router. This instance has been assigned its own identifier, CVE-2025-66478, also rated CVSS 10.0. Affected Next.js versions are 14.3.0-canary.77 and later canaries, and versions 15 and 16 prior to the patched releases. Next.js has released a patched release for each affected minor line: 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, and 15.0.5. No fixed 14.x release is listed, so projects on a 14.3 canary need to move to a patched 15.x or 16.x release.
Furthermore, the vulnerability’s nature means that any open-source library or framework that bundles React Server Components is likely to be susceptible. This includes, but is not limited to, Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodJS, and Waku. Developers using these tools are advised to check for specific updates from their respective projects.
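The version lists above are easy to misread when the affected packages arrive transitively, so here is a small audit script that checks resolved versions against the ranges given for the `react-server-dom-*` packages (CVE-2025-55182) and Next.js (CVE-2025-66478). It is an added example written for this page, not code from the React or Next.js projects or their advisories; the dependency map it reads is constructed, the semver comparison is a minimal one written here, and the other frameworks named above (Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodJS, Waku) carry their own version numbers and are not covered by it.

```javascript
// Added example: audit a resolved dependency list against the version ranges
// the article gives for CVE-2025-55182 (react-server-dom-* packages) and
// CVE-2025-66478 (Next.js). Illustrative code, not from React or Next.js.
// Run with: node rsc-version-audit.js

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (a leading "v" is tolerated).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}

// Semver ordering: compare the numeric core, then prerelease identifiers.
// A prerelease (14.3.0-canary.77) sorts before its release (14.3.0), and
// numeric identifiers compare as numbers so canary.100 > canary.77.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (!pa.pre.length && !pb.pre.length) return 0;
  if (!pa.pre.length) return 1;
  if (!pb.pre.length) return -1;
  for (let i = 0; i < Math.max(pa.pre.length, pb.pre.length); i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    if (x === y) continue;
    const bothNumeric = /^\d+$/.test(x) && /^\d+$/.test(y);
    if (bothNumeric) return Number(x) < Number(y) ? -1 : 1;
    return x < y ? -1 : 1;
  }
  return 0;
}

// First fixed release per affected minor line, as listed in the article.
const RSC_PACKAGES = ['react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack'];
const RSC_FIXED = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };
const NEXT_FIXED = {
  '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6', '15.3': '15.3.6',
  '15.4': '15.4.8', '15.5': '15.5.7', '16.0': '16.0.7',
};
const NEXT_CANARY_FLOOR = '14.3.0-canary.77'; // earliest affected 14.x canary

const minorLine = (v) => { const p = parseVersion(v); return `${p.nums[0]}.${p.nums[1]}`; };

// Compare an installed version with the fixed release for its minor line.
// status: 'vulnerable' | 'patched' | 'not-listed' (outside the article's ranges).
function assessAgainstTable(version, table) {
  const fixedIn = table[minorLine(version)];
  if (!fixedIn) return { status: 'not-listed', fixedIn: null };
  return { status: compareVersions(version, fixedIn) < 0 ? 'vulnerable' : 'patched', fixedIn };
}

function assessRsc(version) {
  return assessAgainstTable(version, RSC_FIXED);
}

function assessNext(version) {
  if (parseVersion(version).nums[0] === 14) {
    // 14.3.0-canary.77 and later are affected and no fixed 14.x release is
    // listed, so the only remedy is moving to a patched 15.x or 16.x line.
    return compareVersions(version, NEXT_CANARY_FLOOR) >= 0
      ? { status: 'vulnerable', fixedIn: null }
      : { status: 'not-listed', fixedIn: null };
  }
  return assessAgainstTable(version, NEXT_FIXED);
}

// Walk a flat {name: resolvedVersion} map. Build it from the lockfile, not
// package.json, because the react-server-dom-* packages are usually transitive.
function auditDependencies(deps) {
  const findings = [];
  for (const [name, version] of Object.entries(deps)) {
    if (RSC_PACKAGES.includes(name)) findings.push({ name, version, cve: 'CVE-2025-55182', ...assessRsc(version) });
    else if (name === 'next') findings.push({ name, version, cve: 'CVE-2025-66478', ...assessNext(version) });
  }
  return findings;
}

// Constructed sample input for this example, not taken from any real project.
const SAMPLE_DEPENDENCIES = {
  'react-server-dom-webpack': '19.2.0', // affected, fixed in 19.2.1
  'react-server-dom-parcel': '19.1.2',  // already patched
  'next': '15.4.7',                     // affected, fixed in 15.4.8
  'react': '19.2.0',                    // not among the packages the article lists; skipped
};

for (const f of auditDependencies(SAMPLE_DEPENDENCIES)) {
  const remedy = f.status === 'vulnerable' ? ` -> upgrade to ${f.fixedIn ?? 'a patched 15.x/16.x release'}` : '';
  console.log(`${f.name}@${f.version}: ${f.status} (${f.cve})${remedy}`);
}
```

The `not-listed` status is deliberately distinct from `patched`: a version outside the ranges the advisory names (an older React 18 RSC build, a Next.js 14.2 release) is not confirmed safe by this check, only not covered by it, and should be handled by the project's own guidance rather than treated as clean.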
Widespread Exploitation Potential and Mitigation Strategies
Cloud security firm Wiz reports that a significant portion of cloud environments, approximately 39%, have instances vulnerable to CVE-2025-55182 and/or CVE-2025-66478. This indicates a broad attack surface for threat actors. Given the critical severity of these vulnerabilities and the potential for remote code execution, it is imperative for developers and system administrators to apply the available patches as soon as possible to secure their applications and data.
The swift patching by React and Next.js is a positive step, but the ongoing security of applications built with RSC depends on vigilant monitoring and prompt application of updates across the entire ecosystem. Users should remain aware of any further security advisories related to React Server Components and their associated libraries.

