
React Server Components Critical RCE Vulnerability CVE-2025-55182

Published: Fri 05 December 2025

Prepared by: Adam Skupien, Vulnerability Security Analyst

Purpose

A critical unauthenticated remote code execution (RCE) vulnerability has been disclosed in React Server Components, tracked as CVE-2025-55182. It affects popular packages used by modern web frameworks (including Next.js App Router) and is rated CVSS 10.0 (Critical). The Australian Cyber Security Centre (ACSC) has issued a Critical alert and recommends immediate patching.

Vulnerability details

CVE-2025-55182 is an unauthenticated remote code execution (RCE) vulnerability in the way React Server Components / Server Functions handle incoming payloads. A remote attacker can trigger the flaw with a single crafted HTTP request to an exposed RSC or Server Function endpoint, potentially gaining code execution on the application server.

Affected packages and versions

The following React Server Components packages are affected in versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

Applications are not impacted if they either:

  • do not use a server at all; or

  • do not use any framework, bundler, or plugin that supports React Server Components.

However, if your app does use a server and supports React Server Components, it should be treated as potentially vulnerable even if you have not implemented any React Server Function endpoints.

Affected frameworks and bundlers

The vulnerability impacts any framework or tooling that bundles the affected packages, including (but not limited to):

  • Next.js (App Router) using React Server Components
    • Next.js tracks this issue as CVE-2025-66478, which the National Vulnerability Database has rejected as a duplicate of CVE-2025-55182; both identifiers refer to the same vulnerability.
  • React Router RSC preview integrations
  • Vite with @vitejs/plugin-rsc
  • Parcel with @parcel/rsc
  • Redwood via rwsdk
  • Waku and other emerging RSC-enabled frameworks

At the time of writing there are no confirmed reports of in-the-wild exploitation of CVE-2025-55182. However, public proof-of-concept (PoC) exploit code is already available and checks for the vulnerability have been added to common scanners; given the ease and reliability of exploitation, broad attack activity is expected in the short term.

Impact

Successful exploitation can give an attacker remote code execution on the application server, leading to:

  • Full compromise of affected web applications and their data.
  • Theft of secrets (API keys, tokens, environment variables) and access to connected systems.
  • Potential lateral movement within your environment and business disruption.

Because the flaw is exploitable without authentication over the network and is present in default configurations, internet-facing services running affected React/Next.js versions are at very high risk.

Mitigation actions

Apply patches immediately (preferred)

  1. Update React/RSC packages to fixed versions:
    • react-server-dom-* → 19.0.1, 19.1.2 or 19.2.1 (or later).
  2. Update affected frameworks following vendor guidance, e.g.:
    • Next.js → latest patched version in your branch (e.g. 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7).
  3. Redeploy all impacted services and verify versions via your package manager.

For detailed product-specific steps, refer to the React blog's upgrade instructions for React and frameworks.

If you cannot patch immediately (short-term risk reduction only)

  • Restrict access to RSC/Server Function endpoints (VPN, internal networks, reverse proxies).
  • Enable vendor WAF rules or virtual patches for CVE-2025-55182 / React2Shell patterns where available.
  • Where feasible, disable React Server Components and fall back to non-RSC modes until patched.

Detection capabilities

  • Enable and monitor WAF/HTTP telemetry

    • Ensure WAF protections are enabled on internet-facing applications and that WAF + HTTP logs are forwarded to a central SIEM.

    • Turn on any vendor rulesets for CVE-2025-55182 / “React2Shell” (e.g. Google Cloud Armor, AWS WAF, Cloudflare WAF, and other provider-specific signatures) and alert on rule hits.

  • Watch for suspicious web requests to RSC / Server Function endpoints

    • Look for spikes in unauthenticated requests to React Server Component / Server Function routes.

    • Flag unusual request patterns, such as much larger-than-normal bodies or atypical sequences of requests.

    • Correlate WAF alerts/blocks referencing React/Next.js RCE or CVE-2025-55182 with these endpoints.

  • Correlate with host / EDR telemetry

    • On hosts and containers running the application runtime (e.g. Node.js processes, serverless functions), alert on unexpected child processes spawned by the runtime, suspicious script execution, or use of network or administration utilities.

    • Monitor for new or unusual outbound connections from application hosts/containers to untrusted or atypical destinations, especially following suspicious web activity.

Triskele Labs support

  • MDR customers: Triskele Labs is actively monitoring for behaviours consistent with exploitation of CVE-2025-55182 across supported log sources.
  • Vulnerability Management customers: environments are being assessed for vulnerable React/Next.js versions; any exposure will be communicated via priority channels.
