DEV Community

Arina Cholee

CVSS 10.0 RCE Rocks the Frontend World: React/Next.js Hit by a Log4Shell‑Level Vulnerability?

December 4th, 2025 — A day the frontend ecosystem won’t forget.

If Log4Shell was Java’s nightmare in 2021, then today’s disclosure of CVE‑2025‑55182 (Next.js counterpart CVE‑2025‑66478) marks the darkest hour of the modern React/Next.js full‑stack era.

A CVSS score of 10.0, unauthenticated RCE, and impact across React 19, Next.js 15/16, and any framework implementing React Server Components (RSC).

If you're reading this before coffee:

drop everything and check your versions.

React’s core team has officially confirmed a critical remote code execution vulnerability inside the implementation of React Server Components — and it’s as bad as it sounds.

1. Technical Breakdown: The Achilles’ Heel of React Server Components

To understand the issue, we need to understand how RSC moves data.

The “Flight” Protocol and Serialization

React Server Components rely on a streaming, JSON‑like protocol called Flight:

  • Server → Client: Component trees are serialized and streamed.
  • Client → Server: Server Actions send serialized parameters back to the server.

The Fatal Problem: Unsafe Deserialization

According to the React security advisory, the root cause lies in how react-server and its adapters (e.g., react-server-dom-webpack) handle incoming requests.

What went wrong:

  • The server trusts the structure of the serialized payload sent from the client.
  • A malicious actor can craft a malformed RSC Flight payload.
  • When parsed, this payload abuses React’s internal object restoration logic.
  • The server ends up restoring malicious data as executable functions.
  • Result: Arbitrary JavaScript execution within the server process.

In short:

This is a classic unsafe deserialization vulnerability, amplified by RSC’s complexity and deep integration across frameworks.

2. Impact Assessment: Who’s in the Blast Radius?

This issue affects anyone running React’s official RSC implementation.

Affected React Versions

  • 19.0.0
  • 19.0.1 (early builds did not fully patch)
  • 19.1.x
  • 19.2.0

Affected Next.js Versions (App Router)

Due to deep RSC integration, these Next.js releases are vulnerable:

  • 15.0.0–15.0.4
  • 15.1.0–15.1.8
  • 15.2.x–15.5.6
  • 16.0.0–16.0.6
  • Canary 14.3.0‑canary.77 and later

Other frameworks

  • Waku
  • RedwoodJS (RSC mode)
  • Any custom system using react-server-dom-webpack or react-server-dom-*

Only the old Pages Router (Client Components only) is not affected.

3. Official Fixes: Upgrade Immediately

Both the React team and Vercel have pushed out patched builds.

Option 1 — Upgrade (Strongly Recommended)

Next.js

# Next.js v16
npm install next@16.0.7

# Next.js v15
npm install next@15.5.7
# or 15.4.8, 15.3.6, 15.2.6, 15.1.9, 15.0.5

React / Custom Integrations

npm install react@19.2.1 react-dom@19.2.1

Official secure versions include: 19.0.1, 19.1.2, 19.2.1.

4. Temporary Mitigation: WAF‑Level Defense

If you can’t deploy application code right away (freeze period, enterprise CI restrictions, etc.), you must rely on network‑layer protection.

Major Cloud Providers

  • Cloudflare and AWS have already updated their managed WAF rule sets to block malformed Flight protocol payloads targeting RSC endpoints.

Manual Rules

You can temporarily block POST requests to RSC-related routes that show any of the following:

  • abnormal Content-Type
  • excessively long payloads
  • uncommon Flight packet structures

This may cause false positives, so apply cautiously.
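As an added example (not a rule from any vendor's WAF), here is the manual screen above expressed as a JavaScript predicate over a plain request description, run over constructed sample requests that cover each criterion. The Next-Action / RSC header check, the size ceiling and the allowed Content-Type list are assumptions to adjust for your deployment.

```javascript
// Manual screening of POST requests to RSC / Server Action routes, modelled on the three
// criteria above. Assumptions: headers arrive lower-cased (as in Node's req.headers); Next.js
// marks Server Action POSTs with a Next-Action header and RSC fetches with RSC: 1 (verify
// against your own traffic); the size ceiling and type list are tunable starting points.
const MAX_BODY_BYTES = 64 * 1024; // assumed ceiling; set above your largest legitimate payload
const ALLOWED_TYPES = ["text/plain", "multipart/form-data", "application/x-www-form-urlencoded"];

function isRscRelated(req) {
  const h = req.headers;
  return req.method === "POST" && ("next-action" in h || h["rsc"] === "1");
}

// Returns { allow, reason } so the decision can be logged before it is enforced.
function screenRequest(req) {
  if (!isRscRelated(req)) return { allow: true, reason: "not an RSC/Server Action POST" };
  const body = req.body ?? "";
  const ct = (req.headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (!ALLOWED_TYPES.includes(ct)) {
    return { allow: false, reason: `abnormal Content-Type: ${ct || "(missing)"}` };
  }
  const declared = req.headers["content-length"];
  const len = declared !== undefined ? Number(declared) : Buffer.byteLength(body, "utf8");
  if (!Number.isFinite(len) || len > MAX_BODY_BYTES) {
    return { allow: false, reason: `payload too large: ${declared ?? len} bytes` };
  }
  // Crude structural check: a text action payload should not carry raw control bytes.
  if (ct === "text/plain" && /[\x00-\x08\x0B\x0C\x0E-\x1F]/.test(body)) {
    return { allow: false, reason: "control bytes in text payload" };
  }
  return { allow: true, reason: "passed manual checks" };
}

// Constructed sample requests (not captured traffic) covering each rule.
const SAMPLE_REQUESTS = [
  { id: "normal-action", method: "POST", body: '["hello"]',
    headers: { "next-action": "a1b2c3", "content-type": "text/plain;charset=UTF-8" } },
  { id: "page-get", method: "GET", body: "", headers: {} },
  { id: "wrong-type", method: "POST", body: "data",
    headers: { "next-action": "a1b2c3", "content-type": "application/octet-stream" } },
  { id: "oversized", method: "POST", body: "",
    headers: { "next-action": "a1b2c3", "content-type": "text/plain", "content-length": "5242880" } },
  { id: "binary-junk", method: "POST", body: "ok\x00\x01",
    headers: { rsc: "1", "content-type": "text/plain" } },
];

// Run the screen over a batch and return one log-style decision per request.
function screenAll(requests = SAMPLE_REQUESTS) {
  return requests.map((r) => ({ id: r.id, ...screenRequest(r) }));
}
```

Log the `reason` field for a while before switching from observe to block; that is where the false positives the text warns about will show up.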

Additional Note: SafeLine WAF

If you're using SafeLine, its anomaly-detection engine is already effective at identifying non-standard serialization payloads and malformed RSC request patterns, making it a helpful buffer until you can deploy the official patch. (Still patch ASAP: a WAF mitigates, it does not replace the update.)

5. The Bigger Picture: The Cost of Going “Full‑Stack”

In their disclosure, the React team openly acknowledged a growing truth:

As React blurs the boundary between frontend and backend, its security model becomes exponentially more complex.

Server Actions make full‑stack development feel magical: write SQL inside a component, call it like a function, skip building REST endpoints. But that magic comes with risk:

  • More server logic becomes reachable via the browser.
  • RSC introduces a highly dynamic, complex serialization layer.
  • Any flaw in validation or deserialization becomes catastrophic.

CVE‑2025‑55182 is not just a bug.
It’s a warning about the direction of modern full‑stack frameworks — convenience stretching the attack surface wider than ever.

If your stack involves React 19 or Next.js 15/16, this is a drop‑everything moment.
Patch now, deploy now, then audit your RSC endpoints and CI/CD pipeline.

And maybe, as a community, it’s time to rethink how much trust we place in invisible full‑stack abstractions.
