Brijesh Dobariya for CodedThemes

Posted on • Originally published at Medium

Critical Security Vulnerability in React Server Components

A critical Remote Code Execution (RCE) vulnerability has been disclosed in React Server Components (RSC). This vulnerability allows an unauthenticated attacker to execute arbitrary code on your server by sending a single, maliciously crafted HTTP request.
This is a severity 10.0 (Critical) issue. If you are running Next.js, React Router (RSC), or using react-server-dom-* packages directly, your application is likely vulnerable by default.

Why This Is Critical

Most RCE vulnerabilities require an authenticated user or a complex gadget chain. This one does not.

  • No Authentication Required: The attack vector is exposed to the public internet.

  • Default Configuration Vulnerability: You do not need to be using "Server Actions" explicitly to be vulnerable. The vulnerability lies in the underlying protocol ("Flight") that processes requests.

  • Trivial Exploitation: Attackers can compromise the server using standard HTTP POST requests containing serialized payloads.

The Technical Issue: Unsafe Deserialization

The vulnerability resides in how React Server Components deserialize data from the client.
RSC uses the React Flight protocol to communicate between the client and server. The server deserializes incoming payloads to resolve module exports and function calls. The flaw allows an attacker to manipulate this deserialization process to inject malicious structures.
Because the server fails to validate the payload structure before processing it, an attacker can trick the server into executing arbitrary JavaScript code under the Node.js runtime.

Affected Versions

If you are using React 19.x with Server Components, check your versions immediately.
The vulnerability affects the following packages in versions 19.0.0 through 19.2.0:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

Frameworks Impacted:

  • Next.js: Versions 15.x and 16.x are directly affected.
  • Waku, RedwoodJS, React Router (RSC): Any framework relying on the affected React packages.

How to Fix

You must upgrade your dependencies immediately. The React team and framework maintainers have released patches.

  1. Update React Dependencies: Upgrade to one of the following patched releases (or newer):
  • v19.0.1
  • v19.1.2
  • v19.2.1

Further follow-up patches (19.0.3+) were released to address secondary DoS vectors, so upgrade to the latest version available in your line rather than stopping at the first patched release.

  2. Update Your Framework: If you use Next.js, upgrade to the latest patch release in your version line (e.g., Next.js 15.0.5+ or 16.0.7+).
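To confirm the upgrade actually landed in every copy of the affected packages (nested duplicates under node_modules are easy to miss), here is an added example, not code from the original post or the React project, that walks the "packages" map of a lockfileVersion 2/3 package-lock.json and flags any react-server-dom-* install below the patched release for its minor line. The lockfile contents are constructed for the demonstration.

```javascript
// Added example (not from the original post): audit a package-lock.json "packages" map for
// react-server-dom-* versions that predate the patched releases named in the advisory above.
const AFFECTED_PACKAGES = ['react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack'];
// First patched release in each React 19 minor line; anything below it in that line is affected.
const PATCHED_BY_MINOR = { 0: '19.0.1', 1: '19.1.2', 2: '19.2.1' };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Returns the patched version to upgrade to if `version` is in the affected range, else null.
function fixFor(version) {
  const p = parseVersion(version);
  if (!p || p[0] !== 19) return null;       // only React 19.x is in scope
  const fixed = PATCHED_BY_MINOR[p[1]];
  if (fixed === undefined) return null;     // 19.3+ is outside the stated range
  return p[2] < parseVersion(fixed)[2] ? fixed : null;
}

// Walks every installed copy, including nested ones under node_modules/<dep>/node_modules/.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue;               // "" is the root project entry, not a dependency
    const name = path.slice(idx + 'node_modules/'.length);
    if (!AFFECTED_PACKAGES.includes(name)) continue;
    const upgradeTo = fixFor(meta.version);
    if (upgradeTo) findings.push({ path, name, version: meta.version, upgradeTo });
  }
  return findings;
}

// Constructed sample lockfile: a vulnerable hoisted copy, a vulnerable nested copy, and a patched one.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/next/node_modules/react-server-dom-turbopack': { version: '19.1.1' },
    'node_modules/react-server-dom-parcel': { version: '19.0.1' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.name}@${f.version} is affected; upgrade to ${f.upgradeTo} or newer`);
}
```

Point `auditLockfile` at `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to run it against a real project; an empty result means no affected version remains installed anywhere in the tree.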

Important Update for CodedThemes Users

We have rolled out a mandatory security update across all CodedThemes React templates. This release addresses the recent React Server Components vulnerability (including CVE-2025-55182). We strongly recommend all users update their templates to this latest version to mitigate any potential remote code execution risks.
This is not a theoretical risk; exploitation has been observed in the wild. The attack surface is wide, and the barrier to entry for attackers is low.

Patch your production environments immediately.

Read the Official Advisory
