A maximum-severity security flaw has been disclosed in React Server Components (RSC) that, if successfully exploited, could result in remote code execution.
The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0.
It allows “unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints,” the React Team said in an alert issued today.
“Even if your app does not implement any React Server Function endpoints, it may still be vulnerable if your app supports React Server Components.”
According to cloud security firm Wiz, the issue is a case of logical deserialization that stems from processing RSC payloads in an unsafe manner. As a result, an unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves execution of arbitrary JavaScript code on the server.
The vulnerability impacts versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of the following npm packages –
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
It has been addressed in versions 19.0.1, 19.1.2, and 19.2.1. New Zealand-based security researcher Lachlan Davidson has been credited with discovering and reporting the flaw on November 29, 2025.
It’s worth noting that the vulnerability also affects Next.js using App Router. The issue has been assigned the CVE identifier CVE-2025-66478 (CVSS score: 10.0). It impacts versions >=14.3.0-canary.77, >=15, and >=16. Patched versions are 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, and 15.0.5.
That said, any library that bundles RSC is likely to be affected by the flaw. This includes, but is not limited to, Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodJS, and Waku.
Wiz said 39% of cloud environments have instances vulnerable to CVE-2025-55182 and/or CVE-2025-66478. In light of the severity of the vulnerability, it’s advised that users apply the fixes as soon as possible for optimal protection.
