The React team released a security advisory regarding a critical vulnerability, CVE-2025-55182, in React Server Components that could allow an unauthenticated, remote attacker to perform remote code execution on an affected device or system.
Severity level:-
CVSS Score: 10.0 / Critical.
Description:- The vulnerability has been identified in the “Flight” protocol of React Server Components (React, also known as React.js or ReactJS) and affects React 19 ecosystems and frameworks that implement it, most notably Next.js. The issue arises from insecure deserialization that allows unauthenticated remote code execution (RCE). When a malicious actor crafts a specific HTTP request, the flaw in React's deserialization process can enable them to execute arbitrary code on an unpatched server.
Affected Versions:-
- React Server Components versions 19.0, 19.1.0, 19.1.1, and 19.2.0
- Next.js version 14.3.0-canary.77, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 and 16.0.7
Impact:-
An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server. Exploit code is publicly available and exploitation is actively occurring.
Resolution:-
Administrators should upgrade to the latest patched version in their release line (see the React advisory linked below).
Reference:-
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
https://nvd.nist.gov/vuln/detail/CVE-2025-55182
https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
https://www.cyber.gc.ca/en/alerts-advisories/react-security-advisories-av25-804
UIT Information Security
