Critical RCE Vulnerability in React Server Components and Next.js (CVE-2025-55182)

A critical Remote Code Execution (RCE) vulnerability, identified as CVE-2025-55182, has been discovered in React Server Components (RSC) and Next.js applications. This security flaw stems from unsafe deserialization within the “Flight” protocol used by React, allowing unauthenticated attackers to execute arbitrary code on affected servers. Given the widespread use of Next.js and the flaw’s severity (CVSS 10.0), immediate remediation is crucial.

Affected Products and Versions

The vulnerability impacts React Server Components (RSC) and applications built with Next.js that use the App Router. Server Actions (called Server Functions in React 19) are a stable part of the App Router, not an experimental feature, and the action-dispatch endpoint they rely on is the exposed attack surface. Specifically, the following packages are affected:

React Server Components (RSC), i.e. the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages that implement the server side of the Flight protocol:
– Versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0

Next.js:
– Versions 15.x and 16.x using the App Router (applications that use only the Pages Router do not render Server Components)

Why This Matters

React Server Components and Next.js power thousands of modern web applications, including enterprise-grade platforms. An RCE vulnerability of this nature could lead to full system compromise, data breaches, and unauthorized access to sensitive information.

Vulnerability Details and Exploitation

How the Vulnerability Works

The flaw is in the server side of the Flight protocol, the wire format React uses to serialize data between client and server and, in particular, to carry the arguments of a Server Action from the browser to the server. A maliciously crafted POST request sent to the root path carries:
1. A `Next-Action` header that routes the request to the server-action handler
2. A multipart form-data body whose fields contain malformed Flight-encoded data

The server deserializes that attacker-controlled body before it can reject it, so the deserializer itself is the vulnerable component (insecure deserialization). Because the arguments are deserialized before the action's own code, and any authentication check inside it, ever runs, a crafted payload lets an unauthenticated attacker execute arbitrary code on the server.

Attack Scenarios

Unauthenticated attackers can send the crafted request to any internet-reachable vulnerable endpoint; no account, session or prior foothold is required.
Once code runs on the server, attackers can deploy malware, read secrets and application data, or pivot to other systems in the hosting environment.
The combination of no authentication, a single HTTP request and a widely deployed framework makes this attack vector highly exploitable.

Detection and Mitigation Strategies

How to Detect the Vulnerability

Security firms like Detectify have released automated scans to identify affected applications. The test involves:
– Sending a safe, controlled POST request with the headers the exploit uses, but without a harmful payload.
– Analyzing server responses for error patterns indicative of the vulnerable deserializer.
Checking the installed versions of next and the react-server-dom-* packages is the more definitive test, since it does not depend on how the server happens to report errors.

Mitigation and Patch Availability

1. Immediate Patching (Recommended)

React Server Components (RSC):
– Upgrade to v19.0.1, v19.1.2, or v19.2.1 (or later).
Next.js:
– Update to the fixed release of your minor line: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 or 16.0.7 (or later). "15.0.5 or later" is not sufficient on its own: 15.1.0 through 15.1.8, for example, are newer than 15.0.5 and still vulnerable. Confirm the exact versions against the official Next.js advisory.
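The two version lists above (affected react-server-dom-* releases and fixed Next.js releases) are easy to misread as "anything newer is fine", so the following added example, written for this article and not code from the React or Next.js projects, checks a package-lock.json against the fixed releases per minor line. The react-server-dom-* versions and the Next.js 15.0.5 / 16.0.7 releases come from the article; the remaining Next.js 15.x patch releases are this editor's reading of the upstream advisory and should be re-checked against it. `SAMPLE_LOCK` is a constructed lockfile excerpt, not a real project.

```javascript
// Added example, not from the article or from the React / Next.js projects.
// Checks installed versions of the packages in scope for CVE-2025-55182
// against the fixed releases. The react-server-dom-* versions and the Next.js
// 15.0.5 / 16.0.7 releases come from the article; the remaining Next.js 15.x
// patch releases are the editor's reading of the upstream advisory and should
// be re-checked against it before use.

const FIXED_RELEASES = {
  // The react-server-dom-* packages carry the server side of the Flight
  // protocol and share React's version numbers.
  'react-server-dom-webpack':   ['19.0.1', '19.1.2', '19.2.1'],
  'react-server-dom-parcel':    ['19.0.1', '19.1.2', '19.2.1'],
  'react-server-dom-turbopack': ['19.0.1', '19.1.2', '19.2.1'],
  // Next.js shipped one fixed release per minor line.
  'next': ['15.0.5', '15.1.9', '15.2.6', '15.3.6', '15.4.8', '15.5.7', '16.0.7'],
};

// Major versions the advisory lists as affected; anything else is out of scope.
const AFFECTED_MAJORS = {
  'react-server-dom-webpack': [19],
  'react-server-dom-parcel': [19],
  'react-server-dom-turbopack': [19],
  'next': [15, 16],
};

function parseVersion(text) {
  // Accepts "15.3.2", "^15.3.2", "v19.2.1-canary.3"; the prerelease tag is kept separately.
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(text.trim().replace(/^[\^~=v]/, ''));
  if (!m) throw new Error(`unparseable version: ${text}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  // A prerelease (19.2.1-canary.3) sorts before the final release it precedes;
  // ordering between two prereleases is not needed here.
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// Returns { vulnerable, fixedIn, reason } for one package at one version.
function assess(pkg, version) {
  if (!(pkg in FIXED_RELEASES)) {
    return { vulnerable: false, fixedIn: null, reason: 'package not in scope' };
  }
  const v = parseVersion(version);
  if (!AFFECTED_MAJORS[pkg].includes(v.major)) {
    return { vulnerable: false, fixedIn: null, reason: `major version ${v.major} is not affected` };
  }
  const fixed = FIXED_RELEASES[pkg].map(parseVersion);
  const line = fixed.find(f => f.major === v.major && f.minor === v.minor);
  if (line) {
    const fixedIn = `${line.major}.${line.minor}.${line.patch}`;
    return compareVersions(v, line) < 0
      ? { vulnerable: true, fixedIn, reason: `${version} is below fixed release ${fixedIn}` }
      : { vulnerable: false, fixedIn, reason: `${version} is at or above ${fixedIn}` };
  }
  // No fixed release on this minor line: a line newer than every fixed line
  // was cut after the fix (assumption); anything else is treated as vulnerable.
  const newest = fixed.filter(f => f.major === v.major).sort(compareVersions).pop();
  if (newest && compareVersions(v, newest) > 0) {
    return { vulnerable: false, fixedIn: null, reason: 'minor line released after the fix' };
  }
  return { vulnerable: true, fixedIn: null, reason: 'no fixed release known for this line; check the advisory' };
}

// Walks a package-lock.json (lockfileVersion 2 or 3) "packages" map, which
// keys every installed copy by its node_modules path, so nested duplicates
// are checked too.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!(name in FIXED_RELEASES) || !meta.version) continue;
    findings.push({ path, name, version: meta.version, ...assess(name, meta.version) });
  }
  return findings;
}

// Constructed lockfile excerpt for this example (not a real project).
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/next': { version: '15.3.2' },
    'node_modules/react': { version: '19.1.0' },
    'node_modules/react-dom': { version: '19.1.0' },
    'node_modules/react-server-dom-webpack': { version: '19.1.0' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.name}@${f.version}: ${f.vulnerable ? 'VULNERABLE' : 'ok'} (${f.reason})`);
}
```

On a real project, replace `SAMPLE_LOCK` with the parsed contents of package-lock.json; the walk over `packages` is what catches a second, nested copy of next or react-server-dom-webpack that `npm ls` output is easy to overlook.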

2. Temporary Workarounds (If Patching Isn’t Immediately Possible)

Web Application Firewall (WAF) Rules:
– Block requests with a `Next-Action` header that do not come from your own origin or that name an action ID your build never produced, and requests whose multipart body is malformed (for example, `multipart/form-data` with no boundary parameter).
Limitations: blocking every request that carries a `Next-Action` header also blocks every legitimate Server Action in the application, so the rule must be narrower than that. It is not a permanent fix, can still produce false positives on legitimate traffic, and does not protect the server from a payload that passes the rule.

Disable Server Actions (Temporary Measure):
– Server Actions are a standard App Router feature, not an experimental one. If the application can function without them, consider removing or stubbing out the actions it defines until the patch is applied; an action that no longer exists in the build cannot be dispatched.
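The WAF advice above is only workable if the rule is narrower than "drop anything with a `Next-Action` header". The following added example, written for this article and not Next.js's own code, is a request-gating decision that a WAF rule or a Next.js middleware could apply while a patch is pending. It assumes that Server Action IDs are hex strings fixed at build time and can be collected from the application's own build output into `KNOWN_ACTION_IDS`; the IDs, host names and requests in the block are constructed placeholders.

```javascript
// Added example, not Next.js's own code: a request-gating rule for the
// pre-patch window. Assumptions, labelled here: action IDs are hex strings
// fixed at build time and can be collected from the app's build output into
// KNOWN_ACTION_IDS; the IDs below are constructed placeholders.

const KNOWN_ACTION_IDS = new Set([
  '7d1e0b3c9f5a4e2d8c6b1a0f3e5d7c9b2a4f6e8d01', // constructed, e.g. "updateProfile"
  '2a4f6e8d017d1e0b3c9f5a4e2d8c6b1a0f3e5d7c9b', // constructed, e.g. "addToCart"
]);

// Splits "multipart/form-data; boundary=abc" into { type, params }.
function parseContentType(value) {
  const [type, ...rest] = value.split(';').map(s => s.trim());
  const params = {};
  for (const p of rest) {
    const eq = p.indexOf('=');
    if (eq > 0) {
      params[p.slice(0, eq).trim().toLowerCase()] = p.slice(eq + 1).trim().replace(/^"|"$/g, '');
    }
  }
  return { type: type.toLowerCase(), params };
}

// req: { method, headers } with header names lower-cased, as Node and the
// Fetch API present them. Returns { decision: 'allow' | 'block', reasons }.
function gateRequest(req) {
  const h = req.headers;
  const reasons = [];
  const action = h['next-action'];
  const ct = parseContentType(h['content-type'] || '');

  if (action !== undefined) {
    // Server Actions are dispatched with POST; anything else is a probe.
    if (req.method !== 'POST') reasons.push('Next-Action on a non-POST request');
    if (!/^[0-9a-f]+$/i.test(action)) {
      reasons.push('Next-Action is not a hex action id');
    } else if (!KNOWN_ACTION_IDS.has(action.toLowerCase())) {
      reasons.push('Next-Action id was not produced by this build');
    }
    // Next.js compares Origin with Host for Server Actions itself; repeating
    // the check at the edge rejects cross-site probes before they reach the app.
    if (h.origin && h.host) {
      let originHost = null;
      try { originHost = new URL(h.origin).host; } catch { /* unparsable Origin stays null */ }
      if (originHost !== h.host) reasons.push('Origin does not match Host');
    }
  }

  // The exploit relies on a malformed multipart body; a body that claims
  // multipart/form-data without a boundary cannot be a browser form post.
  if (ct.type === 'multipart/form-data' && !ct.params.boundary) {
    reasons.push('multipart/form-data without a boundary parameter');
  }

  return { decision: reasons.length ? 'block' : 'allow', reasons };
}

// Constructed requests showing one legitimate action call and one probe.
const LEGIT = {
  method: 'POST',
  headers: {
    host: 'app.example',
    origin: 'https://app.example',
    'content-type': 'multipart/form-data; boundary=----FormBoundaryAbC123',
    'next-action': '7d1e0b3c9f5a4e2d8c6b1a0f3e5d7c9b2a4f6e8d01',
  },
};
const PROBE = {
  method: 'POST',
  headers: {
    host: 'app.example',
    'content-type': 'multipart/form-data',
    'next-action': 'ffffffffffffffffffffffffffffffffffffffffff',
  },
};

console.log('legit:', gateRequest(LEGIT));
console.log('probe:', gateRequest(PROBE));
```

In a Next.js middleware you would build `req` from the incoming request's method and headers and return a 403 response when `decision` is `block`; on a WAF the same four conditions map onto header-presence, header-value and content-type match rules. The block is a stop-gap, not a fix: a request that carries a known action ID from the right origin with a well-formed multipart body still reaches the vulnerable deserializer.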

Impact and Risks

Potential Consequences of Exploitation

Complete system compromise due to arbitrary code execution.
Data breaches from unauthorized access to sensitive information.
Regulatory fines if compliance (e.g., GDPR, HIPAA) is violated.

Who Is Most at Risk?

Next.js developers using App Router or Server Actions.
Enterprises running React-based applications with exposed endpoints.
Cloud-hosted applications where attackers can probe for vulnerabilities remotely.

Conclusion

The CVE-2025-55182 vulnerability in React Server Components and Next.js is a critical security threat that demands immediate action. Developers and IT teams should prioritize patching and implement temporary mitigations if needed.

Frequently Asked Questions (FAQs)

1. How do I know if my Next.js app is vulnerable?

– If you're using Next.js 15.x or 16.x with the App Router (including Server Actions), assume you are affected until the installed versions of next and the react-server-dom-* packages are confirmed to be at or above the fixed releases listed above.
– Run a security scan (e.g., Detectify) to confirm.

2. Can WAF rules completely protect me?

No, WAF rules are a temporary workaround but not a full fix. Patching is the only reliable solution.

3. What should I do if I can’t patch immediately?

Disable Server Actions (if possible).
Monitor logs for suspicious `Next-Action` headers.
Apply WAF rules as a short-term defense.
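The detection section and the answer above both come down to looking for Server Action traffic that does not look like a browser using the application. The following added example, written for this article and not Detectify's scanner or Next.js code, is an offline triage pass over reverse-proxy access logs. It assumes the proxy was configured to log the `Next-Action` header as a field (default access-log formats do not include custom headers, so this has to be set up in advance) and that each log line is one JSON object with the fields used below; `SAMPLE_LOG` is constructed for the example, using documentation IP ranges.

```javascript
// Added example, not from the article, Detectify or Next.js: offline triage of
// reverse-proxy access logs for Server Action traffic. Assumes the proxy logs
// the Next-Action header into a "next_action" field and writes one JSON
// object per line. SAMPLE_LOG is constructed for this example.

const SAMPLE_LOG = [
  '{"ts":"2025-12-04T10:00:01Z","ip":"198.51.100.20","method":"POST","path":"/account","status":200,"next_action":"a1b2c3d4e5f60718293a4b5c6d7e8f9012345678ab","origin":"https://app.example"}',
  '{"ts":"2025-12-04T10:00:02Z","ip":"198.51.100.20","method":"GET","path":"/account","status":200,"next_action":null,"origin":null}',
  '{"ts":"2025-12-04T10:00:05Z","ip":"203.0.113.7","method":"POST","path":"/","status":500,"next_action":"0000000000000000000000000000000000000000ff","origin":null}',
  '{"ts":"2025-12-04T10:00:05Z","ip":"203.0.113.7","method":"POST","path":"/","status":500,"next_action":"x","origin":null}',
  '{"ts":"2025-12-04T10:00:06Z","ip":"203.0.113.7","method":"POST","path":"/","status":500,"next_action":"y","origin":null}',
  '{"ts":"2025-12-04T10:00:09Z","ip":"203.0.113.7","method":"POST","path":"/","status":200,"next_action":"z","origin":null}',
  'this line is not JSON and is skipped rather than aborting the run',
].join('\n');

// Parses one-JSON-object-per-line logs, skipping blank and malformed lines.
function parseLog(text) {
  const entries = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    try { entries.push(JSON.parse(line)); } catch { /* malformed line: skip */ }
  }
  return entries;
}

// Aggregates Server Action POSTs per client address and attaches the
// signals that distinguish a probe from a browser using the app:
//  - repeated 5xx responses on action POSTs (the deserializer rejecting input)
//  - many distinct action ids from one client (guessing or fuzzing)
//  - no Origin header on any action POST (not a browser form submission)
// Thresholds are tunable; the defaults are illustrative, not calibrated.
function triage(text, { minErrors = 2, minDistinctActions = 3 } = {}) {
  const actionPosts = parseLog(text).filter(e => e.method === 'POST' && e.next_action);
  const perIp = new Map();
  for (const e of actionPosts) {
    const s = perIp.get(e.ip) || { ip: e.ip, posts: 0, errors: 0, noOrigin: 0, actions: new Set() };
    s.posts += 1;
    if (e.status >= 500) s.errors += 1;
    if (!e.origin) s.noOrigin += 1;
    s.actions.add(e.next_action);
    perIp.set(e.ip, s);
  }
  const report = [];
  for (const s of perIp.values()) {
    const signals = [];
    if (s.errors >= minErrors) signals.push(`${s.errors} server errors on action POSTs`);
    if (s.actions.size >= minDistinctActions) signals.push(`${s.actions.size} distinct action ids`);
    if (s.noOrigin === s.posts) signals.push('no Origin header on any action POST');
    report.push({ ip: s.ip, posts: s.posts, errors: s.errors, distinctActions: s.actions.size, signals });
  }
  // Most suspicious client first.
  return report.sort((a, b) => b.signals.length - a.signals.length);
}

for (const r of triage(SAMPLE_LOG)) {
  console.log(`${r.ip}: ${r.posts} action POSTs, ${r.errors} errors, ${r.distinctActions} ids; ${r.signals.join('; ') || 'no signals'}`);
}
```

A client that trips all three signals, as 203.0.113.7 does in the constructed log, is worth pulling the raw requests for; a single unknown action ID on its own is more often a stale browser tab holding an ID from a previous deployment than an attack, which is why the report counts signals rather than alerting on the first odd request.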

4. Are there any known exploits in the wild?

– As of this article's writing, no public exploits had been reported, but given the severity and how little the attack needs (one unauthenticated HTTP request), proof-of-concept and in-the-wild attacks should be expected quickly; prioritise the patch as if exploitation were already under way.

5. Where can I find official patch notes?

React: React Security Advisory
Next.js: Next.js Release Log

For urgent security updates, consider signing up for Detectify’s free trial to scan your applications proactively.


This article is for informational purposes only. Always consult official security advisories before applying patches or mitigations.
