Critical RCE Vulnerability in React Server Components & Next.js: What…


A Critical Remote Code Execution (RCE) vulnerability, identified as CVE-2025-55182, has been discovered in Next.js applications utilizing React Server Components (RSC) and Server Actions. This vulnerability stems from insecure deserialization within the underlying “Flight” protocol used by React. Unauthenticated remote attackers can exploit this flaw to execute arbitrary code on the server, potentially leading to a complete compromise of the application and underlying system.

Given the widespread adoption of Next.js and the critical severity of the flaw (CVSS 10.0), immediate action is required. This article will guide you through understanding the affected products, vulnerability details, detection methods, mitigation strategies, and patch availability.

Affected Products

The vulnerability affects the React Server Components ecosystem, which is heavily integrated into modern frameworks like Next.js. Specifically, it impacts the `react-server-dom-parcel`, `react-server-dom-turbopack`, and `react-server-dom-webpack` packages.

Affected Versions

React Server Components: Versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0.
Next.js: Applications using App Router (Next.js 15.x, 16.x) or experimental Server Actions are likely affected by default.

Vulnerability Details

CVE-2025-55182 is an insecure deserialization vulnerability that occurs at “Server Function endpoints.” The flaw exists because the server-side handler for the React “Flight” protocol unsafely deserializes payloads from HTTP requests. The server fails to properly validate serialized input before processing it. An attacker can trigger this vulnerability by sending a specially crafted `POST` request to the root path containing:

1. Specific `Next-Action` headers.
2. Malformed multipart data payloads.

When processed, this malformed payload triggers the insecure deserialization, allowing the attacker to inject and execute malicious code remotely.

Detection

Detectify customers can now test whether their applications are exposed to this RCE. The vulnerability assessment released by Detectify checks for the presence of the insecure deserialization flaw by sending a specially crafted `POST` request to the root path with `Next-Action` headers and malformed multipart data. The test safely identifies the vulnerability by observing specific error responses from the server that confirm the deserialization failure, without executing malicious code.

Mitigation

Upgrade Immediately

The most effective mitigation is to upgrade the affected packages to their patched versions.

React Server Components: Upgrade the `react-server-dom-parcel`, `react-server-dom-turbopack`, and `react-server-dom-webpack` packages to versions 19.0.1, 19.1.2, or 19.2.1 (or later).
Next.js: Upgrade to the latest patch release for your major version (e.g., Next.js 15.0.5+, 16.0.7+).
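As an added example (not code from Detectify, React or Next.js), the following Node.js script audits an npm lockfile against the affected and patched versions listed in this advisory. The lockfile shape (the `packages` map of npm lockfile v2/v3) and the sample contents are assumptions for illustration; the Next.js minimums are only the 15.x/16.x examples given above, so other branches are reported for manual checking.

```javascript
// Added example: flag lockfile entries that match the versions CVE-2025-55182
// affects. Version lists come from the advisory; the sample lockfile is constructed.
const RSC_PACKAGES = ["react-server-dom-parcel", "react-server-dom-turbopack", "react-server-dom-webpack"];
const AFFECTED_RSC = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
// Patched minimums the advisory gives as examples for the 15.x and 16.x lines;
// any other branch must be checked against the official Next.js release log.
const NEXT_PATCHED_MIN = { 15: "15.0.5", 16: "16.0.7" };

function parseVersion(v) {
  // Accept "1.2.3", "^1.2.3", "1.2.3-canary.4"; return [major, minor, patch] or null.
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// lockfile: object in npm lockfile v2/v3 shape, { packages: { "node_modules/<name>": { version } } }
function auditLockfile(lockfile) {
  const findings = [];
  for (const [path, info] of Object.entries(lockfile.packages || {})) {
    const name = path.replace(/^.*node_modules\//, "");
    if (RSC_PACKAGES.includes(name) && AFFECTED_RSC.has(info.version)) {
      findings.push({ name, version: info.version, reason: "affected react-server-dom release" });
    } else if (name === "next") {
      const parsed = parseVersion(info.version);
      const min = parsed && NEXT_PATCHED_MIN[parsed[0]];
      if (!min) {
        findings.push({ name, version: info.version, reason: "branch not covered here; check the release log" });
      } else if (compareVersions(info.version, min) < 0) {
        findings.push({ name, version: info.version, reason: `below patched minimum ${min}` });
      }
    }
  }
  return findings;
}

// Constructed sample: one affected RSC package, one patched one, and an old Next.js.
const SAMPLE_LOCK = {
  packages: {
    "node_modules/next": { version: "15.0.3" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
  },
};
console.log(auditLockfile(SAMPLE_LOCK));
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; a non-empty result means at least one dependency still needs the upgrade above.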

If Immediate Patching is Not Feasible

You may be able to mitigate the risk by applying Web Application Firewall (WAF) rules to block requests containing suspicious `Next-Action` headers or malformed multipart bodies, though this is not a substitute for patching.
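The request shape described in the Detection section and targeted by the WAF rule above can also be triaged after the fact in request logs. The following is an added example (not Detectify's or Next.js's code) that assumes a reverse-proxy log with one JSON object per line carrying method, path, headers and status; the log lines are constructed. Because legitimate Server Action submissions carry the same `Next-Action` header, hits are candidates to correlate with server errors, not confirmed exploitation.

```javascript
// Added example: find POST requests to the root path that carry a Next-Action
// header and a multipart body, and rank them by response status. Log format
// and sample lines are constructed for illustration.
const SAMPLE_LOG = `
{"ts":"2025-12-04T10:00:01Z","src":"203.0.113.5","method":"POST","path":"/","headers":{"next-action":"7f3a","content-type":"multipart/form-data; boundary=x"},"status":500}
{"ts":"2025-12-04T10:00:02Z","src":"198.51.100.9","method":"POST","path":"/","headers":{"Next-Action":"7f3a","Content-Type":"multipart/form-data; boundary=y"},"status":200}
{"ts":"2025-12-04T10:00:03Z","src":"203.0.113.5","method":"GET","path":"/","headers":{},"status":200}
{"ts":"2025-12-04T10:00:04Z","src":"192.0.2.7","method":"POST","path":"/api/login","headers":{"content-type":"application/json"},"status":200}
`.trim();

function header(headers, name) {
  // HTTP header names are case-insensitive; normalise before lookup.
  const key = Object.keys(headers || {}).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

function matchesShape(entry) {
  return (
    entry.method === "POST" &&
    entry.path === "/" &&
    header(entry.headers, "next-action") !== undefined &&
    /^multipart\/form-data/i.test(header(entry.headers, "content-type") || "")
  );
}

function triage(logText) {
  const findings = [];
  for (const line of logText.split("\n")) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (!matchesShape(entry)) continue;
    findings.push({
      ts: entry.ts,
      src: entry.src,
      status: entry.status,
      // A 5xx on this shape is the stronger signal (the advisory's detection
      // relies on error responses); a 2xx is most likely a normal form submission.
      severity: entry.status >= 500 ? "review" : "info",
    });
  }
  return findings;
}

console.log(triage(SAMPLE_LOG));
```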

Patch Availability

The vulnerability is fixed in the following versions:

React Server Components: 19.0.1, 19.1.2, and 19.2.1.
Next.js: Various patch releases (check the official Next.js release log for your specific version branch).

Users are strongly advised to update to these versions. Customers can always find updates in the “What’s New at Detectify” product log. Any questions can be directed to Customer Success representatives or Support. If you’re not already a customer, click here to sign up for a demo or a free trial and immediately start scanning. Go hack yourself!

Conclusion

The discovery of CVE-2025-55182 underscores the importance of staying vigilant and proactive in securing modern web applications. By understanding the affected products, vulnerability details, detection methods, and mitigation strategies, developers and administrators can take immediate action to protect their systems. Upgrading to the latest patched versions and applying necessary security measures are crucial steps in mitigating this critical RCE vulnerability.

FAQ

What is the impact of CVE-2025-55182?

The impact of CVE-2025-55182 is severe, as it allows unauthenticated remote attackers to execute arbitrary code on the server. This can lead to a complete compromise of the application and underlying system.

Which versions of React Server Components and Next.js are affected?

React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 are affected. Next.js applications using App Router (Next.js 15.x, 16.x) or experimental Server Actions are likely affected by default.

How can I detect if my application is vulnerable to CVE-2025-55182?

Detectify customers can use their vulnerability assessment tool to detect if their applications are exposed to this RCE. The test sends a specially crafted `POST` request to identify the vulnerability safely.

What are the recommended mitigation steps?

The recommended mitigation steps include upgrading to the latest patched versions of React Server Components and Next.js. If immediate patching is not feasible, applying WAF rules to block suspicious requests can provide additional protection.

Where can I find more information about this vulnerability?

More information can be found in the vendor advisory and the “What’s New at Detectify” product log.
