On December 3, 2025, the React team released fixes for a maximum severity vulnerability in React Server Components (RSC). The vulnerability, tracked as CVE-2025-55182, stems from unsafe handling of serialized DOM elements, allowing for remote code execution in React 19 and other frameworks built on top of it, such as Next.js 15–16. The vulnerability was responsibly disclosed to React as part of a bug bounty program and is not known to be actively exploited in the wild at this time.
Because RSC executes server-side JavaScript code, a remote attacker who reaches an RSC endpoint can compel the application to run arbitrary JavaScript code on its server runtime (i.e., Node.js or an equivalent JavaScript runtime environment). This raises the possibility of full application compromise, exposure of secrets, access to internal APIs and datastores, and potential lateral movement.
Vulnerability Scope
Although this flaw potentially enables unauthenticated remote code execution in any application that exposes React Server Components endpoints, the React advisory also highlights that applications may remain vulnerable even if developers do not explicitly implement Server Function endpoints.
This suggests that applications built with frameworks or bundlers that integrate React Server Components on the server, often by including and wiring the react-server-dom-* packages into the runtime, may still expose the vulnerable code paths. Research by Wiz further indicates that independent frameworks built on React, such as default applications generated through the Next.js create-next-app script, can also be vulnerable once built for production.
According to the advisory, the following scenarios are not susceptible to this vulnerability:
- Applications that do not use a server at all (purely client-side React or fully static sites).
- Applications that do not use a framework or bundler that supports RSC.
- Applications using React versions that pre-date RSC support (e.g., older Next.js releases from before RSC existed), since they do not support React Server Components.
- Applications that run React packaged without any of the RSC-specific server-side packages (i.e., react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack).
Additionally, some WAF providers such as Cloudflare have deployed rules to block exploitation.
Potentially Affected Third-Party Software
Any software that utilizes affected versions of React 19 with React Server Components enabled may be vulnerable. This potentially includes, but may not be limited to, the following frameworks:
- Next.js App Router (15 and 16, as well as certain 14.3 canary builds)
- React Router RSC (via Vite RSC)
- Vite RSC (@vitejs/plugin-rsc)
- Parcel RSC (@parcel/rsc)
- RedwoodSDK (rwsdk) running on Cloudflare
- Waku, commonly used in lightweight e-commerce, marketing sites, and small-to-medium applications.
Additionally, any custom or commercial application embedding affected versions of react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack is potentially at risk.
Wiz reported that roughly 39% of cloud environments they observed contained at least one instance of a vulnerable RSC-capable framework. This could potentially include internal business applications, internal tooling, SaaS front-ends, or other edge-deployed workloads.
Recommendations for CVE-2025-55182
Upgrade to Latest Fixed Version in Affected Applications
Arctic Wolf strongly recommends upgrading affected components to the latest fixed versions as soon as possible in affected applications.
| Component | Affected Versions | Fixed Versions |
| --- | --- | --- |
| React RSC packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (see GitHub advisory) | 19.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1 |
| Next.js App Router (see GitHub advisory) | 15.x, 16.x, 14.3.0-canary.77+ | 16.0.7, 15.5.7, 15.4.8, |
| Frameworks embedding RSC, such as Vite RSC, Parcel RSC, React Router RSC, RedwoodSDK, Waku | Versions bundling the affected React RSC packages | Watch for latest vendor-provided patches aligned to React fixed versions |
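The table above is only useful if you can tell which of your deployments actually ship one of the listed versions. The following script is an added example, not code from Arctic Wolf, React, or Vercel: it walks the `packages` map of a v2/v3 `package-lock.json` and flags the three `react-server-dom-*` packages when they are at a version the table lists as affected, and `next` when it is below the fixed release for its release line (or is a 14.3.0 canary at or above canary.77). The Next.js handling goes slightly beyond the table: release lines the table does not list a fixed version for are reported for manual verification rather than silently passed. The sample lockfile embedded at the bottom is constructed for the demonstration; the function and constant names are this example's own.

```python
"""Flag React Server Components packages at versions listed as affected by
CVE-2025-55182 in a package-lock.json (lockfileVersion 2 or 3)."""
import json

# Affected and fixed versions exactly as the advisory table gives them for the
# three RSC server packages ("19.0" in the table is the 19.0.0 release).
RSC_PACKAGES = ("react-server-dom-webpack", "react-server-dom-parcel",
                "react-server-dom-turbopack")
RSC_AFFECTED = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}
RSC_FIXED = ("19.0.1", "19.1.2", "19.2.1")

# Next.js fixed releases listed in the advisory table, keyed by release line.
NEXT_FIXED = {(16, 0): (16, 0, 7), (15, 5): (15, 5, 7), (15, 4): (15, 4, 8)}
NEXT_CANARY_FIRST_AFFECTED = 77  # 14.3.0-canary.77 and later are affected


def parse_version(version):
    """Split a semver-style string into (major, minor, patch, prerelease).
    The prerelease tag is kept so '14.3.0-canary.77' is not confused with a
    final 14.3.0 release; a short form such as '19.0' is padded to 19.0.0."""
    core, _, prerelease = version.partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2], prerelease


def classify(name, version):
    """Return a finding string if name@version is flagged, otherwise None."""
    major, minor, patch, prerelease = parse_version(version)
    if name in RSC_PACKAGES:
        if f"{major}.{minor}.{patch}" in RSC_AFFECTED:
            return f"{name}@{version}: affected; upgrade to one of {', '.join(RSC_FIXED)}"
        return None
    if name == "next":
        # 14.3 canary builds: only canary.77 and later are in scope.
        if (major, minor, patch) == (14, 3, 0):
            tag, _, num = prerelease.partition(".")
            if tag == "canary" and num.isdigit() and int(num) >= NEXT_CANARY_FIRST_AFFECTED:
                return f"next@{version}: affected canary build (14.3.0-canary.77+)"
            return None
        if major in (15, 16):
            fixed = NEXT_FIXED.get((major, minor))
            if fixed is None:
                return (f"next@{version}: 15.x/16.x line not covered by this table; "
                        "verify against the vendor advisory")
            if (major, minor, patch) < fixed:
                return f"next@{version}: affected; upgrade to {'.'.join(map(str, fixed))}"
    return None


def find_vulnerable_packages(lockfile):
    """Return findings for every flagged package in a parsed package-lock.json.
    Keys look like 'node_modules/next' or 'node_modules/a/node_modules/next',
    so the package name is whatever follows the last 'node_modules/'."""
    findings = []
    for path, meta in lockfile.get("packages", {}).items():
        if not path:
            continue  # the "" entry is the root project itself
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version")
        finding = classify(name, version) if version else None
        if finding:
            findings.append(finding)
    return findings


def scan_lockfile(path):
    """Load a package-lock.json from disk and return its findings."""
    with open(path, encoding="utf-8") as fh:
        return find_vulnerable_packages(json.load(fh))


# Constructed sample lockfile (not from any real project): one affected RSC
# package, one already-fixed RSC package, and a Next.js release below its fix.
SAMPLE_LOCKFILE = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/react-server-dom-turbopack": {"version": "19.2.1"},
        "node_modules/next": {"version": "15.5.6"},
    },
}

if __name__ == "__main__":
    for line in find_vulnerable_packages(SAMPLE_LOCKFILE):
        print(line)
```

Run it against a real project with `scan_lockfile("path/to/package-lock.json")`; it reads only the lockfile, so it can be run over a checked-out repository or a CI artifact without installing anything. A package that is nested under another dependency's `node_modules` is still caught, which matters because a framework may pin its own copy of a `react-server-dom-*` package independently of the top-level `react` version.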
In general, the following three categories of applications should be accounted for where they directly bundle RSC or use independent frameworks that depend on it:
- Internal applications
- Self-hosted commercial products
- Edge-deployed applications
Internal Applications
Internal applications often run with trusted credentials and reside on networks adjacent to critical backend services. Upgrade React to the fixed RSC versions where applicable, as well as Next.js or other independent frameworks that depend on RSC.
Self-Hosted Commercial Products
Any commercial or vendor-supplied application embedding React 19 RSC, Next.js, or other frameworks that support RSC should be considered potentially at risk. Unfortunately, there is not a centralized means of identifying such applications. Watch for vendor-specific advisories where RSC-capable components are utilized, and apply patches as recommended.
Patch Edge-Deployed Applications
While Cloudflare Workers themselves are not vulnerable, applications built with RedwoodSDK, Vite RSC, or other RSC-bundling toolchains might be. Deploy the relevant framework patches and update their React dependencies to the fixed versions.
Apply Temporary Mitigations as Needed
If immediate patching is not possible, consider the following mitigations:
- Restrict public or cross-network access to RSC-enabled endpoints.
- Place affected applications behind a web application firewall capable of blocking exploitation patterns (e.g., Cloudflare).
- Temporarily reduce or disable use of React Server Components or Server Functions in exposed routes.
- Limit outbound connectivity and internal access for any workload running RSC code.
These mitigations may reduce exposure but do not correct the underlying vulnerability and should be treated as temporary.
Monitor for Vendor Security Updates
Because fixes to React and independent packages such as Next.js do not necessarily propagate automatically into commercial software that bundles them, Arctic Wolf recommends monitoring for additional vendor advisories that address CVE-2025-55182. Apply vendor-provided updates promptly once available and verify that the updates include patched React RSC package versions.