Critical Vulnerability in React Server Components: What Organizations Need to Know


On December 3, 2025, the React team publicly disclosed a critical security vulnerability affecting React Server Components. The flaw has been assigned the identifier CVE-2025-55182 and carries a maximum severity rating. This issue enables unauthenticated remote code execution under certain conditions, making it one of the most serious web-framework vulnerabilities disclosed in recent years.

The timing and severity of this disclosure matter. React, along with frameworks like Next.js, powers a significant percentage of modern web applications, including enterprise portals, SaaS platforms, e-commerce systems, and internal business applications. The presence of a remotely exploitable vulnerability in a default configuration elevates the risk far beyond niche developer scenarios.

What Caused the Vulnerability

The vulnerability originates within the implementation of the React Server Components protocol, often referred to as the Flight protocol. Specifically, the server logic responsible for interpreting RSC payloads fails to adequately validate and constrain the data received from remote clients. When exploited, this lack of input validation allows an attacker to coerce the server into deserializing malicious structures, ultimately triggering execution of attacker-controlled code.

This vulnerability does not require authentication, user interaction, or elevated privileges. Any publicly exposed endpoint supporting RSC functionality is a potential target. Critically, applications do not need to explicitly define custom server functions to be affected; simply enabling or inheriting React Server Component support through a framework or toolchain may be sufficient to introduce exposure.

Who Is Impacted

Organizations using React 19 with Server Components are most directly affected, including those using bundlers or frameworks that enable RSC by default. This includes environments built using Next.js, React Router’s server-side variants, Waku, Parcel’s RSC integration, and Vite plugins that support RSC.

Next.js has published a companion advisory under its own CVE identifier, which tracks the same underlying flaw. Because Next.js is widely deployed in cloud environments, the attack surface is significant. Many organizations may unknowingly rely on vulnerable versions through transitive dependencies.

Why This Matters for Enterprise Security

Remote code execution at the framework layer presents an unusually high-impact threat. Successful exploitation can permit attackers to take control of the underlying server, read or modify data, install persistence mechanisms, move laterally inside the environment, or stage additional payloads. For organizations delivering authentication, data processing, or critical business logic through React-driven applications, the consequences are severe.

Complicating the situation, exploit attempts have already begun. Several security vendors have confirmed active scanning and early exploitation by threat actors, including state-aligned groups. As with prior ecosystem-level vulnerabilities, widespread adoption of React amplifies exposure across industries.

What Organizations Should Do Now

Upgrade immediately. Patches are available for all affected React packages. Framework maintainers have published their own patched versions, and these releases should be applied without delay.

Review dependency trees. Many applications inherit RSC support through frameworks, plugins, or deployment presets, even when developers do not actively use the feature. A full audit of all server-side JavaScript dependencies is strongly recommended.

Scan for exposed endpoints. Any public endpoint capable of receiving RSC or server function traffic should be reviewed, logged, and monitored. If your application uses Next.js or similar tooling, assume exposure until confirmed otherwise.

Do not rely solely on temporary platform-level mitigations. Some hosting providers have implemented emergency rules, but self-patching remains the only reliable long-term solution.

Final Thoughts

CVE-2025-55182 is a reminder that even mature and well-maintained frameworks can introduce significant risks when features evolve faster than their security models. Organizations using React or Next.js in production should prioritize remediation, dependency validation, and thorough logging review.

Critical Path Security is actively assisting clients with patch validation, dependency audits, and incident response related to this vulnerability. If your team needs support assessing exposure or implementing mitigation measures, we are available to help.