Emerging Threat: CVE-2025-55182 – React Server Components RCE Vulnerability

Amit Sheps, Head of Product Marketing

[Figure] Sample of assets impacted by CVE-2025-55182, identified by the CyCognito Platform

Published: December 4, 2025

What is CVE-2025-55182?

CVE-2025-55182 is a critical (CVSS 10.0) unauthenticated remote code execution vulnerability in React Server Components (RSC) used in React 19 and multiple frameworks built on top of it, including Next.js 15 and 16.

The issue stems from unsafe deserialization of untrusted payloads inside the RSC “Flight” protocol. When a malicious request is sent to a Server Function endpoint, vulnerable RSC packages deserialize attacker-controlled input in a way that breaks the intended execution flow. This allows arbitrary JavaScript to run on the server under the privileges of the application.

Affected packages include:

  • react-server-dom-webpack: 19.0.0, 19.1.0, 19.1.1, 19.2.0
  • react-server-dom-parcel: 19.0.0, 19.1.0, 19.1.1, 19.2.0
  • react-server-dom-turbopack: 19.0.0, 19.1.0, 19.1.1, 19.2.0

Even applications that don’t explicitly use Server Functions may still bundle these vulnerable components, making this a wide-impact supply-chain risk.

What assets are affected by CVE-2025-55182?

This vulnerability affects any application using React Server Components in the impacted versions, including those built with:

  • React 19 production builds
  • Next.js 15.x and 16.x (App Router)
  • Frameworks and tools with RSC integration:
    • React Router (RSC preview)
    • Expo (RSC support)
    • Redwood
    • Parcel RSC
    • Vite + RSC plugins
    • Waku and other experimental RSC frameworks

High-risk external assets include:

  • Internet-facing web applications built with React / Next.js
  • SaaS environments processing sensitive or regulated data
  • Cloud workloads where app servers can reach internal APIs, secrets, or management interfaces
  • Shadow-IT or experimental deployments that were never fully onboarded into security programs

Because RSC dependency chains often sit deep within frameworks, organizations frequently discover affected assets only through external discovery or dependency analysis.

Are fixes available?

Yes — patches are available and should be applied immediately.

The React team released fixed versions of all affected RSC packages:

  • react-server-dom-webpack: 19.0.1, 19.1.2, 19.2.1
  • react-server-dom-parcel: 19.0.1, 19.1.2, 19.2.1
  • react-server-dom-turbopack: 19.0.1, 19.1.2, 19.2.1

Next.js also published patched releases for the related CVE-2025-66478, which is rooted in the same underlying RSC flaw.

Organizations should:

  • Upgrade all React RSC dependencies
  • Update Next.js or related frameworks to patched versions
  • Update CI/CD pipelines and IaC templates to prevent re-introducing vulnerable versions

No configuration-only workaround fully removes the RCE risk. Upgrading is essential.

Security teams should immediately:

  • Discover and inventory all external React / Next.js applications
    Include forgotten assets, subsidiaries, cloud accounts, and apps deployed outside central IT.
  • Prioritize assets by exposure and business impact
    Customer apps, authentication portals, PII-processing systems, and admin interfaces should move to the top of the remediation queue.
  • Deploy compensating controls while patching rolls out
    • Enable WAF rules targeting malformed or suspicious RSC Flight payloads
    • Restrict access to internal or admin routes
    • Apply least privilege principles around backend systems interacting with these apps
  • Monitor for indicators of exploitation
    • Spikes in traffic to RSC endpoints
    • Unexpected process execution
    • Outbound network anomalies
  • Update SBOMs and dependency management
    Ensure future builds cannot silently reintroduce vulnerable versions.

Is CVE-2025-55182 being actively exploited?

As of December 4, 2025, the exploitation picture is rapidly evolving.

  • Public PoC exploit code exists
  • Researchers have demonstrated reliable RCE in controlled environments
  • Multiple advisories state exploitation is expected imminently
  • Some threat intelligence sources indicate early-stage real-world exploitation

Given the simplicity of the payload and the massive global footprint of React and Next.js, organizations should assume exploitation will spread quickly.

How is CyCognito helping customers identify assets vulnerable to CVE-2025-55182?

CyCognito published an Emerging Threat Advisory for CVE-2025-55182 inside the platform on December 4th, 2025, and is actively researching enhanced detection capabilities for this vulnerability. The platform already surfaces externally exposed assets tied to this technology stack, helping customers quickly understand whether React Server Components or related frameworks appear in their environment.

CyCognito also advises customers to review any systems running React, Next.js, Apache Tomcat, or associated web services to assess potential exposure—even if those assets are not explicitly identified as running vulnerable versions. Modern applications often contain transitive dependencies that teams may not be aware of, and CyCognito’s external discovery brings these systems into visibility.

Check out CyCognito’s Emerging Threats page for updates on this and other high-impact vulnerabilities.

How can CyCognito help your organization?

CyCognito gives security teams a clear view of every external asset — including systems they may not know exist. That visibility makes it easier to find applications built on React, Next.js, and other components tied to CVE-2025-55182, and to understand which ones are both vulnerable and externally exposed. Instead of working through large, noisy alert lists, teams see which systems matter most based on business impact, sensitivity, and real-world exploit paths.

CyCognito also helps verify that the issue is fixed and continues monitoring for changes as environments evolve. If a previously internal system becomes externally reachable, or if a vulnerable framework appears in a new build, the platform flags it before attackers find it. This allows organizations to move faster, reduce real risk with confidence, and stay ahead of attackers instead of responding after the fact.

To learn how CyCognito can help you understand your external attack surface and exposed risks, please visit our Contact Us page to schedule a demo.
