
A critical remote code execution (RCE) vulnerability has been discovered in React Server Components (RSC), tracked as CVE-2025-55182 with a CVSS score of 10.0 (Critical). The flaw lives in the RSC server packages (react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack) and is reachable through Next.js, which bundles those packages; the Next.js exposure was originally tracked separately as CVE-2025-66478 and later folded into CVE-2025-55182. An unauthenticated attacker can execute arbitrary code on the server with a single crafted HTTP request. Meta and Vercel have released patches, and Google Cloud has issued specific mitigation guidance. Due to the high severity and ease of exploitation, organizations running React 19 server components or Next.js 15 or 16 are strongly urged to update immediately.
Summary
- Vulnerability: Unauthenticated Remote Code Execution (RCE) in React Server Components and Next.js.
- CVE: CVE-2025-55182 (React Server Components); CVE-2025-66478 (Next.js) was later marked a duplicate of it.
- Impact: Complete server compromise via arbitrary code execution.
- Affected versions: the React Server Components packages (react-server-dom-webpack/-parcel/-turbopack) 19.0.0 through 19.2.0; Next.js 15.x and 16.x applications that use the App Router.
- Severity: Critical, CVSS 10.0.
- Fix: Update the React Server Components packages to 19.2.1 (or the patched release of your 19.x line) and Next.js to the patched release of the minor version you are on, then rebuild and redeploy.
How the attack works
The vulnerability lies in how React Server Components (RSC) and Server Functions (Server Actions in Next.js) deserialize the payload of an incoming request. An attacker sends a specially crafted HTTP request to any RSC or Server Function endpoint of the application. No credentials are needed: the vulnerable deserialization runs inside the framework's request handling, before the application's own authentication or authorization logic is reached.
On the wire the request looks like a normal Server Function invocation: a POST whose headers identify the action to run (next-action or rsc-action-id, depending on the framework) and whose body carries the serialized arguments. A malicious body is deserialized unsafely on the server and yields arbitrary code execution in the Node.js process, with the privileges of the application, and from there access to the underlying server infrastructure. Because the flaw sits below the application, application-level access controls offer no protection; only the patch, or a request-level filter in front of the service, does.
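To see what that traffic looks like in logs and how to separate it from normal Server Action use, here is an added triage example that is not part of the advisory. It assumes a JSON-lines access log with the constructed fields shown in SAMPLE_LOG (adapt the field names to your load balancer or application logger) and a set of action ids known to exist in your deployed build; for Next.js those ids are the hashed server references the build writes under .next/server. The action header alone is not an indicator of compromise, since every legitimate Server Action call carries it, so the example flags sources that used ids the build does not contain or whose action requests mostly failed.

```python
"""Triage of HTTP access logs for RSC Server Function traffic (added example).

Assumes a JSON-lines log with the fields used in SAMPLE_LOG below, which is
constructed for this example; adapt field names to your own logs.
"""
import json
from collections import defaultdict

# Headers that carry the Server Function / action identifier. Matched case-insensitively.
ACTION_HEADERS = ("next-action", "rsc-action-id")

# Constructed sample: one normal user (203.0.113.7), one source hammering
# unknown action ids and getting 500s (198.51.100.9), one more normal user.
SAMPLE_LOG = """\
{"ts":"2025-12-04T10:00:01Z","src_ip":"203.0.113.7","method":"POST","path":"/","status":200,"headers":{"Next-Action":"7f2a","Content-Type":"text/plain;charset=UTF-8"}}
{"ts":"2025-12-04T10:00:02Z","src_ip":"203.0.113.7","method":"GET","path":"/dashboard","status":200,"headers":{"RSC":"1"}}
{"ts":"2025-12-04T10:00:03Z","src_ip":"198.51.100.9","method":"POST","path":"/","status":500,"headers":{"next-action":"0000","content-type":"multipart/form-data"}}
{"ts":"2025-12-04T10:00:04Z","src_ip":"198.51.100.9","method":"POST","path":"/api/x","status":500,"headers":{"rsc-action-id":"0001"}}
{"ts":"2025-12-04T10:00:05Z","src_ip":"198.51.100.9","method":"POST","path":"/login","status":500,"headers":{"next-action":"0002"}}
{"ts":"2025-12-04T10:00:06Z","src_ip":"192.0.2.3","method":"POST","path":"/","status":200,"headers":{"Next-Action":"7f2a"}}
"""


def action_id(headers):
    """Return the action id from either header, or None if the request carries neither."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in ACTION_HEADERS:
        if name in lowered:
            return lowered[name]
    return None


def parse_log(text):
    """Parse JSON lines, skipping blank or malformed lines instead of aborting the triage."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def triage(events):
    """Summarise requests that carry an action header, per source IP.

    Returns {src_ip: {"requests": n, "errors": n, "action_ids": set, "paths": set}}.
    Requests without an action header (page loads, RSC navigations) are ignored.
    """
    summary = defaultdict(lambda: {"requests": 0, "errors": 0, "action_ids": set(), "paths": set()})
    for ev in events:
        aid = action_id(ev.get("headers", {}))
        if aid is None:
            continue
        entry = summary[ev["src_ip"]]
        entry["requests"] += 1
        entry["action_ids"].add(aid)
        entry["paths"].add(ev["path"])
        if int(ev.get("status", 0)) >= 500:
            entry["errors"] += 1
    return dict(summary)


def suspicious(summary, known_action_ids):
    """Sources that invoked action ids absent from the deployed build, or whose
    action requests mostly failed. known_action_ids: ids from your own build output."""
    flagged = {}
    for ip, e in summary.items():
        unknown = e["action_ids"] - set(known_action_ids)
        mostly_failing = e["requests"] > 0 and e["errors"] / e["requests"] >= 0.5
        if unknown or mostly_failing:
            flagged[ip] = {
                "unknown_action_ids": sorted(unknown),
                "errors": e["errors"],
                "requests": e["requests"],
                "paths": sorted(e["paths"]),
            }
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ip, info in suspicious(triage(events), known_action_ids={"7f2a"}).items():
        print(ip, info)
```

Run it against the window between disclosure and your patch rollout; sources it flags are candidates for a closer look at the request bodies and for host-level forensics on the servers that answered them, not proof of compromise by themselves.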
Exploitation in the wild
While specific details on widespread exploitation campaigns are still emerging, the public disclosure by Meta and Vercel, combined with the release of dedicated WAF rules by cloud providers such as Google Cloud, indicates a high risk of immediate weaponization. The nature of the flaw (a single HTTP request to a standard framework endpoint triggering RCE) makes it a prime target for automated scanning and mass exploitation. Any public-facing application running vulnerable versions is effectively one request away from compromise.
What makes this so dangerous
This vulnerability presents an extreme risk due to the following factors:
- Unauthenticated remote exploitation: The flaw can be triggered remotely without any user credentials, making it trivial for attackers to target internet-facing applications.
- Highest possible severity: A CVSS score of 10.0 reflects the absolute worst-case scenario: total loss of confidentiality, integrity, and availability.
- Low attack complexity: The exploit requires only a crafted HTTP request, lowering the barrier to entry for attackers.
- Widespread impact: React and Next.js are foundational frameworks for modern web development, meaning a vast number of applications globally are potentially exposed.
Mitigation steps and best practices
Administrators should prioritize patching immediately.
- Apply patches immediately: Follow React's official mitigation guidance. Update the React Server Components packages to 19.2.1 or the patched release of your 19.x line, and update Next.js to the patched release of the minor version you run.
- Deploy WAF rules: Implement WAF rules to block exploitation attempts while patching is in progress. Google Cloud users can apply the cve-canary preconfigured rule in Cloud Armor with the match conditions Google published for the next-action and rsc-action-id headers. Other WAF providers have, or will shortly have, similar signatures. Treat this as a stopgap: every legitimate Server Action call carries the next-action header, so a rule that blocks on the header alone breaks the application, and a WAF does not cover traffic that reaches the service without passing through it.
- Rebuild and redeploy: Next.js bundles its own copy of the React Server Components packages and produces the application bundle at build time, so restarting a container built from the old image does not apply the fix. Rebuild every affected service (Cloud Run, GKE, App Engine, etc.) with the updated lockfile and roll out the new artifact.
- Continuous detection: Actively monitor your external attack surface to identify overlooked or shadow instances of React/Next.js applications that remain vulnerable, and check lockfiles in your repositories, not just running services, so nothing vulnerable is rebuilt from stale pins later.
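To check lockfiles across repositories before rebuilding, here is an added example that is not from the advisory or either project. It reads an npm package-lock.json (lockfileVersion 1, 2 or 3) and classifies the Next.js and react-server-dom-* entries it finds. The fixed-version table is the one published in the React and Vercel advisories (react-server-dom-* 19.0.1, 19.1.2, 19.2.1; Next.js 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7); confirm it against the current advisories before relying on it. Note that Next.js applications normally do not list react-server-dom-* in their lockfile at all, because Next.js vendors those packages into its own distribution, so for them the next entry is the one that matters; the react-server-dom-* check is for other RSC-based setups. The SAMPLE_LOCK content is constructed.

```python
"""Classify Next.js and react-server-dom-* versions in an npm lockfile
against the CVE-2025-55182 fixed releases (added example).

Fixed-version table taken from the React and Vercel advisories; re-check before use.
"""
import json
import re

# Minimum patched release per affected release line, keyed by (major, minor).
FIXED_VERSIONS = {
    "react-server-dom": {(19, 0): (19, 0, 1), (19, 1): (19, 1, 2), (19, 2): (19, 2, 1)},
    "next": {
        (15, 0): (15, 0, 5), (15, 1): (15, 1, 9), (15, 2): (15, 2, 6), (15, 3): (15, 3, 6),
        (15, 4): (15, 4, 8), (15, 5): (15, 5, 7), (16, 0): (16, 0, 7),
    },
}
# Major lines the advisories list as affected; other majors are reported as not affected.
AFFECTED_MAJORS = {"react-server-dom": {19}, "next": {15, 16}}

RSC_PACKAGES = ("react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack")

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$")


def family(name):
    """Map a package name to the advisory table it belongs to, or None."""
    if name in RSC_PACKAGES:
        return "react-server-dom"
    if name == "next":
        return "next"
    return None


def parse_version(text):
    """Return (major, minor, patch, is_release) or None. A prerelease such as
    16.0.7-canary.2 sorts below the 16.0.7 release, as in semver."""
    m = _VERSION.match(text.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def check_version(name, version):
    """One of: vulnerable, fixed, not-affected, unknown, not-tracked.

    'unknown' covers release lines the table does not list (e.g. a newer minor);
    treat it as a prompt to consult the advisory rather than as safe.
    """
    fam = family(name)
    if fam is None:
        return "not-tracked"
    v = parse_version(version)
    if v is None:
        return "unknown"
    if v[0] not in AFFECTED_MAJORS[fam]:
        return "not-affected"
    fixed = FIXED_VERSIONS[fam].get((v[0], v[1]))
    if fixed is None:
        return "unknown"
    return "vulnerable" if v < fixed + (1,) else "fixed"


def iter_lock_packages(lock):
    """Yield (name, version) for every installed package in the lockfile."""
    if "packages" in lock:  # lockfileVersion 2 and 3: keyed by node_modules path
        for path, meta in lock["packages"].items():
            if not path:  # the "" entry is the root project itself
                continue
            name = path.rsplit("node_modules/", 1)[-1]
            if "version" in meta:
                yield name, meta["version"]
        return

    def walk(deps):  # lockfileVersion 1: nested "dependencies" tree
        for name, meta in deps.items():
            if "version" in meta:
                yield name, meta["version"]
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def scan_lockfile(text):
    """Return [(name, version, status)] for tracked packages only."""
    lock = json.loads(text)
    results = []
    for name, version in iter_lock_packages(lock):
        if family(name) is not None:
            results.append((name, version, check_version(name, version)))
    return results


# Constructed lockfileVersion 3 sample: vulnerable next and webpack RSC package,
# plus a nested, already patched turbopack RSC package.
SAMPLE_LOCK = json.dumps({
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "1.0.0"},
        "node_modules/next": {"version": "16.0.3"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/some-tool/node_modules/react-server-dom-turbopack": {"version": "19.2.1"},
    },
})

if __name__ == "__main__":
    for name, version, status in scan_lockfile(SAMPLE_LOCK):
        print(f"{status:13} {name}@{version}")
```

Point it at every package-lock.json in your source control, not only the one in the deployed service; a stale pin in a rarely built repository is exactly the shadow instance the continuous-detection step is meant to catch.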
If you are concerned about your exposure to CVE-2025-55182, reach out to our team of cybersecurity specialists for a free scan.

