Security Advisory: React & Next.js RCE (CVE-2025-55182)
Well, this is... not great. Time to patch, DevSecOps peeps!
A maximum-severity vulnerability has been disclosed in React Server Components (RSC). It allows an unauthenticated attacker to achieve Remote Code Execution (RCE) on the server by sending a crafted HTTP request to any Server Function endpoint. The root cause is unsafe deserialization of the request payload by React's server-side RSC handling.
"An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server," the security alert warned. "Further details of the vulnerability will be provided after the rollout of the fix is complete."
Vulnerability Data
- Primary CVE: CVE-2025-55182 (React)
- Secondary CVE: CVE-2025-66478 (Next.js)
- Severity: Critical (CVSS 10.0)
- Status: Patched / Exploitation Imminent
Affected Software & Versions
The bug affects versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of the React Server Components packages react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack (these track the React 19 release line):
- 19.0
- 19.1.0
- 19.1.1
- 19.2.0
Note: Frameworks that ship React Server Components are affected in their default configurations, including Next.js, React Router, Waku, and others.
Resolution
Development teams must immediately upgrade react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack (whichever your bundler uses) to the patched release of the same minor line:
- 19.0.1 (fixes 19.0)
- 19.1.2 (fixes 19.1.0 and 19.1.1)
- 19.2.1 (fixes 19.2.0)
Next.js users should also pick up the Next.js release that addresses CVE-2025-66478, since frameworks may bundle their own copy of these packages and upgrading the framework is what pulls in the fix. After upgrading, confirm that no vulnerable copy remains anywhere in the dependency tree (nested copies under a framework's own node_modules are easy to miss).
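As an added example (not code from the React project or the advisory), the Node.js script below scans an npm lockfile (lockfileVersion 2 or 3, `packages` map) for every copy of the three RSC packages, including nested ones, and classifies each by the version ranges above. The lockfile object is constructed inline for illustration; in practice you would `JSON.parse` your own `package-lock.json`. Prerelease (canary/experimental) builds are flagged separately rather than guessed at, and versions outside the 19.0 to 19.2 lines are reported as not covered by this advisory.

```javascript
// Added example: find vulnerable React Server Components packages in an npm lockfile.
// Not the React project's code. The SAMPLE_LOCK below is constructed for illustration.

const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// First patched patch-level for each affected minor line, per the advisory:
// 19.0.1, 19.1.2, 19.2.1.
const FIXED_PATCH_LEVEL = { "19.0": 1, "19.1": 2, "19.2": 1 };

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; returns null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(String(v));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Classify a single package version against the advisory.
function classify(version) {
  const p = parseVersion(version);
  if (!p) return "unknown";            // malformed or missing version string
  if (p.pre) return "prerelease";      // canary/experimental build: verify manually
  const line = `${p.major}.${p.minor}`;
  if (!(line in FIXED_PATCH_LEVEL)) return "not-listed"; // outside 19.0-19.2
  return p.patch >= FIXED_PATCH_LEVEL[line] ? "fixed" : "vulnerable";
}

// Walk every installed package path in the lockfile, including nested copies
// such as node_modules/next/node_modules/react-server-dom-turbopack.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project itself
    const marker = "node_modules/";
    const idx = path.lastIndexOf(marker);
    const name = idx === -1 ? path : path.slice(idx + marker.length);
    if (!RSC_PACKAGES.has(name)) continue;
    findings.push({ path, name, version: entry.version, status: classify(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile (hypothetical app): one vulnerable copy, one fixed
// nested copy, and one canary build that needs a manual check.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/react-server-dom-parcel": { version: "19.3.0-canary-0123abcd" },
  },
};

function report(lock) {
  const findings = scanLockfile(lock);
  for (const f of findings) {
    console.log(`${f.status.padEnd(11)} ${f.name}@${f.version}  (${f.path})`);
  }
  return findings.some((f) => f.status === "vulnerable");
}

if (report(SAMPLE_LOCK)) {
  console.log("VULNERABLE copies present: upgrade per the advisory.");
}
```

To run this against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; `npm ls react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack` gives a quicker but less scriptable view of the same tree.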
Threat Intelligence
While no in-the-wild exploitation had been confirmed at the time of disclosure, security firms (Wiz, watchTowr, Rapid7) assess the barrier to entry for attackers as low: the request path is unauthenticated and the bug is expected to be reliably exploitable, so automated scanning for vulnerable instances is expected to begin shortly.