CVSS 10.0 RCE in React Server Components
by Justin Erickson
Security researchers and the React team have disclosed CVE-2025-55182, a maximum-severity (CVSS 10.0) remote code execution vulnerability in React Server Components (RSC). An unauthenticated attacker can send a crafted payload to a React Server Function endpoint and trigger unsafe deserialization, resulting in remote code execution on the server. Because many frameworks bundle RSC by default, applications can be exposed even if they do not explicitly use Server Functions. Affected packages include React 19.0, 19.1.0, 19.1.1, and 19.2.0, and popular frameworks such as Next.js, the Vite and Parcel RSC plugins, the React Router RSC preview, RedwoodSDK, and Waku. The exposure is wide: “44% of all cloud environments have publicly exposed Next.js instances.” Next.js has assigned the related identifier CVE-2025-66478 for the same flaw. Reports as of December 5th show active exploitation. Patching React and the affected frameworks is the only definitive mitigation, so update as soon as possible.
