Critical Remote Code Execution (RCE) in React Server Components: CVE-2025-55182

  • MARCH 11TH, 2026

React Server Components (RSC) improve the user experience, but they also create a powerful bridge between the browser and the server's core. A critical vulnerability (CVE-2025-55182) has been identified in how React's server-side code deserialises the payloads that clients send to Server Function (Server Action) endpoints. Instead of invoking a legitimate server function, an unauthenticated attacker can send a specially crafted request that the server decodes into attacker-controlled operations, resulting in arbitrary code execution on the server with the privileges of the Node.js process that runs the application.

Systems Affected

1. React Server Components – the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages at versions 19.0.0 through 19.2.0; fixed in React 19.0.1, 19.1.2 and 19.2.1.
2. Next.js 15.x – all versions prior to the patched release of your 15.x minor line.
3. Next.js 16.x – all versions prior to the patched 16.x release.
4. Any other frameworks or tools that bundle the affected React Server Components packages before the patched React versions. Note that Next.js ships its own compiled copy of these packages, so the version of next in your lockfile, not the version of react, determines exposure there.

Applications that do not run an RSC server (for example classic client-rendered React apps) do not contain the vulnerable code.
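The following script, added here as an illustration and not part of the advisory or of the React project, checks a package-lock.json for the affected RSC packages and reports whether each installed version is below the first patched release of its minor line. The fixed versions are the ones listed above; the lockfile contents in SAMPLE_LOCK are constructed. Because Next.js vendors its own copy of the RSC packages, the script only reports the installed next version for comparison against the Next.js advisory rather than judging it.

```javascript
// Added example: audit a package-lock.json for RSC packages affected by CVE-2025-55182.
// Not from the advisory or from React; the lockfile below is a constructed sample.

// Packages that contain the vulnerable server-side RSC (Flight) decoder.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// First patched release on each affected 19.x minor line (from the advisory above).
const FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// Parse "MAJOR.MINOR.PATCH"; a prerelease suffix (e.g. "-canary...") is ignored,
// which conservatively treats a prerelease as its base version.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Fixed version for the minor line of `version`, or null if that line is not affected.
function fixedVersionFor(version) {
  const v = parseVersion(version);
  return v ? FIXED[`${v[0]}.${v[1]}`] || null : null;
}

// True when `name` is an affected package and `version` predates its line's fix.
function isVulnerable(name, version) {
  if (!AFFECTED_PACKAGES.has(name)) return false;
  const fixed = fixedVersionFor(version);
  if (!fixed) return false;
  return compare(parseVersion(version), parseVersion(fixed)) < 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json.
// Keys look like "node_modules/foo" or "node_modules/next/node_modules/foo".
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!name || !entry.version) continue;
    if (isVulnerable(name, entry.version)) {
      findings.push({ path, name, version: entry.version, fixed: fixedVersionFor(entry.version) });
    } else if (name === "next") {
      // Next.js bundles its own RSC packages; compare this against the Next.js advisory.
      findings.push({ path, name, version: entry.version, note: "check against Next.js fixed releases" });
    }
  }
  return findings;
}

// Constructed sample lockfile, not a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/next": { version: "15.5.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
  },
};

// Usage: node audit.js [path/to/package-lock.json]; falls back to the sample.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("node:fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  console.log(JSON.stringify(auditLockfile(lock), null, 2));
}
```

A lockfile audit is only a starting point: the RSC packages are compiled into the build output, so confirm the version actually deployed, and remember that a monorepo or a nested node_modules can contain more than one copy.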

Key Characteristics of the Threat

1. Invisible Payloads: The malicious request looks like an ordinary Server Action call. The payload is carried inside the body of that request in React's own RSC serialisation format, so a firewall or WAF that does not parse that format cannot tell it apart from legitimate traffic.

2. High Severity: The outcome is remote code execution inside the server process, so the vulnerability is classified as "Critical". No authentication is required: server function endpoints are exposed by the framework to every client that can reach the application, so the server's "brain" is reachable from the open internet.

3. Framework Specific: This affects applications built on React frameworks that implement Server Components (Next.js being the most common) and that have not applied the patched releases.

How to Safeguard Your Organisation

1. Framework Updates: Immediately update React and your framework (e.g., Next.js) to the fixed versions listed above; the patched releases harden the deserialisation of server function payloads. Because the RSC packages are compiled into the build, a dependency bump only takes effect once the application has been rebuilt and redeployed, so verify the running deployment and not just the lockfile.

2. Implement Strict Input Validation: Validate every value a client passes to a Server Function against a schema (for example with Zod or Yup) so the server only acts on the exact shape it expects. Note the limit of this control for CVE-2025-55182: the unsafe deserialisation happens inside React's request handling before your function body runs, so validation in your own code cannot prevent exploitation. It remains essential against the ordinary injection and logic bugs that live in Server Functions.

3. Defence-in-Depth Measures: Run the application with least privilege (an unprivileged user and, where possible, a read-only filesystem), isolate web servers from sensitive internal databases, restrict outbound network access from the server so a successful exploit cannot easily fetch tooling or exfiltrate data, and update WAF rules to flag anomalous serialisation patterns or "probes" against Server Action endpoints. Treat WAF rules as a stopgap while patching, not as a substitute for it, and review access logs for unexpected Server Action requests received before the patch was applied.
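One concrete form of the log review and "probe" detection suggested above, added here as an example that is not part of the advisory or of Next.js: Next.js identifies the target server function of a Server Action POST with the Next-Action request header, and the set of valid IDs is fixed at build time. Requests carrying IDs the current build does not know are therefore a useful signal for scanners and exploit attempts. The allowlist and the JSON-lines access log below are constructed; in practice the allowlist is loaded from the current build's server-function manifest and refreshed on every deploy, since IDs change between builds and clients on a stale page will briefly send old ones.

```javascript
// Added example: flag Server Action requests with unknown action IDs and per-IP bursts.
// Not from the advisory or from Next.js; allowlist and log records are constructed.

// Constructed allowlist of the current build's server-function IDs.
// Refresh on every deploy: IDs change between builds.
const KNOWN_ACTION_IDS = new Set(["40a1c3d7e9b2f4c6", "9c0b5e2f1a7d3c84"]);

// Constructed structured access log (JSON lines), not real traffic.
// `nextAction` holds the value of the Next-Action request header when present.
const SAMPLE_LOG = `
{"ts":"2026-03-11T09:00:01Z","ip":"203.0.113.5","method":"POST","path":"/checkout","nextAction":"40a1c3d7e9b2f4c6","status":200}
{"ts":"2026-03-11T09:00:02Z","ip":"203.0.113.5","method":"GET","path":"/","status":200}
{"ts":"2026-03-11T09:00:03Z","ip":"198.51.100.9","method":"POST","path":"/","nextAction":"0000000000000000","status":500}
{"ts":"2026-03-11T09:00:03Z","ip":"198.51.100.9","method":"POST","path":"/","nextAction":"ffffffffffffffff","status":500}
{"ts":"2026-03-11T09:00:04Z","ip":"198.51.100.9","method":"POST","path":"/api/x","nextAction":"deadbeefdeadbeef","status":500}
{"ts":"2026-03-11T09:00:04Z","ip":"198.51.100.9","method":"POST","path":"/login","nextAction":"1111111111111111","status":500}
{"ts":"2026-03-11T09:00:09Z","ip":"192.0.2.44","method":"POST","path":"/checkout","nextAction":"9c0b5e2f1a7d3c8f","status":404}
`;

// Parse JSON-lines text into record objects, skipping blank lines.
function parseJsonLines(text) {
  return text
    .split("\n")
    .filter((line) => line.trim() !== "")
    .map((line) => JSON.parse(line));
}

// Return findings: one "unknown_action_id" per Server Action POST whose ID is not in
// `knownIds`, plus one "probe_burst" per client IP that sent at least `burstThreshold`
// such requests in this batch. (A time-windowed counter would replace the batch count
// in a streaming deployment.)
function analyzeServerActionTraffic(records, knownIds, burstThreshold = 3) {
  const findings = [];
  const unknownPerIp = new Map();
  for (const r of records) {
    // Only Server Action calls carry a Next-Action header; other traffic is out of scope.
    if (r.method !== "POST" || !r.nextAction) continue;
    if (knownIds.has(r.nextAction)) continue;
    findings.push({ kind: "unknown_action_id", ts: r.ts, ip: r.ip, path: r.path, actionId: r.nextAction });
    unknownPerIp.set(r.ip, (unknownPerIp.get(r.ip) || 0) + 1);
  }
  for (const [ip, count] of unknownPerIp) {
    if (count >= burstThreshold) findings.push({ kind: "probe_burst", ip, count });
  }
  return findings;
}

// Run stand-alone against the constructed sample.
if (typeof require !== "undefined" && require.main === module) {
  const records = parseJsonLines(SAMPLE_LOG);
  for (const f of analyzeServerActionTraffic(records, KNOWN_ACTION_IDS)) {
    console.log(JSON.stringify(f));
  }
}
```

A single unknown ID (the 192.0.2.44 record above) is low confidence on its own and is exactly what a client on a stale page produces just after a deploy; a burst of distinct unknown IDs from one source, as from 198.51.100.9, is the pattern worth alerting on and correlating with server errors from the same window.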
