🚨 CVE-2025-55182: Critical Security Vulnerability in React Server Components
CVE-2025-55182 is a critical Remote Code Execution (RCE) vulnerability with a CVSS score of 10.0, affecting applications that use the React Server Components (RSC) infrastructure.
This vulnerability allows unauthenticated attackers to execute arbitrary code on the server.
⚠️ Affected Versions
This issue affects the following versions using React's "Server Components" feature:
- React: 19.0.0, 19.1.0, 19.1.1, 19.2.0
- Related Packages: react-server-dom-webpack, react-server-dom-turbopack, react-server-dom-parcel
- Associated Frameworks: Next.js (Related CVE: CVE-2025-66478), Waku, RedwoodJS, and other React 19-based builds.
🔍 Technical Details (Summary)
Also referred to as "React2Shell" or the "Flight Protocol" vulnerability.
The root cause is unsafe deserialization when the React server processes incoming HTTP requests. An attacker can craft a malicious HTTP request that manipulates the server into executing commands on the server runtime (e.g., Node.js).
Note: Even if your application does not explicitly use "Server Actions," simply having the React Server Components infrastructure enabled may be sufficient to expose the vulnerability.
🛡️ Mitigation and Fix
The React team has patched this vulnerability in React 19.2.1.
1. Update Immediately
Upgrade the React versions in your project to the latest stable release:
npm install react@latest react-dom@latest next@latest
2. Temporary Mitigations (If Unable to Patch)
If you cannot update immediately:
- WAF Rules: Enable specific rules for this CVE (React2Shell/Deserialization protection) in WAF services like Cloudflare.
- Disable RSC: If possible, temporarily disable Server Components features in your application.