A maximum severity security flaw has been disclosed in React Server Components (RSC) that could allow remote code execution if successfully exploited.
This vulnerability is tracked as CVE-2025-55182 and has a CVSS score of 10.0.
The React team said in an alert issued today that this allows for “unauthenticated remote code execution by exploiting a flaw in the way React decodes payloads sent to React server function endpoints.”
“Even if your app doesn’t implement the React Server Function endpoint, it may still be vulnerable if it supports React Server components.”
According to cloud security company Wiz, the issue is a deserialization flaw caused by processing the RSC payload in an insecure manner. As a result, an unauthenticated attacker could send a malicious HTTP request to any server function endpoint and, once React deserializes it, execute arbitrary JavaScript code on the server.
This vulnerability affects versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of the following npm packages:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
This issue is addressed in versions 19.0.1, 19.1.2, and 19.2.1. New Zealand-based security researcher Lachlan Davidson is credited with discovering and reporting the flaw on November 29, 2025.
Note that this vulnerability also affects Next.js applications that use the App Router. That issue has been assigned the CVE identifier CVE-2025-66478 (CVSS score: 10.0) and affects versions 14.3.0-canary.77 and above, 15 and above, and 16 and above. Patched versions are 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, and 15.0.5.
However, any library that bundles RSC may be affected by this flaw. This includes, but is not limited to, Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodJS, and Waku.
Wiz said that 39% of cloud environments have instances vulnerable to CVE-2025-55182 and CVE-2025-66478. Given the severity of the vulnerability, we recommend that users apply the fix as soon as possible for optimal protection.
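A practical first step toward "apply the fix" is knowing where the affected packages sit in a dependency tree, including copies nested under the RSC-bundling libraries mentioned above. The script below is an added example, not code from the React or Next.js projects: it reads an npm lockfile (v2/v3 `packages` map) and flags versions of the three `react-server-dom-*` packages and of `next` against the affected and patched versions listed in this article. The lockfile contents are constructed for illustration; the `review` status is an assumption used for version lines the advisory does not enumerate, and the scan cannot tell whether a Next.js app actually uses the App Router, so a `next` finding still needs that manual check.

```javascript
// Added example (not the React/Next.js projects' own code): scan an npm
// lockfile for package versions affected by CVE-2025-55182 / CVE-2025-66478.
// Version data comes from the advisory text; the statuses and lockfile
// sample below are assumptions made for this example.

const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Affected RSC package versions (advisory writes 19.0 for 19.0.0) and fixes.
const RSC_AFFECTED = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const RSC_FIXED = ["19.0.1", "19.1.2", "19.2.1"];

// Next.js patched releases, one per affected minor line.
const NEXT_FIXED = ["15.0.5", "15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7"];

// Split "16.0.7" or "14.3.0-canary.77" into a numeric core plus prerelease tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

function cmpCore(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Status for react-server-dom-{webpack,parcel,turbopack}.
function rscStatus(version) {
  if (RSC_AFFECTED.has(version)) return "vulnerable";
  const v = parseVersion(version);
  if (!v) return "review";
  if (v.major < 19) return "not-affected";
  const fix = RSC_FIXED.map(parseVersion).find((f) => f.minor === v.minor);
  if (fix && !v.pre && cmpCore(v, fix) >= 0) return "fixed";
  return "review"; // unlisted 19.x line or a prerelease build: check the advisory
}

// Status for next (App Router usage must be confirmed separately).
function nextStatus(version) {
  const v = parseVersion(version);
  if (!v) return "review";
  if (v.major < 14) return "not-affected";
  if (v.major === 14) {
    // Only 14.3.0-canary.77 and later canary builds are listed as affected.
    if (v.minor === 3 && v.patch === 0 && v.pre && v.pre.startsWith("canary.")) {
      return Number(v.pre.slice("canary.".length)) >= 77 ? "vulnerable" : "not-affected";
    }
    if (v.minor > 3 || (v.minor === 3 && v.patch > 0)) return "review";
    return "not-affected";
  }
  // 15.x and 16.x: vulnerable unless at or past the fix for that minor line.
  const fix = NEXT_FIXED.map(parseVersion).find(
    (f) => f.major === v.major && f.minor === v.minor
  );
  if (!fix) return "review";
  return !v.pre && cmpCore(v, fix) >= 0 ? "fixed" : "vulnerable";
}

// Walk the lockfile "packages" map (lockfileVersion 2/3); nested copies such
// as node_modules/<lib>/node_modules/react-server-dom-webpack are included.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path || !meta.version) continue; // "" is the root project entry
    const name = path.split("node_modules/").pop();
    if (RSC_PACKAGES.has(name)) {
      findings.push({ name, version: meta.version, cve: "CVE-2025-55182", status: rscStatus(meta.version) });
    } else if (name === "next") {
      findings.push({ name, version: meta.version, cve: "CVE-2025-66478", status: nextStatus(meta.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project).
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/next": { version: "15.4.7" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/waku/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(13)} ${f.name}@${f.version} (${f.cve})`);
}
```

Run it against a real project by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; lockfileVersion 1 files have no `packages` map and would need the older `dependencies` tree walked instead.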