A critical vulnerability in React Server Components (RSC) has triggered an urgent security push across the web development ecosystem.
The vulnerability, tracked as CVE-2025-55182 with a CVSS score of 10, enables attackers to run code on a server through a single unauthenticated HTTP request.
This bug affects core RSC packages as well as major frameworks that rely on them, including Next.js, React Router’s RSC preview, Redwood SDK, Waku, and RSC plugins for Vite and Parcel.
The separate Next.js issue initially listed as CVE-2025-66478 has been folded into the same identifier.
Cybersecurity experts are concerned about the scale of the exposure: the flaw could affect tens of millions of websites and is present in almost 39% of cloud infrastructures. A proof-of-concept exploit is already public on GitHub, and Wiz says its internal tests achieved near-perfect reliability.
React Server Components handle part of a site’s rendering on the server and use a lightweight transport protocol, known as Flight, to stream serialized data. The security flaw stems from unsafe deserialization of these Flight streams.
Affected React versions include 19.0.0, 19.1.0, 19.1.1, and 19.2.0, along with related RSC packages.
Vulnerable Next.js releases span 15.0.4 through 16.0.6.
What makes it dangerous is that the attack requires no authentication: attackers can trigger server-side code execution with the privileges of the process running React. Although no real-world exploitation has been confirmed, the availability of working exploits has raised concern among cloud and application-security teams.
Patching and Protection
React users need to upgrade to 19.0.1, 19.1.2, or 19.2.1. Updated Next.js versions include 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7.
Other affected projects, including React Router, Expo, Redwood, Waku, Vite, and Parcel, have published their own guidance.
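A triage helper that compares the package versions recorded in a project's package-lock.json against the affected and patched versions quoted above, added here as an example (not code from the article or from the React or Next.js projects). It assumes a lockfileVersion 2 or 3 layout; the set of RSC package names and the sample lockfile are constructed for the example.

```javascript
// Added example: classify locked package versions against the versions named in the article.
// Version strings below are the ones quoted in the text; the package set is an assumption.
const REACT_VULNERABLE = ["19.0.0", "19.1.0", "19.1.1", "19.2.0"];
const REACT_FIXED = ["19.0.1", "19.1.2", "19.2.1"];
const NEXT_RANGE = ["15.0.4", "16.0.6"]; // inclusive span of affected Next.js releases
const NEXT_FIXED = ["15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7"];
// Assumption: packages that carry the RSC code in a typical stack; extend for your own setup.
const REACT_PACKAGES = new Set(["react", "react-dom", "react-server-dom-webpack"]);
const parse = (v) => { const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v); return m && m.slice(1).map(Number); };
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
const sameLine = (a, b) => a[0] === b[0] && a[1] === b[1]; // same major.minor release line
// Classifies one package@version as "vulnerable", "fixed", "unaffected" or "unknown".
function assess(name, version) {
  const v = parse(version);
  if (!v) return "unknown";
  if (REACT_PACKAGES.has(name)) {
    if (REACT_VULNERABLE.some((x) => cmp(parse(x), v) === 0)) return "vulnerable";
    const fix = REACT_FIXED.map(parse).find((f) => sameLine(f, v));
    return fix && cmp(v, fix) >= 0 ? "fixed" : "unaffected";
  }
  if (name === "next") {
    const fix = NEXT_FIXED.map(parse).find((f) => sameLine(f, v));
    if (fix && cmp(v, fix) >= 0) return "fixed"; // at or past the backported fix for this line
    const [lo, hi] = NEXT_RANGE.map(parse);
    return cmp(v, lo) >= 0 && cmp(v, hi) <= 0 ? "vulnerable" : "unaffected";
  }
  return "unaffected";
}
// Walks the "packages" map of a package-lock.json (lockfileVersion 2/3), nested copies included.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path || !entry.version) continue; // "" is the root project itself
    const name = path.split("node_modules/").pop();
    const status = assess(name, entry.version);
    if (status !== "unaffected") findings.push({ path, version: entry.version, status });
  }
  return findings;
}
// Constructed sample lockfile (not from a real project) with one nested, older React copy.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/react": { version: "19.2.0" },
  "node_modules/react-dom": { version: "19.2.0" },
  "node_modules/next": { version: "15.5.6" },
  "node_modules/legacy-widget/node_modules/react": { version: "18.3.1" },
} };
console.table(scanLockfile(SAMPLE_LOCK)); // three vulnerable entries; the nested 18.3.1 copy is unaffected
```

Point `scanLockfile` at `JSON.parse(fs.readFileSync("package-lock.json"))` to run it against a real project; a "fixed" result only means the version is at or past the patched release for that line.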
Considering the seriousness of the problem, several cloud providers, such as Akamai, AWS, Cloudflare, Google Cloud, and Vercel, have rolled out temporary defenses. They have issued or automatically applied WAF rules that have the capability to block exploit attempts. Providers emphasized that these filters offer short-term protection and do not replace patching.
- Experts suggest that security teams check whether RSC endpoints are exposed, tighten access controls, and enable EDR or EPP tools to monitor for abnormal server activity.
- Review logs for unusual Flight or POST requests, reconnaissance attempts, or attempts to access secrets such as .env files and CI/CD tokens.
Default settings in modern React and Next.js projects often enable RSCs automatically, which means many applications may be exposed even when their developers are not actively using server-side features.