Unauthenticated RCE Hits React Server Components

Two critical vulnerabilities, CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), allow unauthenticated remote code execution (RCE) through insecure deserialization in the React Server Components (RSC) "Flight" protocol. The flaw is reachable in default production configurations and affects servers running the React 19 react-server-dom-* packages directly, or through any framework that bundles an RSC implementation.

Root Cause: Insecure Deserialization in RSC Flight Payloads

React Server Components use the Flight protocol in both directions: the server streams serialized component trees to the client, and the client sends serialized arguments back when it calls a Server Function. On the server, the react-server-dom-* packages deserialize the incoming payload and reconstruct the referenced objects and function calls.

In vulnerable versions, the server-side decoder:

  • Accepts attacker-controlled Flight payloads on any Server Function endpoint, with no authentication step before decoding
  • Resolves references embedded in the payload without checking that they point at the kinds of values the decoder expects
  • Lets crafted values steer decoding into internal code paths that were never meant to receive client input
  • Ends with attacker-controlled JavaScript running inside the Node.js server process

A single crafted request is enough to escape the intended payload structure and reach such a path; no follow-up interaction with the application is needed.

Affected Versions

React (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack)

  • Vulnerable: 19.0.0, 19.1.0, 19.1.1, 19.2.0
  • Fixed: 19.0.1, 19.1.2, 19.2.1

Next.js (App Router)

  • Vulnerable:
    • 14.3.0-canary
    • 15.x series
    • 16.x series
  • Fixed builds:
    • 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7
    • 16.0.7
    • Canary users must revert to stable 14.x.

Other ecosystems bundling RSC

  • Vite RSC Plugin
  • Parcel RSC
  • Redwood SDK
  • Waku
  • React Router RSC preview

Any framework that bundles the vulnerable react-server-dom-* packages inherits the flaw and needs its own patched release.

Attack Vector: Unauthenticated, Single HTTP Request

The attack does not require authentication, session tokens, CSRF bypass, or application interaction.

A payload shaped as an RSC Flight request to the application's Server Function route is sufficient:

POST /RSC_ENDPOINT HTTP/1.1
Content-Type: text/x-component
...

[crafted Flight payload, text or binary chunks]

When processed, the vulnerable decoder follows the injected object and function references into a code path that runs attacker-controlled JavaScript in the server process.

Wiz Research validated near-100% exploitation reliability against unmodified default create-next-app deployments.

Why Default Apps Were Exploitable

The default Next.js App Router configuration:

  1. Enables React Server Components by default
  2. Exposes the Server Function request handler on ordinary application routes, with no opt-in
  3. Delegates Flight payload deserialization to the vulnerable react-server-dom-* libraries

Thus, any newly scaffolded Next.js App Router app, even one that defines no Server Functions or custom RSC handlers of its own, was an RCE target.

Cloud Exposure Statistics

Wiz cloud telemetry:

  • 39% of cloud environments contain vulnerable React/Next.js versions
  • 69% contain Next.js packages
  • 44% have publicly exposed Next.js web applications in production

This makes the vulnerability one of the highest-impact RCE events seen in modern JavaScript ecosystems.

Security Impact

The vulnerability enables:

  • Remote code execution in the Node.js server process, i.e. arbitrary server-side JavaScript
  • File system access
  • Environment variable extraction (cloud credentials, API keys and database URLs commonly live there)
  • Credential and token theft
  • Pivoting into downstream services and supply-chain dependencies reachable from the server

Because the attack vector is unauthenticated, exposure is equivalent to having a public RCE endpoint.

Required Remediation

Upgrade React Packages

npm install react@latest react-dom@latest react-server-dom-webpack@latest

(Substitute react-server-dom-parcel or react-server-dom-turbopack for the webpack package if that is the bundler your build uses; react and react-dom should be upgraded to the same release as the server package.)

Upgrade Next.js (choose your release line)

npm install next@15.0.5

npm install next@15.1.9

npm install next@15.2.6

npm install next@15.3.6

npm install next@15.4.8

npm install next@15.5.7

npm install next@16.0.7

If on Canary

npm install next@14

Upgrade 3rd-party RSC implementations

For Vite, Parcel, Waku, Redwood, React Router RSC:

npm install @vitejs/plugin-rsc@latest

npm install @parcel/rsc@latest

npm install waku@latest

npm install rwsdk@latest

Hosting provider mitigations

Temporary filters and request hardening have been applied by major hosting platforms (Vercel, Netlify, Render, Cloudflare), but these are not substitutes for patching.

Timeline Summary (2025)

  • Nov 29 — Vulnerability reported to Meta
  • Nov 30 — Confirmed; fix development begins
  • Dec 1 — Cross-ecosystem coordination with hosting providers
  • Dec 3 — Fix published; CVE disclosed publicly

Conclusion

CVE-2025-55182 and CVE-2025-66478 represent a fundamental weakness in the RSC Flight protocol’s handling of untrusted data. Because React Server Components are becoming deeply embedded in modern frameworks, the attack surface extends across the JavaScript ecosystem. For organizations running React 19 or any Next.js App Router application, immediate upgrades are mandatory.
