Emergency Security Bulletin: Unauthenticated Remote Code Execution in React Server Components / react-server (deserialization flaw)

By: RedLegg's Cyber Threat Intelligence Team

About:

CVE-2025-55182 is a critical unauthenticated remote code execution vulnerability affecting React Server Components and the react-server “Flight” deserialization protocol. The flaw allows attacker-controlled HTTP requests to manipulate unsafe deserialization logic in Server Function endpoints, leading to arbitrary server-side code execution in default configurations. Because many modern frameworks bundle react-server by default, the risk extends to applications using Next.js, Vite RSC plugins, Parcel RSC, and other RSC-based deployments—even without custom server code.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.


VULNERABILITIES

Unauthenticated Remote Code Execution in React Server Components / react-server (deserialization flaw)

CVSS Score: 10.0 (Critical)
Identifier: CVE-2025-55182
Exploit or Proof of Concept (PoC):

There is public and industry-wide confirmation of the vulnerability. While fully verified public proof-of-concept (PoC) exploit code has not been broadly published, the vulnerability is considered exploitable in default configurations of affected packages. The exploitable path is a crafted HTTP request to a React Server Function endpoint that triggers the unsafe deserialization and, through it, remote code execution.


Update: 

Affected react-server variants are patched in the following versions: react-server-dom-parcel 19.0.1, 19.1.2, 19.2.1; react-server-dom-turbopack 19.0.1, 19.1.2, 19.2.1; react-server-dom-webpack 19.0.1, 19.1.2, 19.2.1. Frameworks and tools bundling react-server (e.g. Next.js, Vite-RSC, Parcel-RSC plugin, other RSC-capable frameworks) should also be updated per their maintainers.
Description:

CVE-2025-55182 arises from a flaw in how react-server (used by React Server Components) handles the "Flight" protocol for server-based rendering and Server Functions / Server Actions. Specifically, the server-side deserialization logic fails to properly validate payload structure, allowing attacker-controlled data to be treated as internal objects or module references. An unauthenticated attacker who can send a specially crafted HTTP request to a vulnerable Server Function endpoint can trigger server-side execution of arbitrary code. Because many default deployments of React (and downstream frameworks) embed react-server, the risk affects a broad range of applications, even those without custom server code.

Mitigation Recommendation:

Immediately upgrade all react-server packages to patched versions: react-server-dom-parcel 19.0.1 / 19.1.2 / 19.2.1 or later; react-server-dom-turbopack 19.0.1 / 19.1.2 / 19.2.1 or later; react-server-dom-webpack 19.0.1 / 19.1.2 / 19.2.1 or later. If using frameworks or bundlers that include react-server (e.g. Next.js, Vite RSC plugin, Parcel RSC plugin, other RSC-enabled tools), update those frameworks/plugins to versions that bundle the patched react-server or otherwise apply the vendor's hotfix. Note that a framework may carry its own nested copy of a react-server-dom-* package, so check every copy in the dependency tree, not only the top-level one. For production-facing apps, consider enabling additional protections (e.g. Web Application Firewall, input validation, strict deserialization guards) until all code paths are verified clean.
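The following Node.js script is an added example, not part of the RedLegg bulletin and not a tool from the React project: it audits a package-lock.json for the three react-server-dom-* packages named above and compares each recorded version against the patched versions listed in the Update section (19.0.1, 19.1.2, 19.2.1 on their respective release lines). Versions on a release line the bulletin does not list (for example 18.x), and pre-release or canary builds, are reported as "unlisted" for manual review rather than assumed safe. The embedded sample lockfile and the package name "some-framework" in it are constructed for illustration.

```javascript
// Added example (not from the bulletin): audit package-lock.json for
// react-server-dom-* versions against the patched versions the bulletin lists.
// Plain Node.js, no third-party dependencies.

// Patched versions per release line, as listed in the bulletin; all three
// react-server-dom-* packages share the same fixed versions.
const PATCHED_BY_LINE = {
  "19.0": "19.0.1",
  "19.1": "19.1.2",
  "19.2": "19.2.1",
};

const AFFECTED_PACKAGES = [
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
];

// Parse "MAJOR.MINOR.PATCH" with an optional pre-release/build suffix.
// Returns null when the string is not a semver-style version.
function parseVersion(v) {
  const s = String(v);
  const m = /^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(s);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: /[-+]/.test(s) };
}

// Classify one installed version as "patched", "vulnerable" (same release line,
// patch number below the fix), or "unlisted" (a line the bulletin does not
// cover, a canary/pre-release build, or an unparseable version string).
function classify(version) {
  const parsed = parseVersion(version);
  if (!parsed || parsed.prerelease) return "unlisted";
  const fixed = PATCHED_BY_LINE[`${parsed.major}.${parsed.minor}`];
  if (!fixed) return "unlisted";
  return parsed.patch >= parseVersion(fixed).patch ? "patched" : "vulnerable";
}

// Walk a parsed package-lock.json: lockfileVersion 2/3 expose a flat "packages"
// map keyed by install path; lockfileVersion 1 nests "dependencies". Nested
// copies under a framework's own node_modules are reported too.
function auditLockfile(lock) {
  const findings = [];
  const record = (path, name, version) =>
    findings.push({ path, name, version, status: classify(version) });

  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = path.split("node_modules/").pop();
      if (AFFECTED_PACKAGES.includes(name) && meta && meta.version) record(path, name, meta.version);
    }
    return findings;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (AFFECTED_PACKAGES.includes(name) && meta && meta.version) record(path, name, meta.version);
      if (meta && meta.dependencies) walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return findings;
}

function summarize(findings) {
  return {
    total: findings.length,
    vulnerable: findings.filter((f) => f.status === "vulnerable").length,
    unlisted: findings.filter((f) => f.status === "unlisted").length,
    findings,
  };
}

// Constructed sample lockfile (not a real project): a hoisted patched copy, an
// unpatched copy nested under a hypothetical framework, an unpatched parcel
// package, and a canary build that needs manual review.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/some-framework/node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/react-server-dom-parcel": { version: "19.0.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.3.0-canary-0000000-20250101" },
  },
};

// Usage: node audit-rsc.js [path/to/package-lock.json]; exits 1 if anything is vulnerable.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const lockPath = process.argv[2];
  const lock = lockPath ? JSON.parse(require("fs").readFileSync(lockPath, "utf8")) : SAMPLE_LOCK;
  const result = summarize(auditLockfile(lock));
  for (const f of result.findings) console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
  console.log(`${result.vulnerable} vulnerable, ${result.unlisted} need review, ${result.total} total`);
  process.exitCode = result.vulnerable > 0 ? 1 : 0;
}
```

Run it against your own lockfile with `node audit-rsc.js package-lock.json`; with no argument it audits the embedded sample. Treat "unlisted" results as work items, not as a clean bill: the script only knows the three release lines the bulletin names, and a canary or pre-release build has to be checked against the maintainers' own guidance.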