An Existential Threat to the Modern Web
A Critical vulnerability rated CVSS 10.0 has just been disclosed in React Server Components, and it touches a large share of modern web applications. The flaw yields Remote Code Execution (RCE) on the server: an unauthenticated attacker, literally anyone who can reach the application over the internet, can run arbitrary code on your infrastructure with a single crafted request.
You must take that risk seriously. Is your application built on the App Router? Does a dependency pull it in? The architecture designed to make web apps faster and more modern introduced a security hole that security firms have described as an existential threat. This is a live, exploit-ready vulnerability that demands your immediate, focused attention.
The developer community just received a bombshell in the form of CVE-2025-55182 and its sibling, the Next.js-specific CVE-2025-66478. These are not minor bugs; they hold the highest severity rating: Critical 10.0. My 25 years in software development confirm that a flaw this severe in foundational technology cannot be ignored.
The root cause is unsafe deserialization inside the React Flight protocol, React's own wire format for sending data and component trees between your server and the user's browser. React Server Components rely on it to deliver a snappy user experience, and that same channel is what the attacker abuses.
- The Problem: The server-side logic that turns a received Flight payload back into objects was insufficiently secured, so the payload could steer what the server constructs.
- The Exploit: An external attacker crafts a malicious payload in an ordinary HTTP request. When the server deserializes it, the attacker controls what gets constructed and ends up executing arbitrary JavaScript on the server.
In practice this means an attacker needs no credentials and no special network position: they send the crafted request to any endpoint that accepts server function (server action) requests and obtain Remote Code Execution. The advisories themselves state that a freshly generated application running with default configuration is vulnerable, which is a truly frightening thought.
Target Ecosystem: Next.js and the App Router
This flaw affects every application that uses React Server Components, which for a massive portion of the ecosystem means Next.js applications using the App Router. Next.js has become the de-facto standard for scalable, performant React applications.
This is not a vulnerability caused by your custom code or an unusual configuration; it is a flaw in the framework packages you inherit from upstream. Your security is only as strong as your deepest dependency. Consider the implication of the advisory's statement that an application using all default configurations is immediately vulnerable: that describes a huge percentage of the modern web.
Mitigation: Patching is the Only Fix
The good news? The React and Next.js maintainers moved fast and published patched releases alongside the advisories. The bad news? You must apply them right now. WAF rules and request filtering may reduce exposure while you roll the upgrade out, but they are not a substitute for the fix: they cannot reliably stop this RCE without also breaking legitimate server component traffic. The only definitive fix is to upgrade.
Immediate Action Required
This is not a task you can postpone until next sprint; it is a fire drill. Bumping the version numbers is not enough on its own: the application must be rebuilt and redeployed so that the patched code is what actually serves traffic.
- For React Core Users: If you use `react-server-dom-webpack`, `react-server-dom-parcel`, or `react-server-dom-turbopack` at version 19.0.0, 19.1.0, 19.1.1, or 19.2.0, upgrade to the patched release on your line: 19.0.1, 19.1.2, or 19.2.1 respectively.
- For Next.js App Router Users: Upgrade to the patched release on your major.minor line: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7. Check your lockfile and `node_modules`, not just `package.json`, so that a nested or hoisted older copy does not survive the upgrade.
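The quickest way to know whether the upgrade actually landed is to read the versions your project resolved, not the ranges in package.json. The following Node script is an added example written for this post; it is not code from the React or Next.js projects or their advisories. The patched version numbers in it are the ones listed above; the package-lock.json fragment embedded at the bottom is constructed for illustration and does not describe a real project. It walks every `node_modules` path in a lockfileVersion 2 or 3 lockfile, so a second, older copy nested under another dependency is flagged too, and it treats a prerelease of a patched version (a `-canary` build) as unpatched rather than guessing.

```javascript
"use strict";

// Patched releases from the React and Next.js advisories. Every earlier
// version on the same major.minor line is affected; lines not listed here
// (for example Next.js 14.x, or react itself) are reported as "untracked"
// and must be confirmed against the advisory by hand.
const PATCHED_RELEASES = {
  "react-server-dom-webpack": ["19.0.1", "19.1.2", "19.2.1"],
  "react-server-dom-parcel": ["19.0.1", "19.1.2", "19.2.1"],
  "react-server-dom-turbopack": ["19.0.1", "19.1.2", "19.2.1"],
  "next": ["15.0.5", "15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7"],
};

// Minimal semver parser: "MAJOR.MINOR.PATCH" plus an optional prerelease
// tag is all we need, so the script has no dependency on the semver package.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(version);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Classify one resolved package version as "vulnerable", "patched", or
// "untracked" (no advisory data for that package or release line).
function classify(name, version) {
  const patches = PATCHED_RELEASES[name];
  const v = parseVersion(version);
  if (!patches || !v) return "untracked";
  const fix = patches
    .map(parseVersion)
    .find((p) => p.major === v.major && p.minor === v.minor);
  if (!fix) return "untracked";
  if (v.patch < fix.patch) return "vulnerable";
  // 16.0.7-canary.3 sorts before 16.0.7 in semver; do not assume the fix
  // is in a prerelease build, treat it as unpatched and verify by hand.
  if (v.patch === fix.patch && v.prerelease) return "vulnerable";
  return "patched";
}

// Walk a package-lock.json (lockfileVersion 2 or 3). Each key under
// "packages" is a node_modules path, nested installs included, so hoisting
// cannot hide an older duplicate of next or react-server-dom-*.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1 || !entry.version) continue;
    const name = path.slice(idx + "node_modules/".length);
    if (!(name in PATCHED_RELEASES)) continue;
    findings.push({ path, name, version: entry.version, status: classify(name, entry.version) });
  }
  return findings;
}

// Constructed lockfile fragment (not a real project) used when no path is given.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/next": { version: "15.5.6" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/some-lib/node_modules/next": { version: "16.0.7-canary.3" },
  },
};

// Usage: node rsc-audit.js [path/to/package-lock.json]
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("node:fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  const findings = auditLockfile(lock);
  for (const f of findings) {
    console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
  }
  const bad = findings.filter((f) => f.status === "vulnerable").length;
  console.log(bad ? `${bad} vulnerable package(s) found` : "no vulnerable packages found");
}

if (typeof module !== "undefined") {
  module.exports = { parseVersion, classify, auditLockfile, SAMPLE_LOCK };
}
```

Run it against the real lockfile after `npm install`, then rebuild and redeploy; a clean report here only proves what is on disk, not what is running in production, so confirm the deployed build as well. `npm audit` will also flag these advisories once its database is current, but the script above is useful when a private registry or a cached mirror lags behind.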
Securing your company is an ongoing commitment, not a one-time project. Check the official advisories from React and Next.js immediately; they carry the authoritative list of affected and patched versions.
Official Security Advisory Links
Here are the official resources detailing the vulnerability and the required patch versions:
- React Security Advisory (CVE-2025-55182): Critical Security Vulnerability in React Server Components
- Next.js Security Advisory (CVE-2025-66478): Security Advisory: CVE-2025-66478
Final Thoughts
The vulnerability exposed by CVE-2025-55182 and CVE-2025-66478 is a stark reminder that even the most innovative and trusted frameworks can hide profound risks, turning convenience into a critical security debt. We must be constantly learning and keeping up with the security landscape.
Is your team scrambling to address this critical threat, or do you need expert guidance on hardening your infrastructure and developer security lifecycle?
We can help! Schedule a consultation with us today.