Key Takeaways
- CVE-2025-55182 is a critical remote code execution vulnerability in React Server Components.
- Next.js assigns a related identifier, CVE-2025-66478, due to its use of the same underlying Flight protocol.
- Vulnerable versions include react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack across multiple React 19 releases.
- Frameworks such as Next.js, React Router (RSC mode), Vite RSC plugin, Parcel RSC plugin, RedwoodSDK, and Waku bundle these vulnerable packages.
- Aikido now tracks the 10/10-severity CVE-2025-55182 and the related Next.js CVE-2025-66478. Connect your repos to scan for it.
TLDR: See How You Are Affected
Aikido now tracks CVE-2025-55182 and the related Next.js CVE-2025-66478. Connect your repositories to determine whether your application or its dependencies include vulnerable React Server Component implementations.
Remediation Steps
1. Upgrade React
Install a patched React version such as 19.0.1, 19.1.2, or 19.2.1. These include hardened input handling.
2. Upgrade Frameworks That Bundle RSC
Update your framework to its corresponding patched version.
Next.js users should upgrade to the latest patched release within their major version line.
Anyone on a canary version starting at 14.3.0-canary.77 should switch back to the latest stable 14.x release.
3. Update RSC-Enabled Bundlers and Plugins
Ensure you update:
- Vite RSC plugin
- Parcel RSC plugin
- React Router RSC preview
- RedwoodSDK
- Waku
Each has released versions that include the fixed RSC implementation.
4. Validate With Aikido
After upgrading, run a scan to confirm that:
- All vulnerable versions have been removed
- No transitive dependencies remain affected
- Framework and bundler integrations are fully patched
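As an added example (not part of the original advisory and not Aikido's scanner), the following Node.js script walks a package-lock.json and flags every installed copy of the RSC packages named above, including transitive copies nested under a framework, whose version is below the fixed releases listed in step 1. The lockfile contents and the "some-framework" package name are constructed for the example.

```javascript
// Added example, not Aikido's code: classify installed react-server-dom-* versions
// from a package-lock.json (lockfileVersion 2/3 "packages" map) against the fixes.
const RSC_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);

// Fixed releases per the advisory: 19.0.1, 19.1.2, 19.2.1. Anything in the same
// minor line below the fix is vulnerable; other lines are reported as out of scope.
const FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };

function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(version);
  if (!m) return 'unparseable';
  const [major, minor, patch] = m.slice(1, 4).map(Number);
  if (major !== 19 || !(minor in FIXED_PATCH)) return 'out-of-scope';
  // A pre-release tag sorts before its base version, so 19.2.1-canary.x is below 19.2.1.
  const prerelease = Boolean(m[4]);
  if (patch < FIXED_PATCH[minor] || (patch === FIXED_PATCH[minor] && prerelease)) {
    return 'vulnerable';
  }
  return 'patched';
}

function findVulnerableRsc(lockfile) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === '') continue; // the root project entry
    // Package name is whatever follows the last "node_modules/" (handles nested copies).
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (!RSC_PACKAGES.has(name)) continue;
    findings.push({ path, name, version: entry.version, status: classify(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile: a patched top-level copy plus a vulnerable transitive
// copy nested under a framework package, the case step 4 tells you to check for.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/react': { version: '19.2.1' },
    'node_modules/react-server-dom-webpack': { version: '19.2.1' },
    'node_modules/some-framework/node_modules/react-server-dom-turbopack': { version: '19.1.1' },
  },
};

for (const f of findVulnerableRsc(SAMPLE_LOCK)) {
  console.log(f.status.padEnd(12), f.version.padEnd(10), f.path);
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; any `vulnerable` line means a copy survived the upgrade.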
Background
CVE-2025-55182 is a critical unauthenticated remote code execution vulnerability affecting React Server Components. It also affects the broader ecosystem of frameworks that rely on the React Flight protocol. Next.js has assigned CVE-2025-66478 to track its exposure, which stems from the same underlying issue.
The vulnerability allows specially crafted requests to trigger unsafe deserialization behavior within the server-side RSC implementation, which can lead to remote code execution under certain conditions. It affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0, as well as downstream integrations that embed these packages.
Deep Dive
Nature of the Vulnerability
The issue stems from unsafe handling of serialized payloads in the React Flight protocol. Malformed or adversarial payloads can influence server-side execution in unintended ways. Patched React versions include stricter validation and hardened deserialization behavior.
Why You May Be Affected Even Without Using Server Functions
Frameworks commonly embed the RSC implementation by default. An application can therefore be exposed even if it does not explicitly define Server Functions. The integration layer itself can invoke the vulnerable code path.
Affected Versions
React versions 19.0, 19.1.0, 19.1.1, and 19.2.0 are vulnerable.
Next.js versions beginning at 14.3.0-canary.77, as well as all 15.x and 16.x releases prior to their patched versions, are affected due to their use of the RSC implementation.
Hosting Environment Notes
Vercel has implemented request-layer protections to reduce exposure while users upgrade, but these do not remediate the vulnerability. All users should update to patched versions as soon as possible.
Severity
CVSS Score: 10.0 Critical
Impact: Remote code execution
Attack Vector: Remote and unauthenticated
Timeline
November 29: Vulnerability reported
November 30: Confirmation and fix development
December 1: Coordination with framework maintainers and hosting providers
December 3: Public patches released and CVE disclosed
Proof of Concept (Credit to @maple3142)
The following proof-of-concept video, originally published by @maple3142 on X, demonstrates how specially crafted multipart requests can exploit unsafe deserialization in affected React and Next.js versions. All credit to the original author.
Watch the full proof-of-concept video here.
The researcher demonstrated that by manipulating RSC’s deserialization logic, an attacker can control the Chunk.prototype.then resolution pathway, leading to execution of attacker-controlled logic during Blob deserialization. Full technical details are available in the original POC published on GitHub Gist by @maple3142.
Scan Your Codebase Now
Aikido tracks CVE-2025-55182 and CVE-2025-66478 across all supported ecosystems. Connect your repositories to perform a full scan and quickly assess your exposure. Start for free with Aikido here.
References
React Team. CVE-2025-55182 Disclosure
Vercel Security Notice on CVE-2025-55182 and CVE-2025-66478