Critical Unauthenticated RCE Vulnerabilities in React Server Components and Next.js
A critical unauthenticated remote code execution (RCE) vulnerability, tracked as CVE-2025-55182, has been discovered in React Server Components, affecting core React packages (react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack) in versions 19.0, 19.1.0, 19.1.1, and 19.2.0. The flaw arises from unsafe deserialization of payloads sent to React Server Function endpoints, allowing attackers to execute arbitrary code on the server without authentication. This vulnerability also impacts frameworks and bundlers that integrate React Server Components, including Next.js (assigned CVE-2025-66478), Vite, Parcel, React Router, RedwoodSDK, and Waku. Even default configurations and newly generated Next.js applications are vulnerable, and exploitation requires only a crafted HTTP request, with no developer error or special setup needed.
Immediate patching is strongly advised, as the vulnerability is rated CVSS 10.0 (critical) and has been shown to be highly reliable in exploitation tests. Patched versions are available for React (19.0.1, 19.1.2, 19.2.1) and Next.js (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7), and users are urged to upgrade all affected packages and dependencies. Some hosting providers, such as Vercel, have implemented temporary platform-level mitigations, but these are not a substitute for patching. Security researchers estimate that up to 39% of cloud environments may contain vulnerable instances, underscoring the urgency of remediation across the React and Next.js ecosystem.
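The upgrade guidance above reduces to a version check per release line: a copy of one of the three react-server-dom packages, or of Next.js, is affected when it sits on a listed line below that line's fixed version. As an added example that is not part of this advisory or of the React and Next.js projects, the JavaScript below scans an npm package-lock.json (lockfileVersion 2/3) for those packages, including nested copies, and reports which ones are below the fixed versions listed above. It also carries a second threshold table using the later React Server Components fixed versions quoted in the related stories; Next.js fixed versions for those follow-ups are not on this page, so that table leaves Next.js unknown and skips it rather than guessing. The sample lockfile is constructed, and the check is limited to the packages the advisory names, so the react package itself is not flagged.

```javascript
// Added example (not from the advisory or the React/Next.js projects): scan an npm
// package-lock.json (lockfileVersion 2/3, which carry a "packages" map) for
// React Server Components packages and Next.js releases that predate the fixed
// versions listed above. Release lines not listed are treated as unknown and skipped.

const RSC_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];

// Minimum fixed version per affected release line (major.minor), per the
// CVE-2025-55182 advisory text above.
const REACT2SHELL_FIXED = {
  rsc: { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" },
  next: {
    "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
    "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7",
  },
};

// Thresholds from the later RSC advisories (CVE-2025-55183/55184/67779) quoted
// in the related stories. Next.js fixed versions for those are not given on
// this page, so `next` is null and Next.js entries are skipped for this table.
const RSC_FOLLOWUP_FIXED = {
  rsc: { "19.0": "19.0.3", "19.1": "19.1.4", "19.2": "19.2.3" },
  next: null,
};

// "19.2.0-canary.12+build" -> [19, 2, 0]; prerelease tags are dropped so a
// canary of 19.2.0 is still treated as below 19.2.1 (conservative).
function parseVersion(v) {
  const parts = String(v).split(/[-+]/)[0].split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) return null;
  return parts;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns the fixed version to upgrade to when `version` is on an affected
// release line and below the fix; null if already fixed or on an unlisted line.
function vulnerableAgainst(version, fixedByLine) {
  const parsed = parseVersion(version);
  if (!parsed) return null;
  const fixed = fixedByLine[`${parsed[0]}.${parsed[1]}`];
  if (!fixed) return null;
  return compareVersions(parsed, parseVersion(fixed)) < 0 ? fixed : null;
}

// `lock` is a parsed package-lock.json object. Keys in lock.packages look like
// "node_modules/next" or "node_modules/tool/node_modules/next" for nested copies.
function scanLockfile(lock, table = REACT2SHELL_FIXED) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!entry || !entry.version) continue;
    const name = path.split("node_modules/").pop();
    let fixedByLine = null;
    if (RSC_PACKAGES.includes(name)) fixedByLine = table.rsc;
    else if (name === "next") fixedByLine = table.next;
    if (!fixedByLine) continue; // not a package of interest, or thresholds unknown
    const fixed = vulnerableAgainst(entry.version, fixedByLine);
    if (fixed) findings.push({ name, path, version: entry.version, fixed });
  }
  return findings;
}

// Constructed sample lockfile (not a real project): one vulnerable Next.js, one
// vulnerable RSC package, and a nested copy already patched for CVE-2025-55182.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/next": { version: "15.5.6" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-tool/node_modules/react-server-dom-webpack": { version: "19.2.1" },
  },
};

console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
```

For a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` in place of SAMPLE_LOCK, and run it once per threshold table. An empty result means no listed package is below its threshold, not that the deployment is clean: lines the page does not list are skipped as unknown, and nested copies pulled in by other dependencies count just as much as the top-level one.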
Timeline
Dec 16, 2025
Microsoft details active attacks across Windows and Linux
By 2025-12-16, Microsoft reported active exploitation beginning on 2025-12-05 against both Windows and Linux targets, including reverse shells, Cobalt Strike, RATs, cryptominers, and theft of cloud identity tokens. The report highlighted cross-cloud post-exploitation risk affecting Azure, AWS, and GCP environments.
Dec 12, 2025
Metasploit adds an exploit module for React2Shell
On 2025-12-12, Rapid7 announced that Metasploit had added an exploit module for CVE-2025-55182, making offensive testing and potential abuse easier for defenders and attackers alike. This followed earlier public PoC and scanner releases.
Dec 11, 2025
React and Next.js disclose two additional RSC vulnerabilities
On 2025-12-11, React/Next.js disclosed two additional upstream React Server Components issues: CVE-2025-55183, a source code exposure flaw, and CVE-2025-55184, a denial-of-service issue. Next.js stated the original React2Shell patch remained effective against the RCE and released updated fixed versions for the new issues.
Dec 6, 2025
CISA adds CVE-2025-55182 to the KEV catalog
On 2025-12-06, CISA added CVE-2025-55182 to its Known Exploited Vulnerabilities catalog after active exploitation was confirmed. Federal agencies were given a remediation deadline of 2025-12-26 under BOD 22-01.
Dec 5, 2025
Kaspersky honeypots record attacks starting December 5
Kaspersky reported that its honeypots began detecting exploitation attempts for CVE-2025-55182 on 2025-12-05, with activity increasing rapidly afterward. The attacks included delivery of botnets, cryptominers, and credential theft tooling.
Dec 5, 2025
Post-exploitation campaigns deploy miners, RATs, and remote tools
By early December 2025, observed intrusions were leading to shell access, credential harvesting, Sliver or MeshAgent deployment, cryptomining with XMRig, and other malware activity on compromised servers and containers. Reports also described attempts to steal cloud credentials and establish persistence.
Dec 4, 2025
Threat actors linked to China begin exploiting React2Shell
Security vendors reported that exploitation activity was attributed in part to China-nexus groups including Earth Lamia and Jackpot Panda, with some reporting additional clusters such as UNC5174. These campaigns targeted exposed applications shortly after disclosure for initial access and follow-on compromise.
Dec 4, 2025
Mass scanning and in-the-wild exploitation begin
After public exploit material appeared, researchers observed widespread scanning and active exploitation of internet-facing React and Next.js applications beginning on 2025-12-04. Telemetry and honeypots recorded thousands of attempts against exposed RSC endpoints.
Dec 4, 2025
Public exploit code and detection templates appear
By 2025-12-04, public proof-of-concept material and community detection content for CVE-2025-55182 had been released, including Nuclei templates and other exploit-related resources. Multiple reports noted that public exploit availability sharply increased the risk of opportunistic attacks.
Dec 3, 2025
Hosting and security providers deploy temporary WAF mitigations
Around the public disclosure on 2025-12-03, multiple providers and security vendors rolled out temporary protections such as WAF rules and rapid security rules to help shield exposed React and Next.js deployments. Advisories emphasized these were stopgap measures and not substitutes for patching.
Dec 3, 2025
React and Next.js disclose critical RCE and release patches
On 2025-12-03, React publicly disclosed CVE-2025-55182, a CVSS 10.0 unauthenticated RCE in React Server Components, and released fixed React package versions 19.0.1, 19.1.2, and 19.2.1. Next.js simultaneously published its downstream advisory for affected App Router releases and provided patched versions and upgrade guidance.
Dec 3, 2025
Lachlan Davidson reports React Server Components flaw via Meta bug bounty
The critical deserialization flaw later assigned CVE-2025-55182 was initially reported to Meta by researcher Lachlan Davidson through Meta’s bug bounty program, starting coordinated validation and remediation work.
Related Stories

Critical React Server Components RCE Hits Next.js and Related Ecosystem
A critical remote code execution vulnerability in React Server Components-related packages is affecting widely used parts of the React ecosystem, including deployments tied to **Next.js**, **React Router**, **Expo**, **Redwood SDK**, **Waku**, and `@vitejs/plugin-rsc`. The flaw allows an unauthenticated attacker to execute arbitrary code on a vulnerable system through an HTTP request. Affected versions include `19.0`, `19.1.0`, `19.1.1`, and `19.2.0` of `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack`, while patched releases are `19.0.1`, `19.1.2`, and `19.2.1`. Authorities warned that exploitation is already active in Finland and that public exploit methods are available, increasing the likelihood of rapid opportunistic attacks against exposed applications. Officials said attackers may use the vulnerability not only for visible abuse such as cryptomining but also to establish persistent access, and urged organizations to patch immediately and assess internet-exposed systems for signs of compromise.
1 week ago
Denial-of-Service and Source Code Exposure Vulnerabilities in React Server Components
Security researchers have identified three new vulnerabilities in React Server Components (RSC) following the recent patch for the critical React2Shell exploit. These flaws include two high-severity Denial-of-Service (DoS) vulnerabilities (CVE-2025-55184 and CVE-2025-67779) and a medium-severity Source Code Exposure vulnerability (CVE-2025-55183). The DoS vulnerabilities allow attackers to send malicious HTTP requests to Server Function endpoints, triggering infinite loops that hang the server and exhaust CPU resources, effectively taking applications offline. The source code exposure flaw enables attackers to craft HTTP requests that can leak the source code of server functions, potentially exposing hardcoded secrets or sensitive logic, though runtime secrets remain protected. The affected packages are `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack`, impacting React versions 19.0.0 through 19.2.2 and frameworks such as Next.js, Waku, and React Router. Initial patches released for these vulnerabilities were incomplete, necessitating immediate upgrades to versions 19.0.3, 19.1.4, and 19.2.3 to ensure full protection. The vulnerabilities were discovered by security researchers during attempts to bypass previous mitigations, highlighting the importance of rapid patch adoption and ongoing scrutiny of critical code paths after major disclosures. Users are strongly advised to update affected packages and monitor official channels for further security updates.
1 month ago
Denial-of-Service and Source Code Exposure Vulnerabilities in React Server Components
Multiple vulnerabilities have been identified in React Server Components (RSC), specifically CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779, affecting several versions of `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack`. These vulnerabilities, discovered following the React2Shell incident, include a high-severity denial-of-service (DoS) flaw (CVE-2025-55184) caused by unsafe deserialization of structured input in the RSC Flight protocol, which can be exploited by sending specially crafted requests that trigger infinite loops or event-loop lockups on the server. The vulnerabilities also raise concerns about potential source code exposure and highlight the risk of residual flaws being discovered after major disclosures. The React Foundation has issued advisories and patches for affected versions, and the Canadian Centre for Cyber Security has urged administrators to update impacted libraries and frameworks, including popular tools such as Next.js, Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodSDK, and Waku. No public exploits are currently available, but the vulnerabilities have a higher-than-average likelihood of exploitation, emphasizing the importance of prompt remediation and ongoing vigilance for follow-on issues after initial vulnerability disclosures.
1 month ago