CVE-2025-55182: Critical Remote Code Execution Vulnerability in React 19 & Next.js (CVSS 10.0)

Published: Wed Dec 03 2025 | Software Mirrors

A critical remote code execution (RCE) vulnerability tracked as CVE-2025-55182 was disclosed on November 29, 2025, affecting all versions of React 19 prior to the December 2025 patches and popular frameworks that use React Server Components (RSC), most notably Next.js.

With a perfect CVSS 10.0 score, this is one of the most severe vulnerabilities ever disclosed in the React ecosystem, enabling unauthenticated attackers to execute arbitrary code on affected servers with a single HTTP request.


Who Discovered the Vulnerability?

The vulnerability was discovered and responsibly disclosed by security researcher Lachlan Davidson (lachlan2k on GitHub) on November 29, 2025.

Lachlan identified that React’s server-side RSC payload parser improperly deserialized untrusted user input, allowing injection of executable JavaScript objects, including Function constructors and dangerous prototypes.

Meta’s security team confirmed the report within hours and shipped fixes in less than 36 hours, an exceptionally fast coordinated response praised widely by the community.

Technical Root Cause

React Server Components use a custom binary-like streaming format to send data between client and server. During parsing of this RSC payload on the server, React 19 (up to 19.2.0) blindly trusted and evaluated user-controlled chunks.

An attacker could craft a malicious POST request containing serialized function objects such as:

{"type":"function","value":"function malicious() { require('child_process').execSync('rm -rf /') }"}

When deserialized on the server, this resulted in immediate arbitrary code execution with the privileges of the Node.js process.

Affected Versions

  • react-server-dom-parcel (19.0.0, 19.1.0, 19.1.1, and 19.2.0)

  • react-server-dom-webpack (19.0.0, 19.1.0, 19.1.1, and 19.2.0)

  • react-server-dom-turbopack (19.0.0, 19.1.0, 19.1.1, and 19.2.0)

  • Next.js using the App Router, versions ≥14.3.0-canary.77 and all 15.x and 16.x releases before the patches

  • Other frameworks and plugins that embed or depend on the React Server Components implementation (e.g., Vite, Parcel, React Router, RedwoodSDK, Waku)

Patched Versions (Released December 3, 2025)

  • React: 19.0.1, 19.1.2, 19.2.1

  • Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7

Real-World Impact

  • Unauthenticated RCE – No login or user interaction required

  • Full server compromise: read/write files, steal environment variables, database credentials, API keys

  • Potential for ransomware, crypto mining, data exfiltration, lateral movement

  • Public proof-of-concept exploits released within hours of disclosure

  • Active scanning and confirmed in-the-wild exploitation reported within 24–48 hours

Emergency Mitigations by Hosting Providers

Even before users could upgrade, major platforms deployed runtime protections:

  • Vercel – Emergency block deployed December 1, 2025

  • Cloudflare – Automatic exploit payload blocking for Workers and Pages

  • Netlify – Runtime mitigation rolled out globally

  • Deno Deploy & Fly.io – Similar payload filters activated

Manual WAF rules blocking POST bodies containing "function(" or RSC hints followed by $@ were also widely shared.

Recommendations for Developers & Companies

  1. Upgrade immediately to a patched React release (19.0.1, 19.1.2 or 19.2.1) and a patched Next.js release (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 or 16.0.7)

  2. If running in production, verify your deployment platform has applied runtime mitigations

  3. Rotate all secrets and credentials exposed on potentially compromised instances

  4. Monitor logs for suspicious POST requests to server actions or route handlers
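The WAF indicators mentioned above ("function(" in a POST body and the "$@" RSC reference marker) and recommendation 4 can be turned into a simple log-review rule. The Node.js snippet below is an added example, not code from the advisory, React or Next.js; the request-record shape and the sample entries are constructed for illustration.

```javascript
// Added example (not code from the advisory, React or Next.js): a log-review
// helper that applies the two indicators named above to POST request records.
// The record shape and all sample entries are constructed for illustration.
const INDICATORS = [
  // Serialized function source smuggled into a payload chunk.
  { name: "function-source", re: /function\s*\(/ },
  // The "$@" reference prefix the write-up mentions; plain JSON never needs it.
  { name: "rsc-reference", re: /\$@/ },
];

// Classify one request: which indicators hit and how worried to be.
// Both together is a strong signal; "function(" alone also appears in benign
// user text (comments, code snippets), so on its own it is only a low hint.
function classifyRequest(record) {
  if (record.method !== "POST") return { hits: [], severity: "none" };
  const body = String(record.body ?? "");
  const hits = INDICATORS.filter((i) => i.re.test(body)).map((i) => i.name);
  const severity = hits.length === INDICATORS.length ? "high"
    : hits.length > 0 ? "low" : "none";
  return { hits, severity };
}

// Triage a batch: keep only records with at least one hit, high severity first.
function triage(records) {
  const rank = { high: 0, low: 1 };
  return records
    .map((r) => ({ id: r.id, path: r.path, ...classifyRequest(r) }))
    .filter((r) => r.hits.length > 0)
    .sort((a, b) => rank[a.severity] - rank[b.severity]);
}

// Constructed sample records; "$@1" and the empty function text stand in for
// the shapes described in the write-up, not for a working payload.
const SAMPLE_RECORDS = [
  { id: 1, method: "GET", path: "/", body: "" },
  { id: 2, method: "POST", path: "/", body: '["hello"]' },
  { id: 3, method: "POST", path: "/",
    body: '0:["$@1"]\n1:{"type":"function","value":"function() {}"}' },
  { id: 4, method: "POST", path: "/api/comments",
    body: '{"text":"try function(x) { return x; }"}' },
];

console.log(JSON.stringify(triage(SAMPLE_RECORDS), null, 2));
```

Record 4 shows why a bare "function(" match is only a low-severity hint: ordinary user content trips it, so alerting should weight the combined signal or be scoped to server-action and route-handler paths.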

Timeline Summary

  • Nov 29, 2025 – Lachlan Davidson privately reports to Meta

  • Dec 1–2, 2025 – Patches released for React & Next.js

  • Dec 2, 2025 – CVE-2025-55182 officially published

  • Dec 2–3, 2025 – Mass scanning and active exploitation observed

  • Dec 3, 2025 – The fix was published to npm and the issue publicly disclosed as CVE-2025-55182

Conclusion

CVE-2025-55182 serves as a stark reminder of the risks introduced by powerful new primitives like React Server Components when deserialization trust boundaries are not strictly enforced. Thanks to responsible disclosure and an extraordinarily rapid fix from Meta and the Next.js team, the window of maximum danger was kept remarkably short.

Upgrade now. There is no safe way to run an unpatched React 19 or Next.js application exposed to the internet.
