A maximum-severity safety flaw has been disclosed in React Server Parts (RSC) that, if efficiently exploited, might end in distant code execution.
The vulnerability, tracked as CVE-2025-55182, carries a CVSS rating of 10.0.
It permits “unauthenticated distant code execution by exploiting a flaw in how React decodes payloads despatched to React Server Perform endpoints,” the React Workforce mentioned in an alert issued right this moment.
“Even when your app doesn’t implement any React Server Perform endpoints, it might nonetheless be weak in case your app helps React Server Parts.”
In line with cloud safety agency Wiz, the difficulty is a case of logical deserialization that stems from processing RSC payloads in an unsafe method. In consequence, an unauthenticated attacker might craft a malicious HTTP request to any Server Perform endpoint that, when deserialized by React, achieves execution of arbitrary JavaScript code on the server.
The vulnerability impacts variations 19.0, 19.1.0, 19.1.1, and 19.2.0 of the next npm packages –
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
It has been addressed in variations 19.0.1, 19.1.2, and 19.2.1. New Zealand-based safety researcher Lachlan Davidson has been credited with discovering and reporting the flaw on November 29, 2025.
It is value noting that the vulnerability additionally impacts Subsequent.js utilizing App Router. The problem has been assigned the CVE identifier CVE-2025-66478 (CVSS rating: 10.0). It impacts variations >=14.3.0-canary.77, >=15, and >=16. Patched variations are 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, and 15.0.5.
That mentioned, any library that bundles RSC is more likely to be affected by the flaw. This contains, however is just not restricted to, Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodJS, and Waku.
Wiz mentioned 39% of cloud environments have cases weak to CVE-2025-55182 and/or CVE-2025-66478. In gentle of the severity of the vulnerability, it is suggested that customers apply the fixes as quickly as potential for optimum safety.
