On December 3, 2025, the React team disclosed CVE-2025-55182, an unauthenticated remote code execution vulnerability with a CVSS score of 10 that had been reported to the open-source project only four days earlier, on November 29. CVE-2025-55182 arises from an unsafe deserialization issue in React Server Components (specifically React Flight, the wire protocol used to serialize RSC payloads). Successful exploitation allows remote code execution by “exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.”
When a server receives a specially crafted React Flight payload, the internal deserialization logic performs insufficient validation of its structure. By exploiting this weakness, an attacker can cause React to misinterpret attacker-controlled values as internal references or objects. This permits unintended server-side behaviors and can lead to the execution of server-privileged code paths within the React Server Components runtime.
Next.js includes a general mechanism for handling React Server Actions, which relies on React’s server-side Flight deserializer. Preliminary code analysis suggests that this deserialization logic may be reachable by default, without requiring the presence of user-defined Server Actions or any route-specific discovery.
What’s affected?
Per the React team’s advisory, the vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:
react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack
The issue is fixed in versions 19.0.1, 19.1.2, and 19.2.1 of those packages (one fixed release per affected minor line). Fixes should be applied immediately.
Known affected React frameworks and bundlers are as follows, but note that this list is likely to grow: next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk. See the React blog for the latest information on affected frameworks and components.
The React blog explicitly notes that (emphasis ours):
If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.
The Next.js team has similarly published a security bulletin advising users of the stable 15.x and 16.x version streams to update to a fixed version immediately. Fixed versions of Next.js are 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7. Note: The vulnerability was initially tracked in Next.js as CVE-2025-66478, but at time of writing, that CVE identifier had been rejected as a duplicate of CVE-2025-55182.
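The affected and fixed versions listed above (for the three react-server-dom-* packages and for Next.js) are easiest to check mechanically against a lockfile rather than by eye, since a transitive copy of react-server-dom-webpack can sit several node_modules levels deep. The following script is an added example written for this page; it is not VulnCheck's tooling and not code from the React or Next.js projects. It walks the "packages" map of a lockfileVersion 2/3 package-lock.json and classifies each matching package by the fixed-version table quoted from the two advisories. The FIXED table, the "prerelease"/"unlisted" statuses, and the sample lockfile fragment are assumptions and constructed data for illustration; canary or rc builds and minor lines the advisories do not mention are flagged for manual review rather than judged.

```javascript
// Added example (not from the advisory, React or Next.js): report whether the
// react-server-dom-* packages and next in a package-lock.json are at or above
// the fixed release for their minor line. SAMPLE_LOCK is constructed data.

// Lowest fixed patch release per affected minor line, taken from the React
// advisory (react-server-dom-*) and the Next.js bulletin (next).
const FIXED = {
  "react-server-dom-webpack":   { "19.0": 1, "19.1": 2, "19.2": 1 },
  "react-server-dom-parcel":    { "19.0": 1, "19.1": 2, "19.2": 1 },
  "react-server-dom-turbopack": { "19.0": 1, "19.1": 2, "19.2": 1 },
  next: { "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6, "15.4": 8, "15.5": 7, "16.0": 7 },
};

// Minimal semver parse: major.minor.patch with an optional prerelease tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns "vulnerable", "fixed", "prerelease" (canary/rc: check by hand) or
// "unlisted" (package or minor line not covered by the advisories above).
function classify(name, version) {
  const lines = FIXED[name];
  if (!lines) return "unlisted";
  const v = parseVersion(version);
  if (!v) return "unlisted";
  if (v.pre) return "prerelease";
  const line = `${v.major}.${v.minor}`;
  if (!(line in lines)) return "unlisted";
  return v.patch >= lines[line] ? "fixed" : "vulnerable";
}

// Lockfile "packages" keys look like "node_modules/next" or
// "node_modules/some-lib/node_modules/react-server-dom-webpack"; the package
// name is whatever follows the last "node_modules/".
function scanLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!(name in FIXED) || !entry.version) continue;
    findings.push({ path, name, version: entry.version, status: classify(name, entry.version) });
  }
  return findings;
}

// Reads and scans a real package-lock.json from disk.
function scanLockFile(file) {
  const fs = require("node:fs");
  return scanLock(JSON.parse(fs.readFileSync(file, "utf8")));
}

// Constructed sample lockfile fragment so the script runs stand-alone.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/next": { version: "15.5.6" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/some-lib/node_modules/react-server-dom-parcel": { version: "19.1.1" },
    "node_modules/react": { version: "19.2.0" },
  },
};

// Usage: node check-rsc.js [path/to/package-lock.json]; exits 1 if any
// vulnerable version is found, so it can gate a CI job.
if (typeof require !== "undefined" && require.main === module) {
  const findings = process.argv[2] ? scanLockFile(process.argv[2]) : scanLock(SAMPLE_LOCK);
  for (const f of findings) {
    console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
  }
  process.exitCode = findings.some((f) => f.status === "vulnerable") ? 1 : 0;
}

if (typeof module !== "undefined") {
  module.exports = { parseVersion, classify, scanLock, scanLockFile, SAMPLE_LOCK };
}
```

Run against the sample data, the script reports next@15.5.6, react-server-dom-webpack@19.2.0 and the nested react-server-dom-parcel@19.1.1 as vulnerable and react-server-dom-turbopack@19.2.1 as fixed; plain react is skipped because the advisory scopes the bug to the react-server-dom-* packages. A clean lockfile does not prove a clean deployment, so pair this with a check of what is actually running (for example, the version string reported by the build or container image), and treat any "prerelease" hit as unresolved until confirmed against the React blog.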
Library and framework vulnerabilities like these are often difficult to evaluate from an exploitability perspective, as vulnerable components or functions can be implemented in different places and ways across tech stacks. The key question for vulnerabilities in frameworks like React and Next.js is whether there are one or more remotely exploitable attack vectors that are both widely deployed and vulnerable in production configurations. Community reaction to these vulnerabilities has emphasized that exploitation is possible remotely and without authentication, and that default configurations of Next.js applications are vulnerable out of the box. VulnCheck’s research team will continue to assess the vulnerability and its exploitability.
About VulnCheck
The VulnCheck research team is always on the lookout for new vulnerabilities to analyze and curate. For more research like this, see XWiki Under Increased Attack, VulnCheck Research Highlights: November 2025, and ICTBroadcast Command Injection Actively Exploited.
Sign up for the VulnCheck community today to get free access to our VulnCheck KEV, enjoy our comprehensive vulnerability data, and request a trial of our Initial Access Intelligence, IP Intelligence, and Exploit & Vulnerability Intelligence.
