CVE-2025-55182 – React Server Components Flight Protocol Deserialization RCE

Vulnerable Version

react-server-dom-webpack: 19.0.0, 19.1.0, 19.1.1, 19.2.0

react-server-dom-parcel: 19.0.0, 19.1.0, 19.1.1, 19.2.0

react-server-dom-turbopack: 19.0.0, 19.1.0, 19.1.1, 19.2.0

Fixed Version

React: 19.0.1, 19.1.2, or 19.2.1

react-server-dom-webpack: 19.0.1, 19.1.2, or 19.2.1

react-server-dom-parcel: 19.0.1, 19.1.2, or 19.2.1

react-server-dom-turbopack: 19.0.1, 19.1.2, or 19.2.1

Base Score

10.0 Critical

Vendor Description

React Server Components (RSCs) are a React feature that lets components render only on the server while remaining fully integrated with the existing React component model. Developers can use server-side resources directly and ship less client-side JavaScript, which improves load time and application speed. RSCs use the Flight protocol to serialize and stream component data, including the arguments passed to Server Functions, between the server and the client. React and its server-side features are widely deployed in production, most often through frameworks such as Next.js that bundle the react-server-dom-* packages.

CVE-2025-55182 Description

CVE-2025-55182 arises from insecure deserialization in the server-side decoder of the RSC Flight protocol. Incoming serialized data is decoded and mapped into the runtime's internal "Chunk" objects without robust validation of its structure, type, or origin. The server runtime assumes that only trusted React clients send well-formed Flight payloads, so it treats the request body as a trusted stream of chunks representing components, props, closures, and Server Function arguments, which means untrusted user input is parsed directly into sensitive internal objects. An attacker who crosses that trust boundary can supply an object that the runtime mistakes for one of its own Chunks and steer internal references and prototype chains toward powerful server-side JavaScript primitives.

Public analyses describe a multi-stage exploit chain. The attacker crafts a malicious Flight payload that abuses the way the decoder resolves chunk references: reference strings name a chunk and a property path, and the path is walked without restricting it to ordinary own properties, so it can step onto prototype-chain properties such as then and constructor and reach the Function constructor. By setting the fields the runtime consults for form-data lookup and prefix handling, the payload coerces the RSC runtime into calling Function(attacker_controlled_code), which executes arbitrary JavaScript in the Node.js (or equivalent) server process. Because the flaw sits in the core Flight decoding path, an application that has RSC enabled can be exploitable even if it defines no Server Functions of its own, provided a vulnerable react-server-dom-* package is present and the endpoint that decodes Flight payloads is reachable over HTTP.
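The reference-resolution failure described above, shown as an added illustrative example that is not React's Flight implementation: a deliberately simplified deserializer that turns "$<id>:<prop>:<prop>..." reference strings into values from a chunk table, first as written naively, then with the checks this class of bug calls for. The chunk table, the hostile model, and all function names are constructed for this example.

```javascript
// Added, simplified model (not React's Flight code): resolve "$<id>:<prop>..."
// reference strings against a table of already-deserialized chunks.
// Everything below (chunk table, hostile model, names) is constructed.

// Naive resolver: walks whatever property path the payload names, so the
// path can step onto prototype objects and reach the Function constructor.
function resolveReferenceUnsafe(chunks, ref) {
  const [id, ...path] = ref.slice(1).split(':');
  let value = chunks.get(id);
  for (const key of path) {
    value = value[key]; // "__proto__" and "constructor" are just keys here
  }
  return value;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened resolver: only own properties of plain objects/arrays, never a
// prototype hop, never a function result, and an unknown chunk id is an error.
function resolveReferenceSafe(chunks, ref) {
  if (typeof ref !== 'string' || ref[0] !== '$') throw new TypeError('not a reference');
  const [id, ...path] = ref.slice(1).split(':');
  if (!chunks.has(id)) throw new RangeError(`unknown chunk id ${id}`);
  let value = chunks.get(id);
  for (const key of path) {
    if (FORBIDDEN_KEYS.has(key)) throw new RangeError(`forbidden key ${key}`);
    if (value === null || typeof value !== 'object' ||
        !Object.prototype.hasOwnProperty.call(value, key)) {
      throw new RangeError(`no own property ${key}`);
    }
    value = value[key];
  }
  if (typeof value === 'function') throw new TypeError('reference resolved to a function');
  return value;
}

// Replace every "$..." string in a decoded JSON model with its resolved value.
// defineProperty is used so a "__proto__" key from JSON.parse cannot become
// a prototype assignment on the output object.
function reviveModel(chunks, model, resolve) {
  if (typeof model === 'string') return model[0] === '$' ? resolve(chunks, model) : model;
  if (Array.isArray(model)) return model.map((m) => reviveModel(chunks, m, resolve));
  if (model && typeof model === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(model)) {
      Object.defineProperty(out, k, {
        value: reviveModel(chunks, v, resolve), enumerable: true, writable: true, configurable: true,
      });
    }
    return out;
  }
  return model;
}

// Constructed sample: chunk "1" is an ordinary, already-deserialized object.
function sampleChunks() {
  return new Map([['1', { user: { name: 'alice' } }]]);
}

// Constructed attacker model: "get" asks for chunk 1's constructor's
// constructor, i.e. Object -> Function, the code-execution primitive.
const HOSTILE_MODEL = JSON.parse('{"get":"$1:constructor:constructor","name":"$1:user:name"}');

function naiveRevive() {
  return reviveModel(sampleChunks(), HOSTILE_MODEL, resolveReferenceUnsafe);
}

// The hardened resolver rejects the same model with a RangeError.
function safeReviveThrows() {
  try {
    reviveModel(sampleChunks(), HOSTILE_MODEL, resolveReferenceSafe);
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}

console.log(naiveRevive().get === Function);        // true
console.log(naiveRevive().get('return 6 * 7')());   // 42
console.log(safeReviveThrows());                    // true
```

The hardened version refuses three things the naive one allows: property names that hop onto the prototype chain, properties the referenced object does not own, and a resolved value that is a function. Any one of those checks breaks the Object -> Function step shown here; a real decoder should also restrict which chunk kinds a reference may point at.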

Impact

  • Unauthenticated remote code execution (RCE): An attacker can send a single crafted HTTP request to an RSC/Server Function endpoint and execute arbitrary JavaScript on the server, usually with the same privileges as the Node.js or application process.
  • Full application and data compromise: Once code execution is obtained, attackers can read and modify application data, exfiltrate environment variables and secrets (API keys, DB credentials, cloud tokens), and pivot to internal services reachable from that host.
  • Cloud and lateral movement risk: In cloud‑native deployments (Kubernetes, serverless, containers), RCE can be used to access metadata services, assume IAM roles, deploy additional payloads, and move laterally across workloads.
  • Widespread mass exploitation: Threat‑intel reports show multiple crimeware and state‑linked groups scanning for and exploiting this bug at scale, with PoCs and automated tools already public.
  • Business impact: Successful exploitation can lead to data breaches, service outages, regulatory exposure, and potential supply‑chain impact if compromised servers serve malicious content to downstream users.

Mitigations

  • Upgrade React RSC packages: Move react-server-dom-* packages (webpack/parcel/turbopack) to the patched versions (19.0.1, 19.1.2, or 19.2.1, or later) as recommended by the React team. This is the only definitive fix; vulnerable versions remain exploitable regardless of network controls.
  • Upgrade frameworks (Next.js, etc.): For Next.js, upgrade to one of the patched releases (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7, or the vendor-recommended equivalent for your release line) and confirm that your lockfile actually resolves to the fixed React/RSC versions rather than only bumping the framework entry. Other RSC frameworks (React Router RSC, Waku, Redwood, Vite/Parcel plugins) should be updated per their own advisories to releases that pull in the patched react-server-dom-* package.
  • Audit for vulnerable components: Use SCA/SBOM tools or npm/yarn/pnpm audits to find every place a vulnerable react-server-dom-* or affected framework version is present across all services, including internal and staging systems. Check the resolved lockfile versions rather than package.json ranges, and include copies nested under other packages' node_modules, since a project can carry more than one copy.
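One way to run the lockfile check described in the mitigations above, as an added example (not part of the original post, and not tooling from the React or Next.js projects): walk a parsed package-lock.json (lockfileVersion 2 or 3, "packages" map) and classify every react-server-dom-* and next entry against the fixed versions listed in this advisory. The lockfile object at the bottom is constructed sample data, and the assumption that releases below the listed patch within the same minor line are affected is stated in the code.

```javascript
// Added example, not React's or Next.js's tooling. Audits a parsed
// package-lock.json for the packages this advisory lists. The lockfile
// at the bottom is constructed sample data.

// First patched release in each minor line named in the advisory.
// Assumption: releases below the listed patch within the same minor line
// are affected; minor lines not listed here are reported as "unknown".
// A Map (not a plain object) so a package named "constructor" cannot
// match a prototype property.
const PATCHED = new Map([
  ['react-server-dom-webpack',   ['19.0.1', '19.1.2', '19.2.1']],
  ['react-server-dom-parcel',    ['19.0.1', '19.1.2', '19.2.1']],
  ['react-server-dom-turbopack', ['19.0.1', '19.1.2', '19.2.1']],
  ['next', ['15.0.5', '15.1.9', '15.2.6', '15.3.6', '15.4.8', '15.5.7', '16.0.7']],
]);

// Numeric compare of "a.b.c" strings. A prerelease suffix ("-canary.3") is
// dropped, so a canary compares as its base version; treat such hits as
// needing a manual check against the vendor advisory.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function minorLine(version) {
  const [major, minor] = version.split('-')[0].split('.');
  return `${major}.${minor}`;
}

// "vulnerable" | "fixed" | "unknown" (minor line not in the advisory) |
// "not-tracked" (package not covered by this advisory)
function classify(name, version) {
  const patched = PATCHED.get(name);
  if (!patched) return 'not-tracked';
  const fix = patched.find((p) => minorLine(p) === minorLine(version));
  if (!fix) return 'unknown';
  return compareVersions(version, fix) < 0 ? 'vulnerable' : 'fixed';
}

// Package name from a lockfile path such as
// "node_modules/some-tool/node_modules/next" (nested copies count too).
function packageName(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Returns one finding per tracked package copy in the lockfile.
function auditLockfile(lockfile) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages || {})) {
    if (lockPath === '' || !entry || typeof entry.version !== 'string') continue;
    const name = packageName(lockPath);
    if (!PATCHED.has(name)) continue;
    findings.push({ path: lockPath, name, version: entry.version, status: classify(name, entry.version) });
  }
  return findings;
}

// Constructed sample lockfile: one vulnerable next, one vulnerable
// react-server-dom-webpack, one fixed turbopack package, one nested fixed next.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { next: '15.5.6', react: '19.2.0' } },
    'node_modules/next': { version: '15.5.6' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/react-server-dom-turbopack': { version: '19.2.1' },
    'node_modules/some-tool/node_modules/next': { version: '16.0.7' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCKFILE)) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
}
```

To run it against a real project, replace SAMPLE_LOCKFILE with JSON.parse of the project's package-lock.json; yarn and pnpm lockfiles have a different shape and need their own reader. Any "vulnerable" or "unknown" line is a copy to upgrade or check by hand, and a nested path means a dependency is pinning its own copy that a top-level upgrade will not touch.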
