CVE-2025-55182 Overview
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. The vulnerability affects the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, allowing unauthenticated attackers to execute arbitrary code on the server.
Critical Impact
This vulnerability allows unauthenticated remote attackers to achieve full server compromise through insecure deserialization of HTTP request payloads. CISA has added this vulnerability to the Known Exploited Vulnerabilities catalog, and active exploitation by threat actors has been observed in the wild.
Affected Products
- Facebook React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0
- Vercel Next.js 14.3.0 canary releases 77 through 87
- Vercel Next.js 15.6.0, including canary releases 0 through 57
- Vercel Next.js version 16.0.0
Discovery Timeline
- December 3, 2025 - CVE-2025-55182 published to NVD
- December 10, 2025 - Last updated in NVD database
Technical Details for CVE-2025-55182
Vulnerability Analysis
This vulnerability is classified as Insecure Deserialization (CWE-502) and represents a severe security flaw in the React Server Components architecture. The core issue lies in how Server Function endpoints process incoming HTTP requests. When a client sends data to a Server Function, the server-side code deserializes the payload without proper validation or sanitization. This unsafe deserialization allows attackers to craft malicious payloads that, when processed by the server, result in arbitrary code execution.
The pre-authentication nature of this vulnerability is particularly concerning, as it requires no prior authentication or authorization to exploit. An attacker simply needs network access to the vulnerable endpoint to attempt exploitation. The affected packages (react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack) all share the same vulnerable deserialization logic, making any application using React Server Components with these bundlers susceptible.
Root Cause
The root cause stems from insufficient input validation during the deserialization process of Server Function payloads. The React Server Components implementation trusts incoming data from HTTP requests and passes it directly to deserialization routines without verifying the integrity or safety of the serialized objects. This allows attackers to inject malicious serialized objects that execute arbitrary code when deserialized on the server.
Attack Vector
The attack is network-based and requires no user interaction or prior authentication. An attacker can exploit this vulnerability by sending specially crafted HTTP requests to Server Function endpoints. The malicious payload is processed by the deserialization logic, leading to code execution with the privileges of the Node.js process running the application. Given the widespread adoption of React and Next.js in production environments, this vulnerability has an extremely large attack surface across internet-facing applications.
According to AWS Security Blog analysis, threat actors have been rapidly weaponizing this vulnerability for initial access operations.
The vulnerability can be triggered by sending malicious HTTP POST requests to Server Function endpoints. The serialized payload bypasses standard input validation and is processed by the vulnerable deserialization code, resulting in arbitrary command execution on the server. Proof-of-concept exploits demonstrating the exploitation methodology are publicly available on GitHub.
Detection Methods for CVE-2025-55182
Indicators of Compromise
- Unusual POST requests to Server Function endpoints containing serialized JavaScript objects with unexpected class types or prototype chains
- Server-side error logs showing deserialization failures or unexpected object instantiation attempts
- Anomalous child process spawning from the Node.js application process
- Network connections to unknown external hosts originating from the web application server
Detection Strategies
- Monitor HTTP request bodies for suspicious serialized payload patterns targeting Server Function routes
- Implement Web Application Firewall (WAF) rules to detect and block known exploitation patterns associated with CVE-2025-55182
- Enable detailed logging for Server Function invocations and analyze for anomalous deserialization activity
- Deploy runtime application self-protection (RASP) solutions capable of detecting insecure deserialization attempts
Monitoring Recommendations
- Configure alerting for unexpected process execution on servers running React/Next.js applications
- Monitor for outbound network connections from application servers that deviate from normal baselines
- Review application logs for serialization/deserialization errors that may indicate exploitation attempts
- Track changes to critical system files and configurations on affected servers
How to Mitigate CVE-2025-55182
Immediate Actions Required
- Immediately audit all applications using React Server Components to identify vulnerable versions
- Upgrade to patched versions of React and Next.js as specified in vendor security advisories
- Implement network segmentation to limit exposure of vulnerable applications
- Deploy WAF rules to block known CVE-2025-55182 exploitation patterns as a temporary measure
Patch Information
Facebook and Vercel have released security patches to address this vulnerability. Organizations should consult the React Blog Security Advisory and Facebook Security Advisory for specific patched version information and upgrade guidance. Given the active exploitation status and CISA KEV listing, patching should be treated as an emergency priority.
Additional technical discussion is available on the Openwall OSS Security mailing list.
Workarounds
- If immediate patching is not possible, consider temporarily disabling Server Functions or placing affected applications behind additional authentication layers
- Implement strict input validation at the network edge using a reverse proxy or WAF to filter potentially malicious serialized payloads
- Restrict network access to Server Function endpoints to trusted IP ranges where feasible
- Monitor the CISA KEV Catalog entry for updated remediation guidance
# Example: check installed React and react-server-dom-* versions against the affected releases (19.0.0, 19.1.0, 19.1.1, 19.2.0)
npm list react react-server-dom-parcel react-server-dom-turbopack react-server-dom-webpack | grep -E "@19\.(0\.0|1\.[01]|2\.0)( |$)"
# Example: check installed Next.js version (14.3.0 canary 77-87, 15.6.0 and its canary 0-57, 16.0.0)
npm list next | grep -E "next@(14\.3\.0-canary\.(7[7-9]|8[0-7])|15\.6\.0(-canary\.([0-9]|[1-4][0-9]|5[0-7]))?|16\.0\.0)( |$)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.