Security Update: Critical RCE in React Server Components & Next.js (CVE-2025-55182)

A Critical Remote Code Execution (RCE) vulnerability, identified as CVE-2025-55182, has been discovered in Next.js applications utilizing React Server Components (RSC) and Server Actions. This vulnerability stems from insecure deserialization within the underlying “Flight” protocol used by React. Unauthenticated remote attackers can exploit this flaw to execute arbitrary code on the server, potentially leading to a complete compromise of the application and underlying system.

Given the widespread adoption of Next.js and the critical severity of the flaw (CVSS 10.0), immediate action is required.

Affected Products

The vulnerability affects the React Server Components ecosystem, which is heavily integrated into modern frameworks like Next.js. Specifically, it impacts the react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack packages.

Affected Versions:

• React Server Components: Versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0.
• Next.js: Applications using App Router (Next.js 15.x, 16.x) or experimental Server Actions are likely affected by default.

Vulnerability Details

CVE-2025-55182 is an insecure deserialization vulnerability that occurs at “Server Function endpoints.”

The flaw exists because the server-side handler for the React “Flight” protocol unsafely deserializes payloads from HTTP requests. The server fails to properly validate serialized input before processing it. An attacker can trigger this vulnerability by sending a specially crafted POST request to the root path containing:

1. Specific Next-Action headers.
2. Malformed multipart data payloads.

When processed, this malformed payload triggers the insecure deserialization, allowing the attacker to inject and execute malicious code remotely.

Detection

Detectify customers can now test whether their applications are exposed to this RCE.

The vulnerability assessment released by Detectify checks for the presence of the insecure deserialization flaw by sending a specially crafted POST request to the root path with Next-Action headers and malformed multipart data. The test safely identifies the vulnerability by observing specific error responses from the server that confirm the deserialization failure, without executing malicious code.

Mitigation

Upgrade Immediately: The most effective mitigation is to upgrade the affected packages to their patched versions.

• React Server Components: Upgrade react-server-dom-* packages to versions 19.0.1, 19.1.2, or 19.2.1 (or later).
• Next.js: Upgrade to the latest patch release for your major version (e.g., Next.js 15.0.5+, 16.0.7+).

If immediate patching is not feasible: You may be able to mitigate the risk by applying Web Application Firewall (WAF) rules to block requests containing suspicious Next-Action headers or malformed multipart bodies, though this is not a substitute for patching.

Patch availability

The vulnerability is fixed in the following versions:

• React Server Components: 19.0.1, 19.1.2, and 19.2.1.
• Next.js: Various patch releases (check the official Next.js release log for your specific version branch).

Users are strongly advised to update to these versions.

Customers can always find updates in the “What’s New at Detectify” product log. Any questions can be directed to Customer Success representatives or Support. If you’re not already a customer, click here to sign up for a demo or a free trial and immediately start scanning. Go hack yourself!

References
Vendor Advisory