PT-2025-48817 · Meta · React-Server-Dom-Webpack +3

Published: 2025-12-03 · Updated: 2025-12-04 · CVE-2025-55182

CVSS v3.1: 10 (Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Name of the Vulnerable Software and Affected Versions

- React versions 19.0.0 through 19.2.0
- react-server-dom-parcel versions 19.0.0 through 19.2.0
- react-server-dom-turbopack versions 19.0.0 through 19.2.0
- react-server-dom-webpack versions 19.0.0 through 19.2.0
- Next.js versions 15 and 16
- Next.js Canary versions 14.3.0 and later
Description

A critical remote code execution vulnerability exists in React Server Components due to unsafe deserialization of payloads from HTTP requests to Server Function endpoints. It allows unauthenticated attackers to execute arbitrary code on the server. The vulnerability affects React versions 19.0.0 through 19.2.0 and frameworks built on them, including Next.js, react-router, Waku, Parcel RSC and Vite RSC. Exploitation is actively occurring, and proof-of-concept exploits are publicly available. Approximately 200,000+ React applications and 30,000+ are potentially exposed. The root cause is a missing hasOwnProperty check during module loading; attackers trigger it with crafted HTTP POST requests, and the vm#runInThisContext function is involved in the execution of the arbitrary code.
Recommendations

- Upgrade React to a patched release: 19.0.1, 19.1.2 or 19.2.1
- Upgrade Next.js to version 16.0.7 or later
- As a temporary workaround, restrict access to the vulnerable modules or functions
- Consider blocking POST requests that carry a Content-Transfer-Encoding: base64 header
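As an added example, not code from the advisory or from the React and Next.js projects, the following Node.js helpers implement two of the defensive actions above: triaging installed React versions against the fixed releases listed, and the temporary workaround of rejecting POST requests that carry Content-Transfer-Encoding: base64. The middleware signature and the sample inventory are assumptions.

```javascript
// Added example, not code from the advisory, React or Next.js.
// Two defensive helpers built from the advisory's own statements:
//  1. isVulnerableReactVersion(): triage an installed React version against
//     the fixed releases listed (19.0.1, 19.1.2, 19.2.1).
//  2. shouldBlockRequest(): the temporary workaround of rejecting POST
//     requests that carry "Content-Transfer-Encoding: base64".

// First fixed patch level of each affected 19.x minor line (from the advisory).
const FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };

function isVulnerableReactVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  const [major, minor, patch] = m.slice(1).map(Number);
  if (major !== 19) return false;
  // Own-property lookup (not a bare "in"): a minor line the advisory does
  // not list is treated as outside the stated affected range.
  if (!Object.hasOwn(FIXED_PATCH, minor)) return false;
  return patch < FIXED_PATCH[minor];
}

// HTTP header names are case-insensitive; normalise before comparing.
function headerValue(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : String(headers[key]).trim().toLowerCase();
}

function shouldBlockRequest(method, headers) {
  if (String(method).toUpperCase() !== 'POST') return false;
  return headerValue(headers, 'content-transfer-encoding') === 'base64';
}

// Framework-agnostic (req, res, next) middleware around the check (assumed
// shape). Logging the rejected request doubles as a detection signal while
// the upgrade is rolled out.
function rscWorkaroundMiddleware(req, res, next) {
  if (shouldBlockRequest(req.method, req.headers)) {
    console.warn(`blocked POST with base64 transfer encoding: ${req.url}`);
    res.statusCode = 400;
    res.end('Bad Request');
    return;
  }
  next();
}

// Constructed sample inventory, not real data.
const inventory = { 'app-a': '19.2.0', 'app-b': '19.2.1', 'app-c': '19.1.1' };
for (const [app, v] of Object.entries(inventory)) {
  console.log(app, v, isVulnerableReactVersion(v) ? 'VULNERABLE' : 'patched/out of scope');
}
```

Blocking on that header is a coarse filter that may reject legitimate clients and is no substitute for the upgrade; its value is buying time and logging attempts.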


Related Identifiers

- CVE-2025-55182

Affected Products

- React Server Components
- React-Server-Dom-Parcel
- React-Server-Dom-Turbopack
- React-Server-Dom-Webpack