PT-2025-48817 · Meta · React-Server-Dom-Parcel +3

Published: 2025-12-03 · Updated: 2026-01-20 · CVE-2025-55182

CVSS v3.1: 10.0
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: React versions 19.0.0 through 19.2.1; Next.js versions 15.x and 16.x
Description: React Server Components (RSC) is affected by a critical remote code execution (RCE) vulnerability (CVE-2025-55182) with a CVSS score of 10.0. The flaw stems from unsafe deserialization of HTTP request payloads within Server Function endpoints. Exploitation allows unauthenticated attackers to execute arbitrary code on the server. Multiple threat actors, including China-linked groups (Earth Lamia and Jackpot Panda), have been observed actively exploiting this vulnerability shortly after its public disclosure. Proof-of-concept (PoC) exploits are publicly available, which increases the risk of widespread exploitation. The vulnerability affects applications using React 19 and Next.js, and potentially other frameworks that use RSC. Cloudflare and other vendors have implemented WAF rules to reduce the risk, but patching remains the most effective solution.
Recommendations:
React versions 19.0.0 through 19.2.0 are vulnerable. Upgrade to React version 19.0.1, 19.1.2, or 19.2.1 immediately.
Next.js versions 15.x and 16.x are vulnerable. Update to the latest patched version.
Apply any available WAF rules from your security vendor.
Monitor systems for suspicious activity and review logs for potential exploitation attempts.
Disable React Server Functions if possible until a patch can be applied.

Exploit · Fix · RCE · DoS

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BDU:2025-15156
CVE-2025-55182
GHSA-FV66-9V8Q-G76R

Affected Products

React Server Components
React-Server-Dom-Parcel
React-Server-Dom-Turbopack
React-Server-Dom-Webpack