PT-2025-48817 · Meta · React-Server-Dom-Turbopack+3

Published: 2025-12-03 · Updated: 2026-05-10 · CVE-2025-55182

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: React Server Components versions 19.0.0 through 19.2.0

Description: A pre-authentication remote code execution vulnerability exists in React Server Components, affecting the react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack packages. The flaw stems from unsafe deserialization of payloads in HTTP requests sent to Server Function endpoints, specifically involving the hasOwnProperty parameter within the requireModule() function. It allows an unauthenticated remote attacker to execute arbitrary JavaScript code on the server.
Real-world exploitation has been extensive, including:
  • A large-scale automated campaign by threat cluster UAT-10608 using the NEXUS Listener framework, which compromised at least 766 hosts and exfiltrated over 10,120 files, including database credentials, SSH keys, and cloud API tokens.
  • Deployment of the EtherRAT Node.js backdoor, which utilizes "EtherHiding" (a technique using Ethereum smart contracts to rotate command-and-control endpoints) for persistent access.
  • Attacks by ransomware groups deploying the Weaxor strain, which involves disabling Windows Defender and deploying Cobalt Strike beacons.
  • Widespread use by botnets like Mirai and various cryptocurrency miners.
Recommendations:
  • Update React Server Components and the affected packages to versions that fix this issue.
  • Rotate and revoke all potentially exposed secrets, including API keys, database passwords, SSH keys, and cloud credentials.
  • Enforce the use of IMDSv2 on AWS instances and apply least-privilege IAM roles.
  • Deploy WAF or RASP rules specifically tuned to detect and block Next.js SSR deserialization attack patterns.
  • Implement egress filtering to monitor and block unusual outbound HTTP traffic, particularly to port 8080.
  • As a temporary mitigation, restrict access to Server Function endpoints to minimize the risk of exploitation.
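To support the first recommendation, the following added example (not part of the advisory or the React project) scans the packages map of a package-lock.json for the three packages named above and reports any version inside the advisory's 19.0.0 through 19.2.0 range; the sample lockfile is constructed, and treating pre-release builds of an in-range version as affected is an assumption made to stay conservative.

```javascript
// Added example (not from the advisory): flag package-lock.json entries for the
// three packages this advisory names whose version is in 19.0.0 through 19.2.0.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-parcel", "react-server-dom-turbopack", "react-server-dom-webpack",
]);
const RANGE_LOW = [19, 0, 0]; // inclusive bounds taken from the advisory
const RANGE_HIGH = [19, 2, 0];

// "19.1.3" or "19.2.0-canary-abc" -> { nums: [19, 1, 3], pre: "canary-abc" | null }
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: m[4] || null } : null;
}

function compareNums(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when the version is inside the affected range. Pre-release builds of an
// in-range version (e.g. 19.2.0-canary-*) are reported too (assumption, conservative).
function isAffectedVersion(v) {
  const p = parseVersion(v);
  return p !== null && compareNums(p.nums, RANGE_LOW) >= 0 &&
    compareNums(p.nums, RANGE_HIGH) <= 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json: keys are
// "node_modules/<name>" (possibly nested under another package); "" is the root.
function findAffected(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const name = entry.name || path.split("node_modules/").pop();
    if (AFFECTED_PACKAGES.has(name) && isAffectedVersion(entry.version)) {
      hits.push({ path, name, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile; for a real one pass JSON.parse(fs.readFileSync(file, "utf8")).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.0" },
    "node_modules/react-server-dom-parcel": { version: "18.3.1" },
  },
};
for (const h of findAffected(SAMPLE_LOCK)) console.log(`AFFECTED ${h.name}@${h.version} at ${h.path}`);
```

A hit only means the installed version is in the advisory's range; whether a given build carries the fix must be confirmed against the vendor's release notes.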

Exploit · Fix · DoS · RCE · LPE

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: BDU:2025-15156 · CVE-2025-55182 · GHSA-FV66-9V8Q-G76R

Affected Products: React Server Components · React-Server-Dom-Parcel · React-Server-Dom-Turbopack · React-Server-Dom-Webpack