CWE-94

Next.js/React Server Components RCE (CVE-2025-55182 & CVE-2025-66478)

Severity: Critical

Summary

Invicti has identified an unauthenticated remote code execution vulnerability in React Server Components (CVE-2025-55182, CVSS 10.0) and Next.js (CVE-2025-66478). The vulnerability exists in how React decodes payloads sent to React Server Function endpoints. An unauthenticated attacker can craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server. Even if your app does not implement any React Server Function endpoints, it may still be vulnerable if it supports React Server Components. The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Affected frameworks and bundlers include Next.js, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.

Impact

An unauthenticated attacker can execute arbitrary code on the server by sending a crafted HTTP request to any Server Function endpoint. This can lead to complete system compromise, unauthorized data access, data theft, service disruption, and potential lateral movement within the network. The vulnerability requires no authentication and can be exploited remotely without user interaction.

Remediation

Upgrade immediately to the latest patched version. For Next.js, upgrade to the latest patched version in your release line: 15.0.5 (for 15.0.x), 15.1.9 (for 15.1.x), 15.2.6 (for 15.2.x), 15.3.6 (for 15.3.x), 15.4.8 (for 15.4.x), 15.5.7 (for 15.5.x), or 16.0.7 (for 16.0.x). If you are on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release. For React Server Components packages, upgrade to versions 19.0.1, 19.1.2, or 19.2.1 of react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack. For other frameworks (React Router, Waku, Expo, Redwood SDK), follow the specific upgrade instructions in the React security advisory.
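The release-line rules above are easy to misread when checking a fleet of apps, so the following is an added version check (example code, not Invicti's or the React/Next.js projects' own) that maps an installed version of next or react-server-dom-* to the advisory's affected/patched status. It assumes versions in plain x.y.z or x.y.z-canary.N form and reports anything the advisory does not cover as "unknown" rather than safe.

```javascript
// Added example, not Invicti's or the React/Next.js projects' own code: classify
// an installed version against the affected and patched versions in this advisory.
// Patched Next.js version for each stable release line named in the advisory.
const NEXT_FIXED = {
  "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
  "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7",
};
// Patched react-server-dom-{webpack,parcel,turbopack} version per minor line.
const RSC_FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack",
]);

// Parse "15.4.3" or "14.3.0-canary.77" into numeric parts plus a prerelease tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Compare x.y.z against the patched version of the same release line.
function lineStatus(v, fixedByLine) {
  const fixed = fixedByLine[`${v.major}.${v.minor}`];
  if (!fixed) return { status: "unknown", action: "see the React security advisory" };
  const f = parseVersion(fixed);
  const older = v.major - f.major || v.minor - f.minor || v.patch - f.patch;
  return older < 0
    ? { status: "vulnerable", action: `upgrade to ${fixed}` }
    : { status: "patched", action: "none" };
}

// Returns { status: "vulnerable" | "patched" | "not_affected" | "unknown", action }.
function assess(pkg, version) {
  const v = parseVersion(version);
  if (pkg === "next") {
    const canary = v.pre && /^canary\.(\d+)$/.exec(v.pre);
    if (canary) {
      // 14.3.0-canary.77 and later canaries carry the vulnerable RSC code; the
      // advisory's remedy is to drop back to the latest stable 14.x release.
      if (v.major === 14 && v.minor === 3 && v.patch === 0 && +canary[1] >= 77)
        return { status: "vulnerable", action: "downgrade to the latest stable 14.x release" };
      return { status: "unknown", action: "see the React security advisory" };
    }
    // Stable 14.x is the advisory's downgrade target, so it is treated as not affected.
    if (v.major === 14) return { status: "not_affected", action: "none" };
    return lineStatus(v, NEXT_FIXED);
  }
  if (RSC_PACKAGES.has(pkg)) return lineStatus(v, RSC_FIXED);
  return { status: "unknown", action: "package not covered by this advisory" };
}
```

Feed it the resolved versions from your lockfile (for example `npm ls next react-server-dom-webpack --json`) rather than the ranges in package.json, since a caret range can resolve to a patched or an affected build.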

