Millions of web applications face immediate risk following the disclosure of a catastrophic flaw in the React Server Components (RSC) architecture. Identified as CVE-2025-55182, the vulnerability allows unauthenticated attackers to achieve remote code execution (RCE) with near-perfect reliability.
React is the world’s most widely used library for building web interfaces, powering the front ends of industry giants like Facebook, Netflix, and Airbnb. Next.js serves as the infrastructure layer for React, handling how these applications run on servers and delivering content to users. Together, they form the backbone of a significant portion of the modern internet.
The vulnerability targets a specific architecture called React Server Components (RSC). RSC allows parts of a webpage to be rendered on the server rather than the user’s device to improve performance. The flaw lies in the communication line—specifically the “Flight” protocol—between the server and the user.
In plain terms, this vulnerability acts as a digital master key. Because the system fails to properly check incoming data, an attacker can send a malicious command that the server blindly accepts and executes. This grants them full control over the backend infrastructure without needing a password or special access, allowing them to steal data, install ransomware, or hijack the server for botnet attacks.
Buried within the “Flight” data transport protocol, the bug stems from unsafe deserialization of HTTP requests. Default configurations of Next.js, the ecosystem’s dominant framework, are exploitable out of the box, requiring no specific coding errors by developers to trigger.
Meta and Vercel have released emergency patches for React 19 and Next.js versions 14 through 16. With 39% of cloud environments estimated to be vulnerable, security teams are urged to upgrade immediately.
The Mechanics of a CVSS 10.0 Flaw
Security professionals rarely encounter a vulnerability with a perfect severity score. The official advisory assigns this flaw a CVSS rating of 10.0, indicating maximum impact and trivial exploitability.
At the heart of this crisis lies the “Flight” protocol, a specialized data transport mechanism designed to facilitate communication between React Server Components and the client.
Unlike typical remote code execution bugs that demand complex exploit chains or prior authentication, this flaw requires only a single, specifically crafted HTTP request.
The Wiz Research Team, who analyzed the flaw, explain the root cause:
“The vulnerability fundamentally resides in the react-server package and its handling of the RSC ‘Flight’ protocol.”
“It is characterized as a logical deserialization vulnerability where the server processes RSC payloads in an unsafe manner.”
“When a server receives a specially crafted, malformed payload, it fails to validate the structure correctly.”
Deserialization vulnerabilities occur when an application trusts incoming data structures without sufficient validation. In this instance, the server blindly processes the malicious payload, converting it into executable logic.
Wiz confirmed that the exploit is remarkably stable. It does not depend on race conditions, specific memory states, or complex timing windows often associated with memory corruption bugs.
Highlighting the danger for automated attacks, the Wiz Research Team noted, “Exploitation requires only a crafted HTTP request and has shown near-100% reliability in testing.”
This stability suggests that once payload details become public, automated botnets could scan for and compromise servers at scale within hours.
The attack surface is particularly dangerous because it bypasses standard authentication layers. Any endpoint configured to handle RSC requests acts as an open door.
The React Team warns, “An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server.”
Ecosystem Blast Radius: Next.js and Beyond
While the vulnerability exists in the core `react-server` package, its impact is magnified by its presence in the default configurations of major meta-frameworks.
Next.js, widely regarded as the standard for modern React development, is vulnerable in all versions using the App Router. This includes versions 14.x, 15.x, and 16.x, which rely heavily on RSC for data fetching and rendering.
Wiz’s technical analysis emphasizes that this is not a result of developer negligence or misconfiguration.
The Wiz Research Team stated, “Default configurations are vulnerable – a standard Next.js app created with create-next-app and built for production can be exploited with no code changes by the developer.”
The vulnerability extends beyond Next.js to include other modern frameworks adopting the RSC architecture. The Next.js security update confirms that Waku, RedwoodJS, and React Router are also affected if they utilize the vulnerable React packages.
According to the official CVE-2025-55182 advisory:
“A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack.”
“The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.”
Data from Wiz indicates that the exposure is systemic, estimating that 39% of cloud environments currently host vulnerable instances.
This wide footprint is due to the transitive nature of the dependency. Developers might not realize they are using `react-server-dom-webpack` or `react-server-dom-turbopack` directly, as these are often bundled deep within framework internals.
The distinction between “using” Server Functions and merely “supporting” them is critical here. The infrastructure itself is the target, not necessarily the developer’s custom endpoints.
Remediation and Defense
Meta and Vercel have coordinated a simultaneous release of patches. React versions 19.0.1, 19.1.2, and 19.2.1 address the core flaw by hardening the deserialization logic.
For Next.js users, upgrading to the latest patch releases is the only definitive fix. Vercel has released versions 14.3.0-canary.88, 15.0.5, 15.1.9, and 16.0.7 to mitigate the issue.
There are no configuration workarounds. Disabling Server Actions or specific routes is insufficient if the underlying RSC infrastructure remains active.
Cloudflare’s WAF protections offer a proactive shield for customers behind their proxy. The company has deployed rules to filter malicious Flight payloads before they reach the origin server.
However, relying solely on WAF protections is insufficient. Internal traffic, direct-to-origin requests, or non-proxied endpoints could still bypass edge defenses.
Emphasizing the need to patch internal tools and non-public apps, the React Team cautioned, “Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.”
Security teams should prioritize identifying all applications with `react-server` dependencies, regardless of whether they actively use Server Actions.
With the vulnerability details now public, the window for patching before automated exploitation begins is rapidly closing.