
URGENT: Critical RCE Vulnerability in React Server Components (CVE-2025-55182)
Your Next.js app may be compromised right now. Here's exactly what to do.
If you're running a Next.js 15+ or 16+ application with React Server Components, stop reading and run:
```bash
npm install next@latest
```
Then come back and read why.
What Happened
On December 3rd, 2025, the React team disclosed CVE-2025-55182 — a critical Remote Code Execution (RCE) vulnerability with a CVSS score of 10.0 (the maximum possible severity).
An attacker can craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on your server. No authentication required.
The terrifying part: your app is vulnerable even if you don't explicitly use Server Functions, as long as you're using React Server Components.
Am I Affected?
YES, if you're using:
- Next.js 15.x (any version before the patch)
- Next.js 16.x (any version before the patch)
- Next.js 14.3.0-canary.77 or later canary releases
- Any framework using react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack at versions 19.0, 19.1.0, 19.1.1, or 19.2.0
NOT affected:
- Next.js 13.x
- Next.js 14.x stable (non-canary)
- Pages Router applications (only App Router is affected)
- Edge Runtime
Fix It NOW: Step-by-Step
Step 1: Check Your Next.js Version
```bash
npm list next
```
Step 2: Upgrade to Patched Version
Choose your release line:
```bash
# For Next.js 15.0.x
npm install next@15.0.5
# For Next.js 15.1.x
npm install next@15.1.9
# For Next.js 15.2.x
npm install next@15.2.6
```
Step 3: If You're on Canary
```bash
# For 15.x canary
npm install next@15.6.0-canary.58
# For 16.x canary
npm install next@16.1.0-canary.12
# For 14.3.0-canary.77+, downgrade to stable:
npm install next@14
```
Step 4: Verify the Fix
```bash
npm list next react react-dom
```
Make sure:
- next is at a patched version (see the Quick Reference table below)
- react is at 19.0.1, 19.1.2, or 19.2.1+
Step 5: Rebuild and Redeploy
```bash
npm run build
# Deploy to your hosting provider
```
Step 6: ROTATE YOUR SECRETS
This is critical. If your application was exposed before patching, attackers may have already extracted your environment variables. After deploying the patch:
1. Rotate all API keys
2. Rotate database credentials
3. Rotate JWT secrets
4. Rotate any third-party service tokens
5. Invalidate all active sessions
If your app was online and unpatched on December 4th, 2025 at 1:00 PM PT, secret rotation is strongly recommended.
Automated Fix Tool
Next.js provides an automated migration tool:
```bash
npx fix-react2shell-next
```
Using Other Frameworks?
React Router (unstable RSC APIs)
```bash
npm install react@latest react-dom@latest react-server-dom-parcel@latest react-server-dom-webpack@latest @vitejs/plugin-rsc@latest
```
Waku
```bash
npm install react@latest react-dom@latest react-server-dom-webpack@latest waku@latest
```
Redwood SDK
```bash
npm install rwsdk@latest
npm install react@latest react-dom@latest react-server-dom-webpack@latest
```
@vitejs/plugin-rsc
```bash
npm install react@latest react-dom@latest @vitejs/plugin-rsc@latest
```
How the Vulnerability Works
React Server Functions allow clients to call functions on the server. The vulnerability exists in how React decodes payloads sent to these endpoints.
An attacker can craft a specially crafted HTTP request that, when deserialized by React's RSC protocol, tricks the server into executing arbitrary code. This is possible because untrusted input can influence server-side execution behavior.
The attack requires no authentication and works against any application using React Server Components — even those that don't explicitly define Server Functions.
Timeline
- November 29, 2025: Vulnerability reported to Meta Bug Bounty by Lachlan Davidson
- November 30, 2025: Meta security team confirmed and began working on fix
- December 1, 2025: Fix created; coordination with framework providers
- December 3, 2025: Fix published to npm; CVE disclosed publicly
Why This Is So Serious
1. CVSS 10.0 — Maximum severity score
2. No authentication required — Anyone can exploit it
3. Remote Code Execution — Attackers can run any code on your server
4. Broad impact — Affects anyone using RSC, even without explicit Server Functions
5. No workaround — You must upgrade; there's no configuration to disable the vulnerable code path
Quick Reference: Patched Versions
| Release Line | Patched Version |
|--------------|-----------------|
| 15.0.x | 15.0.5 |
| 15.1.x | 15.1.9 |
| 15.2.x | 15.2.6 |
| 15.3.x | 15.3.6 |
| 15.4.x | 15.4.8 |
| 15.5.x | 15.5.7 |
| 16.0.x | 16.0.7 |
| React | 19.0.1, 19.1.2, 19.2.1 |
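The Step 4 version check carried out against this table, as an added example that is not part of the advisory or of the React/Next.js projects: a Node script that classifies the versions `npm list next react react-dom --json` reports, including the 14.x stable, 14.3.0-canary.77+ and 15.x/16.x canary cases listed above. The `SAMPLE` object is constructed to mimic that command's output, and all function names are the example's own.

```javascript
// Added example, not part of the advisory: classify the versions that
// `npm list next react react-dom --json` reports against the patched-version table.
const PATCHED_NEXT = { 15: { 0: 5, 1: 9, 2: 6, 3: 6, 4: 8, 5: 7 }, 16: { 0: 7 } }; // major -> minor -> patch
const PATCHED_REACT = { 19: { 0: 1, 1: 2, 2: 1 } };

// "15.6.0-canary.58" -> { nums: [15, 6, 0], pre: "canary.58" }; stable versions have pre === null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: m[4] || null } : null;
}

// Status: "patched", "vulnerable", "not-affected", "canary" (prerelease line:
// follow the canary instructions) or "unknown" (a line the table does not list).
function classify(pkg, version) {
  const p = parseVersion(version);
  if (!p) return "unknown";
  const [major, minor, patch] = p.nums;
  if (pkg === "next") {
    if (major <= 13) return "not-affected";
    if (major === 14) {
      if (!p.pre) return "not-affected"; // 14.x stable is safe
      const c = /^canary\.(\d+)$/.exec(p.pre); // 14.3.0-canary.77 and later are affected
      return minor === 3 && patch === 0 && c && +c[1] >= 77 ? "vulnerable" : "unknown";
    }
  } else if (major < 19) {
    return "not-affected";
  }
  if (p.pre) return "canary";
  const line = (pkg === "next" ? PATCHED_NEXT : PATCHED_REACT)[major];
  if (!line || line[minor] === undefined) return "unknown";
  return patch >= line[minor] ? "patched" : "vulnerable";
}

// Classify the direct dependencies of an `npm list --json` object (react-dom follows react's table).
function checkTree(npmJson) {
  const deps = npmJson.dependencies || {}, report = {};
  for (const pkg of ["next", "react", "react-dom"]) {
    if (!deps[pkg]) continue;
    report[pkg] = { version: deps[pkg].version, status: classify(pkg === "next" ? "next" : "react", deps[pkg].version) };
  }
  return report;
}

// Constructed sample in the shape `npm list --json` prints (not real output).
const SAMPLE = { dependencies: { next: { version: "15.2.3" }, react: { version: "19.1.2" }, "react-dom": { version: "19.1.2" } } };

console.table(checkTree(SAMPLE)); // next 15.2.3 -> vulnerable, react/react-dom 19.1.2 -> patched
```

To check a real project, pass the parsed output of `npm list next react react-dom --json` to `checkTree` instead of `SAMPLE` and fail the build when any status is `vulnerable`.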
Checklist
- [ ] Identified current Next.js/React version
- [ ] Upgraded to patched version
- [ ] Rebuilt application
- [ ] Redeployed to production
- [ ] Rotated all secrets and API keys
- [ ] Rotated database credentials
- [ ] Invalidated active sessions
- [ ] Notified team members
- [ ] Checked logs for suspicious activity before patch
Resources
- [React Official Disclosure](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- [Next.js CVE-2025-66478 Advisory](https://nextjs.org/blog/CVE-2025-66478)
- [CVE-2025-55182 Details](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)
Don't wait. Patch now. Rotate secrets. This vulnerability is actively being scanned for in the wild.
