CVE-2025-55182 is a critical (CVSS 10.0) unauthenticated remote code execution vulnerability in React Server Components (RSC), affecting React 19.0.0, 19.1.0, 19.1.1 and 19.2.0. The flaw is unsafe deserialization in the server-side implementation of the React Flight protocol (the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages): a crafted multipart request to an RSC endpoint is decoded by the server in a way that lets an attacker execute code on it without any credentials. Next.js tracks the same exposure as CVE-2025-66478. Affected frameworks include Next.js, React Router (RSC mode), the Vite RSC plugin, the Parcel RSC plugin, RedwoodSDK and Waku. An application is exposed even if it never defines a Server Function, because these frameworks wire the RSC request handler in by default. Fixed releases are React 19.0.1, 19.1.2 and 19.2.1, with patched releases for every affected framework; upgrading is the only complete fix. Vercel has deployed request-layer mitigations in front of hosted applications, but these reduce exposure rather than remediate the vulnerability.

From aikido.dev (4 min read)