Security Advisory: CVE-2025-55182 (CVSS 10) – Critical Security Vulnerability in React Server Components


Key Takeaways:

  • A critical RCE vulnerability (CVE-2025-55182) affects React Server Components.
  • The vulnerability allows unauthenticated remote code execution.
  • Immediate patching and code review are crucial for mitigation.
  • SBOM utilization and vulnerability scanning enhance security posture.
  • PurpleOps services can help proactively identify and mitigate risks.


The React team has disclosed a critical security flaw identified as CVE-2025-55182, impacting React Server Components (RSC). This vulnerability enables unauthenticated remote code execution (RCE) through specially crafted HTTP requests. This post analyzes the vulnerability, its impact, and mitigation strategies, and relates it to cyber threat intelligence and supply chain risk monitoring.

Critical Security Vulnerability in React Server Components

A critical vulnerability, CVE-2025-55182, has been identified in React Server Components (RSC), posing a substantial risk to applications running the affected versions. It allows remote code execution without authentication and requires immediate attention and remediation. Its Common Vulnerability Scoring System (CVSS) score is 10.0, the maximum, reflecting critical severity.

Summary

The vulnerability resides in React Server Components and arises from unsafe deserialization of payloads sent in HTTP requests to React Server Function endpoints. The React team publicly disclosed the issue on December 3, 2025, urging developers to promptly update the affected packages and any framework that bundles them. Because the request body is deserialized by the framework before the application's own server function runs, an attacker needs no valid session: a crafted request body alone is enough to execute arbitrary code on the server.

Technical Details

CVE-2025-55182 stems from insecure deserialization of data received in HTTP requests to React Server Function endpoints. React Server Functions let client code call functions that live on the server: React turns each client call into an HTTP request, and the server deserializes that request back into a function call with its arguments. That deserializer is the attack surface.

The core of the vulnerability lies in how React's requireModule function accesses object properties using user-supplied data without validation. An attacker can set metadata[NAME] to an inherited property name such as __proto__, so the lookup walks the prototype chain instead of the module's own exports (a prototype pollution-style attack) and, ultimately, reaches arbitrary code execution.

An example payload to exploit this vulnerability looks like this:

{
  "$ACTION_REF_0": "",
  "$ACTION_0:0": "{\"id\": \"vm#runInThisContext\", \"bound\": [\"console.log('Hello World')\"]}"
}

This payload names runInThisContext from Node.js's built-in vm module as the function to resolve, with the JavaScript to run supplied as its bound argument, so the server ends up evaluating attacker-controlled source.

The patch introduces a hasOwnProperty check so that metadata[NAME] only resolves to a property that the moduleExports object itself defines, never one inherited from its prototype chain. That check is the direct fix for the prototype-chain traversal.
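The bug class the advisory describes, reduced to a stand-alone illustration. This is added here and is not React's source; the names moduleExports, resolveExportUnchecked, resolveExportChecked and followPath are hypothetical. It shows the unchecked lookup beside the own-property check, and gives the general JavaScript reason why reading an inherited property is enough for code execution (two "constructor" hops reach the Function constructor), not the advisory's specific chain:

```javascript
// Added illustration; this is not React's source. It isolates the bug class the
// advisory describes: a lookup table indexed with a request-supplied key, with
// and without the own-property check. All names below are hypothetical.
const hasOwn = Object.prototype.hasOwnProperty;

// Stand-in for a server module's export table (a real one holds server functions).
const moduleExports = {
  greet: (who) => `hello, ${who}`,
};

// Vulnerable shape: exports[name] resolves anything reachable through the
// prototype chain, so '__proto__' and 'constructor' are valid "export names".
function resolveExportUnchecked(exports, name) {
  return exports[name];
}

// Hardened shape, the hasOwnProperty check the advisory describes: only a
// property that lives on the table itself resolves; inherited ones are rejected.
function resolveExportChecked(exports, name) {
  if (typeof name !== 'string' || !hasOwn.call(exports, name)) {
    throw new TypeError(`not an exported name: ${String(name)}`);
  }
  return exports[name];
}

// One lookup per key, in sequence, through the given resolver. A deserializer
// that resolves nested references does the same walk with attacker-chosen keys.
function followPath(root, keys, resolver) {
  return keys.reduce((current, key) => resolver(current, key), root);
}

function demo() {
  // Inherited members leak through the unchecked lookup...
  const proto = resolveExportUnchecked(moduleExports, '__proto__'); // Object.prototype
  // ...and two hops land on the Function constructor, which compiles arbitrary
  // source. That is the step from "reads an inherited property" to code
  // execution; it is only referenced here, never invoked.
  const fn = followPath(moduleExports, ['constructor', 'constructor'], resolveExportUnchecked);

  // The same walk through the checked resolver fails at the first hop.
  let rejected = false;
  try {
    followPath(moduleExports, ['constructor', 'constructor'], resolveExportChecked);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return {
    leaksPrototype: proto === Object.prototype,
    reachesFunction: fn === Function,
    checkedStillServesExports: resolveExportChecked(moduleExports, 'greet')('rsc') === 'hello, rsc',
    checkedRejectsWalk: rejected,
  };
}

console.log(demo());
// → { leaksPrototype: true, reachesFunction: true, checkedStillServesExports: true, checkedRejectsWalk: true }
```

Two points worth carrying into a code review: the own-property check has to run at every hop of a reference walk, not just the first, and an export table built with Object.create(null) has no prototype at all, which removes the inherited names as a defense in depth even if a check is missed.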

Affected Products

The vulnerability impacts the following React Server Components packages in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

Furthermore, any framework or tool that integrates React Server Components using these vulnerable packages is also at risk. Confirmed affected components include:

  • Next.js App Router (multiple versions) – Vulnerability tracked as CVE-2025-66478
  • RSC plugin for Vite
  • RSC plugin for Parcel
  • React Router’s unstable RSC APIs
  • Redwood SDK
  • Waku
  • Any third-party project bundling vulnerable react-server-dom-* packages

Recommendations

Immediate action is required to mitigate the risks associated with CVE-2025-55182. The primary recommendation is to update the affected React Server Components packages to the fixed release for the minor line you are on (19.0.1, 19.1.2, or 19.2.1) as soon as possible.

For Next.js users, upgrading to the fixed release for your line (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7) is required; Next.js bundles its own copy of the RSC runtime, so updating the react-server-dom-* packages alone does not fix a Next.js application.

Practical Takeaways and Actionable Advice

Technical Readers:

  1. Immediate Patching: Prioritize updating React Server Components packages to the fixed versions (19.0.1, 19.1.2, or 19.2.1). For Next.js users, upgrade to versions 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7.
  2. Code Review: requireModule is React's internal code, so the fix ships with the package update; in your own codebase, look for the same pattern, any place an object or module table is indexed with request-supplied keys, and make sure the lookup is restricted to own properties (hasOwnProperty) rather than anything reachable through the prototype chain.
  3. SBOM Utilization: Implement Software Bill of Materials (SBOM) to maintain an inventory of software components and dependencies. Use tools like SafeDep or other open-source options to generate and query SBOMs.
  4. Vulnerability Scanning: Integrate vulnerability scanning into your CI/CD pipeline to detect and address vulnerabilities early in the development lifecycle.

Non-Technical Readers:

  1. Awareness: Understand the importance of keeping software components up to date and the potential risks associated with vulnerabilities.
  2. Communication: Ensure that your technical teams are aware of CVE-2025-55182 and are taking appropriate steps to mitigate the risks.
  3. Verification: Verify that your organization is using the latest versions of React Server Components and Next.js, and that patches have been applied.
  4. Risk Assessment: Conduct a risk assessment to identify and prioritize critical systems and applications that may be vulnerable to CVE-2025-55182.
  5. Incident Response Plan: Prepare an incident response plan to effectively respond to potential security incidents related to CVE-2025-55182.

Relevance to PurpleOps Services

This vulnerability underscores the importance of several cybersecurity services offered by PurpleOps:

  • Cyber Threat Intelligence Platform: PurpleOps’ cyber threat intelligence platform provides real-time insights into emerging threats, including vulnerabilities like CVE-2025-55182. This allows organizations to proactively identify and mitigate risks before they can be exploited.
  • Supply Chain Risk Monitoring: The vulnerability highlights the need for supply chain risk monitoring. PurpleOps offers services to monitor third-party components and dependencies for known vulnerabilities, ensuring that organizations are aware of potential risks in their software supply chain.
  • Breach Detection: Should an attacker successfully exploit CVE-2025-55182, PurpleOps’ breach detection services can help identify and contain the intrusion. These services use advanced analytics and threat intelligence to detect suspicious activity and prevent further damage.
  • Real-time Ransomware Intelligence: Exploitation of vulnerabilities like CVE-2025-55182 can often be a precursor to ransomware attacks. Real-time ransomware intelligence helps in identifying and blocking ransomware threats before they can encrypt critical data.

PurpleOps’ expertise in these areas can help organizations effectively manage and mitigate the risks associated with vulnerabilities like CVE-2025-55182, strengthening their overall security posture. PurpleOps also provides services such as penetration testing and red team operations that can simulate real-world attacks and identify vulnerabilities before they can be exploited by malicious actors.

SBOM-Driven Identification

Security teams benefit significantly from maintaining a Software Bill of Materials (SBOM) for their applications. SBOMs provide a standardized, machine-readable format for inventorying software components, their metadata, and dependencies.


Maintaining up-to-date SBOMs as part of the software development lifecycle is crucial for:

  • Identifying vulnerable applications.
  • Pinpointing vulnerable versions of Next.js and React Server Components.
  • Locating the manifest (package.json or lockfile) that pulls in the vulnerable version, so the fix can be applied in the right place and verified afterwards.

SBOMs provide a clear view of the software supply chain, allowing security teams to quickly identify and address vulnerabilities.
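As an added example (not SafeDep's tooling or React's code), the check below walks a CycloneDX JSON SBOM and flags npm components that sit below the fixed releases named in this advisory. The SBOM object, the nested "internal-rsc-framework" component and the helper names are constructed for the demo. It goes slightly beyond the exact version list by treating any version in a fixed release's major.minor line that is older than that fix as affected, which is what "upgrade to 15.0.5, 15.1.9, ..." means in practice:

```javascript
// Added example, not SafeDep's or React's code. Walks a CycloneDX JSON SBOM and
// reports npm components that are older than the fixed releases in this advisory.
// The SBOM object and the "internal-rsc-framework" component are constructed.

// Fixed releases per package; a version is flagged when it shares a fix's
// major.minor line and sorts below it (15.1.3 < 15.1.9 is flagged, 15.5.7 is not).
const FIXED_RELEASES = {
  'react-server-dom-webpack': ['19.0.1', '19.1.2', '19.2.1'],   // CVE-2025-55182
  'react-server-dom-parcel': ['19.0.1', '19.1.2', '19.2.1'],
  'react-server-dom-turbopack': ['19.0.1', '19.1.2', '19.2.1'],
  // Next.js bundles its own copy of react-server-dom-webpack, so only "next"
  // appears in an app SBOM; track it by its own fixed releases (CVE-2025-66478).
  'next': ['15.0.5', '15.1.9', '15.2.6', '15.3.6', '15.4.8', '15.5.7', '16.0.7'],
};

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into numbers plus a prerelease flag.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(version);
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] !== undefined };
}

// Negative when a < b. A prerelease sorts below the release with the same numbers,
// so 16.0.7-canary.1 counts as older than 16.0.7 (conservative for triage).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] - b.nums[i];
  }
  return (a.pre ? 0 : 1) - (b.pre ? 0 : 1);
}

function isBelowFix(name, version) {
  const fixes = FIXED_RELEASES[name];
  const v = parseVersion(version);
  if (!fixes || !v) return false; // untracked package or non-semver version
  return fixes.some((fix) => {
    const f = parseVersion(fix);
    return f.nums[0] === v.nums[0] && f.nums[1] === v.nums[1] && compareVersions(v, f) < 0;
  });
}

// CycloneDX lets a component carry nested components; visit all of them.
function* walkComponents(components) {
  for (const c of components || []) {
    yield c;
    yield* walkComponents(c.components);
  }
}

function findVulnerableComponents(sbom) {
  const hits = [];
  for (const c of walkComponents(sbom.components)) {
    // Only npm components are in scope; a missing purl is treated as npm for triage.
    const npm = typeof c.purl !== 'string' || c.purl.startsWith('pkg:npm/');
    if (npm && isBelowFix(c.name, c.version)) hits.push(`${c.name}@${c.version}`);
  }
  return hits;
}

// Constructed sample SBOM (CycloneDX JSON field names; versions chosen for the demo).
const SAMPLE_SBOM = {
  bomFormat: 'CycloneDX',
  specVersion: '1.5',
  version: 1,
  components: [
    { type: 'library', name: 'next', version: '15.1.3', purl: 'pkg:npm/next@15.1.3' },
    { type: 'library', name: 'react', version: '19.2.0', purl: 'pkg:npm/react@19.2.0' },
    { type: 'library', name: 'react-server-dom-webpack', version: '19.2.0', purl: 'pkg:npm/react-server-dom-webpack@19.2.0' },
    { type: 'library', name: 'next', version: '15.5.7', purl: 'pkg:npm/next@15.5.7' },
    {
      type: 'library', name: 'internal-rsc-framework', version: '1.0.0', purl: 'pkg:npm/internal-rsc-framework@1.0.0',
      components: [
        { type: 'library', name: 'react-server-dom-turbopack', version: '19.1.1', purl: 'pkg:npm/react-server-dom-turbopack@19.1.1' },
      ],
    },
  ],
};

console.log(findVulnerableComponents(SAMPLE_SBOM));
// → [ 'next@15.1.3', 'react-server-dom-webpack@19.2.0', 'react-server-dom-turbopack@19.1.1' ]
```

Note that react@19.2.0 is deliberately not flagged: react itself is not an affected package, and matching on it produces noise in projects that never use RSC. The nested component shows why the walk has to recurse: a framework that vendors one of the react-server-dom-* packages can carry the vulnerable version below its own entry.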

Using SafeDep for SBOM Generation and Query

SafeDep is a tool that aids in generating and maintaining SBOMs continuously as part of the software development lifecycle. It provides options such as:

  • Using SafeDep’s open-source tools for SBOM generation and query.
  • Using SafeDep Cloud (SaaS) for continuous SBOM generation and query.

SafeDep Open Source Tools

SafeDep vet can generate SBOMs from source code, export them in a queryable format, and query them for vulnerabilities and compliance. To scan a GitHub organization and identify repositories vulnerable to CVE-2025-55182 and CVE-2025-66478, follow these steps:

  1. Install vet in your system.
  2. Generate a read-only GitHub Personal Access Token.
  3. Run vet to scan your GitHub organization and write the report to an SQLite3 database:
vet scan --github-org <your_github_org> --report-sqlite3 /tmp/gh-org-vet.db
  4. Run a query to identify repositories vulnerable to CVE-2025-55182 and CVE-2025-66478:
SELECT
  p.name,
  m.namespace AS repository,
  p.version,
  p.is_direct,
  m.display_path AS manifest
FROM report_packages p
JOIN report_package_manifest_packages mp ON p.id = mp.report_package_id
JOIN report_package_manifests m ON mp.report_package_manifest_id = m.id
WHERE p.ecosystem = 'npm'
  AND (
    -- CVE-2025-55182: the vulnerable RSC packages themselves (react is not the affected package)
    (p.name IN ('react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack')
     AND p.version IN ('19.0.0', '19.1.0', '19.1.1', '19.2.0'))
    OR
    -- CVE-2025-66478: Next.js bundles its own copy of react-server-dom-webpack, so it never
    -- shows up as a separate package; flag any 15.x / 16.0.x that is not a fixed release
    (p.name = 'next'
     AND (p.version LIKE '15.%' OR p.version LIKE '16.0.%')
     AND p.version NOT IN ('15.0.5', '15.1.9', '15.2.6', '15.3.6', '15.4.8', '15.5.7', '16.0.7'))
  )
ORDER BY p.name, m.namespace, p.version;

Treat the output as a triage list: the LIKE patterns also match Next.js releases published after the fixed versions above, so confirm each hit against the fixed-version list before raising a ticket.

SafeDep Cloud

  1. Log in to SafeDep Cloud.
  2. Navigate to the Query tab.
  3. Execute the following SQL query:
SELECT projects.name,
  projects.version,
  packages.name,
  packages.version
FROM projects
WHERE packages.name = 'react-server-dom-webpack' and packages.version = '19.2.0'

Repeat the query for each affected package and version (react-server-dom-parcel, react-server-dom-turbopack, and the vulnerable Next.js releases).

Mitigating Future Risks

Addressing CVE-2025-55182 involves more than just patching. It requires a comprehensive approach to security, including:

  • Regular Security Audits: Conduct regular security audits to identify vulnerabilities and weaknesses in your applications.
  • Secure Coding Practices: Implement secure coding practices to prevent vulnerabilities from being introduced in the first place.
  • Continuous Monitoring: Continuously monitor your systems for suspicious activity and potential intrusions.
  • Incident Response Planning: Develop and regularly test an incident response plan to effectively respond to security incidents.

By taking these steps, organizations can reduce their risk of being affected by similar vulnerabilities in the future.


FAQ

Q: What is CVE-2025-55182?
A: CVE-2025-55182 is a critical remote code execution vulnerability in React Server Components.

Q: Which React versions are affected?
A: React Server Components packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 are affected.

Q: How can I mitigate this vulnerability?
A: Update the affected React Server Components packages to a fixed version (19.0.1, 19.1.2, or 19.2.1).

Q: Is Next.js affected?
A: Yes, Next.js App Router is affected. Upgrade to versions 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7.

Q: What is an SBOM and how does it help?
A: An SBOM (Software Bill of Materials) is a list of all components in a software application. It helps in identifying and managing vulnerabilities.

Stay Protected with PurpleOps

Understanding and mitigating vulnerabilities like CVE-2025-55182 is crucial for maintaining a strong security posture. PurpleOps offers a range of services to help organizations stay protected against emerging threats. Explore our platform at https://www.purple-ops.io/platform/ to learn more about our real-time threat intelligence and supply chain risk monitoring capabilities. Contact us through https://www.purple-ops.io/services/ for a consultation on how we can help you secure your applications. Learn more about our Red Team Operations at https://www.purple-ops.io/red-team-operations, Penetration Testing at https://www.purple-ops.io/penetration-testing, Supply Chain Information Security at https://www.purple-ops.io/supply-chain-information-security, Ransomware Protection at https://www.purple-ops.io/protect-ransomware, Dark Web Monitoring at https://www.purple-ops.io/dark-web-monitoring and Cyber Threat Intelligence at https://www.purple-ops.io/cyber-threat-intelligence.