React Server Components (RSC) in React 19.x are affected by an insecure-deserialization flaw in the "Flight" protocol, the wire format React uses to move data between client and server. An unauthenticated attacker can send crafted HTTP requests to a Server Function endpoint and achieve arbitrary code execution on the server.
The flaw affects react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack versions 19.0.0 through 19.2.0.
Frameworks such as Next.js (15.x and 16.x with the App Router, plus certain 14.x canaries), the React Router RSC preview, Waku, the Vite RSC plugin, the Parcel RSC plugin, and RedwoodSDK ship or depend on these packages, so applications built on them are exposed whether or not react-server-dom-* appears in their own package.json.
Pure client-side React apps are not affected. Any application whose server handles RSC requests is, even if it defines no Server Functions of its own, because the framework's request handler still runs the vulnerable decoder.
Censys reports 2.15 million potentially affected internet-facing services identified via headers like “Content-Type: text/x-component”, “Vary: RSC”, Next.js software fingerprints, and specific body tags or favicons.
Shadowserver scans detected around 29,000 vulnerable IPs as of December 7, down from over 77,000 initially.
| Field | Description |
|---|---|
| CVE-ID | CVE-2025-55182 (CVSS 10.0) |
| Affected Versions | react-server-dom-* 19.0.0-19.2.0; Next.js 15.x/16.x |
| Disclosure Date | December 3, 2025 |
| Exploitation | Active in the wild; attributed to China-nexus groups (Earth Lamia, Jackpot Panda) |
| Patch Status | react-server-dom-* 19.0.1, 19.1.2 or 19.2.1 (one fix per 19.x minor); Next.js 15.0.5, 15.1.9 and the corresponding fix for each later release line |
Within 24 hours of disclosure, China-aligned actors began targeting cloud-hosted apps, deploying web shells and backdoors; CISA added it to its Known Exploited Vulnerabilities catalog on December 5.
GreyNoise observed opportunistic automated scanning built on public PoCs, often with AMSI bypasses and secondary payloads. Managed rules from AWS WAF and Cloudflare block known payload shapes but can be bypassed; they buy time, they are not a fix, and patching remains essential.
Upgrade to the patched React release for your minor (19.0.1, 19.1.2 or 19.2.1) and make sure every copy of react-server-dom-webpack, react-server-dom-parcel or react-server-dom-turbopack in the lockfile, including copies nested under another dependency, moves to the same fixed version. Next.js bundles its own copy of these packages, so upgrade next itself to the fixed release for your line (for example npm install next@15.0.5 on 15.0.x), then check your external exposure with Censys queries for the RSC response headers or Next.js signatures described above.
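As an added example, not code from the React project or the article's sources, the following Node script walks a package-lock.json (lockfileVersion 2 or 3, which key entries by install path) and classifies every react-server-dom-* copy against the version ranges the article quotes: 19.0.0 through 19.2.0 affected, fixed in 19.0.1, 19.1.2 and 19.2.1. The sample lockfile at the bottom is constructed for illustration; the version-table and the decision to flag prerelease builds of a fixed version are assumptions noted in the comments. It does not inspect the copy bundled inside next; check the next version against its own advisory.

```javascript
// Added example (not from the advisory or the React project): classify react-server-dom-*
// versions found in a package-lock.json against the ranges quoted in the article.
// Affected: 19.0.0 through 19.2.0. Fixed: 19.0.1, 19.1.2, 19.2.1 (one fix per 19.x minor).
const AFFECTED_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);
const FIXED_BY_MINOR = { 0: '19.0.1', 1: '19.1.2', 2: '19.2.1' };

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; anything else returns null and goes to manual review.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(text).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Semver-style ordering: compare the numeric triple, then treat a prerelease as older
// than the release it precedes (19.2.1-canary-x < 19.2.1). Prerelease identifiers are
// not compared against each other; that precision is not needed for this check.
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// Returns 'vulnerable', 'patched', 'unaffected' (a major outside the 19.x range the
// advisory names), 'review' (a 19.x minor the table does not cover, or an unparseable
// version) or 'not-in-scope' (some other package).
function classify(name, version) {
  if (!AFFECTED_PACKAGES.has(name)) return 'not-in-scope';
  const v = parseVersion(version);
  if (!v) return 'review';
  if (v.major !== 19) return 'unaffected';
  const fixed = FIXED_BY_MINOR[v.minor];
  if (!fixed) return 'review';
  // Assumption: canary/prerelease builds sort below the fixed release and are flagged.
  // That is the conservative reading, since 14.x canaries shipping 19.0.0 prereleases were affected.
  return compareVersions(v, parseVersion(fixed)) < 0 ? 'vulnerable' : 'patched';
}

// Walk the lockfile's "packages" map and report every react-server-dom-* copy,
// including ones nested under another package's node_modules.
function scanLockfile(lock) {
  const findings = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    const name = installPath.split('node_modules/').pop();
    if (!AFFECTED_PACKAGES.has(name)) continue;
    findings.push({ path: installPath, version: meta.version, status: classify(name, meta.version) });
  }
  return findings;
}

// Constructed sample lockfile (not real project data) exercising each outcome.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/some-rsc-framework/node_modules/react-server-dom-turbopack': { version: '19.1.2' },
    'node_modules/react-server-dom-parcel': { version: '19.0.0-canary-0123abcd-20241201' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node check-rsc-lock.js [path/to/package-lock.json]; with no argument the sample above is used.
  const lock = process.argv[2] ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK;
  for (const f of scanLockfile(lock)) {
    console.log(`${f.status.padEnd(12)} ${String(f.version).padEnd(34)} ${f.path}`);
  }
}
```

Run it against each lockfile in a monorepo and treat any 'vulnerable' or 'review' line as a blocker; a single nested copy left behind by a framework that pins its own react-server-dom-* keeps the deployment exploitable even after the top-level react is upgraded.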
Organizations should review logs for POST requests carrying a "next-action" or "rsc-action-id" header, and for indicators such as unexpected writes to /tmp/pwned.txt. Legitimate Server Function calls from an application's own UI carry the same headers, so treat their presence as a triage filter and look at who sent them, how many distinct paths they hit, and whether the endpoint returned errors. Prompt updates are what actually close this exposure across millions of services.
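An added example of that log review, not from the article's sources: a Node script that reads JSON-lines access logs as a reverse proxy might emit them, keeps POSTs carrying either of the two headers the article names, and groups them by source address. The field names (remote_addr, method, path, status, headers) and the flagging thresholds are assumptions, and the log lines at the bottom are constructed, not real traffic.

```javascript
// Added example (not from the article's sources): triage JSON-lines access logs for
// Server Function traffic. A hit is a POST carrying a `next-action` or `rsc-action-id`
// header, the two the article names. Legitimate RSC clients send the same headers, so
// hits are grouped by source and scored with a heuristic rather than declared compromise.
const ACTION_HEADERS = ['next-action', 'rsc-action-id'];

// Heuristic thresholds (assumptions; tune to your traffic): a source is flagged when any
// of its action POSTs ended in a 5xx, or when it posted actions to more than
// MAX_BENIGN_PATHS distinct paths, which a page's own UI rarely does but a scanner does.
const MAX_BENIGN_PATHS = 2;

// Assumed record shape: {"remote_addr","method","path","status","headers":{...}} per line.
function parseLine(line) {
  try {
    return JSON.parse(line);
  } catch {
    return null; // unparseable lines are dropped, not fatal
  }
}

// Header names are case-insensitive; normalise so `Next-Action` and `next-action` both match.
function lowerHeaders(req) {
  return Object.fromEntries(
    Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), v]),
  );
}

function isServerFunctionPost(req) {
  if (!req || req.method !== 'POST') return false;
  const headers = lowerHeaders(req);
  return ACTION_HEADERS.some((name) => name in headers);
}

// Returns one summary per source address, most active first.
function triage(lines) {
  const bySource = new Map();
  for (const req of lines.map(parseLine).filter(isServerFunctionPost)) {
    const s = bySource.get(req.remote_addr) || { requests: 0, paths: new Set(), serverErrors: 0 };
    s.requests += 1;
    s.paths.add(req.path);
    if (req.status >= 500) s.serverErrors += 1;
    bySource.set(req.remote_addr, s);
  }
  return [...bySource.entries()]
    .map(([ip, s]) => ({
      ip,
      requests: s.requests,
      distinctPaths: s.paths.size,
      serverErrors: s.serverErrors,
      suspicious: s.serverErrors > 0 || s.paths.size > MAX_BENIGN_PATHS,
    }))
    .sort((a, b) => b.requests - a.requests);
}

// Constructed sample log (not real traffic). 10.0.0.5 is a normal user submitting one
// form; 203.0.113.7 posts actions to several paths and triggers server errors.
const SAMPLE_LOG = [
  '{"remote_addr":"10.0.0.5","method":"POST","path":"/dashboard","status":200,"headers":{"Next-Action":"placeholder-action-id"}}',
  '{"remote_addr":"203.0.113.7","method":"POST","path":"/","status":500,"headers":{"next-action":"placeholder-action-id"}}',
  '{"remote_addr":"203.0.113.7","method":"POST","path":"/login","status":500,"headers":{"next-action":"placeholder-action-id"}}',
  '{"remote_addr":"203.0.113.7","method":"POST","path":"/blog","status":200,"headers":{"rsc-action-id":"placeholder-action-id"}}',
  '{"remote_addr":"198.51.100.2","method":"GET","path":"/","status":200,"headers":{"RSC":"1"}}',
  '{"remote_addr":"198.51.100.9","method":"POST","path":"/contact","status":200,"headers":{"content-type":"application/x-www-form-urlencoded"}}',
  'this line is not JSON and is skipped',
];

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node rsc-triage.js access.jsonl; with no argument the constructed sample is used.
  const text = process.argv[2] ? require('fs').readFileSync(process.argv[2], 'utf8') : SAMPLE_LOG.join('\n');
  console.table(triage(text.split('\n').filter(Boolean)));
}
```

Flagged sources are leads, not verdicts: pivot from them to the host (new processes spawned by the Node worker, files such as /tmp/pwned.txt, outbound connections) and to the time window, since exploitation began within a day of the December 3 disclosure.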