Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution
React Server Components(RSC)被曝出最高级别安全漏洞(CVE-2025-55182),CVSS评分10.0。该漏洞允许未经身份验证的攻击者通过恶意HTTP请求实现远程代码执行。影响版本包括react-server-dom-webpack、react-server-dom-parcel、react-server-dom-turbopack等npm包的多个版本以及Next.js App Router。已发布修复版本。 2025-12-3 18:19:0 Author: thehackernews.com(查看原文) 阅读量:0 收藏

Vulnerability / Cloud Security

A maximum-severity security flaw has been disclosed in React Server Components (RSC) that, if successfully exploited, could result in remote code execution.

The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0.

It allows "unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints," the React Team said in an alert issued today.

"Even if your app does not implement any React Server Function endpoints, it may still be vulnerable if your app supports React Server Components."

According to cloud security firm Wiz, the issue is a case of logical deserialization that stems from processing RSC payloads in an unsafe manner. As a result, an unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves execution of arbitrary JavaScript code on the server.

Cybersecurity

The vulnerability impacts versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of the following npm packages -

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

It has been addressed in versions 19.0.1, 19.1.2, and 19.2.1. New Zealand-based security researcher Lachlan Davidson has been credited with discovering and reporting the flaw on November 29, 2025.

It's worth noting that the vulnerability also affects Next.js using App Router. The issue has been assigned the CVE identifier CVE-2025-66478 (CVSS score: 10.0). It impacts versions >=14.3.0-canary.77, >=15, and >=16. Patched versions are 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, and 15.0.5.

That said, any library that bundles RSC is likely to be affected by the flaw. This includes, but is not limited to, Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodJS, and Waku.

Wiz said 39% of cloud environments have instances vulnerable to CVE-2025-55182 and/or CVE-2025-66478. In light of the severity of the vulnerability, it's advised that users apply the fixes as soon as possible for optimal protection.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.


文章来源: https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html
如有侵权请联系:admin#unsafe.sh