🚨 CRITICAL RCE ALERT: Immediate Patch Required for React Server Components (CVE-2025-55182)


CVSS Score 10.0: Unauthenticated Remote Code Execution Threat in React 19 Ecosystem.

A fundamental and severe security vulnerability, tracked as CVE-2025-55182 (also dubbed "React2Shell"), has been discovered in the core architecture of React Server Components (RSC). This flaw allows an unauthenticated, remote attacker to execute arbitrary code on your server.

At SiTechra, we urge all teams utilizing RSC—including those on Next.js App Router—to cease development and prioritize patching immediately.


1. The Threat: Unsafe Deserialization in RSC

The vulnerability lies in how React handles the Flight protocol, the mechanism used to send data between the client and the server.

  • The Exploit: An attacker can craft a malicious HTTP request that exploits a flaw in how React decodes payloads (unsafe deserialization).
  • The Consequence: When the server processes this malformed payload, it is tricked into executing unauthorized code, granting the attacker Remote Code Execution (RCE) privileges.
  • Criticality: This is an unauthenticated attack. The attacker needs no credentials to compromise your server.

2. Who is Affected?

This is not a framework-specific issue; it resides in the core React packages. If your app supports React Server Components, you are likely vulnerable, even if you don't use Server Functions explicitly.

Vulnerable Packages (Versions 19.0 - 19.2.0):

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

Affected Frameworks: Next.js (App Router), Waku, Redwood SDK, and others relying on these packages.


3. Immediate Remediation

The fix has been released in patched versions. Upgrading immediately is the only complete mitigation.

  Affected Version    Patch Version
  19.0.x              19.0.1
  19.1.x              19.1.2
  19.2.x              19.2.1
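As an added example (not the advisory's or React's own code), the audit script below walks a dependency tree in the shape that `npm ls --all --json` emits and flags every copy of the three react-server-dom-* packages that is below the first fixed release in the table above; the package names and patch versions are taken from this advisory, and the sample tree is constructed for illustration.

```javascript
// Added example (not from the advisory): find react-server-dom-* copies in an
// `npm ls --all --json` tree that predate the CVE-2025-55182 fix.
// Patch table from the advisory: 19.0.x -> 19.0.1, 19.1.x -> 19.1.2, 19.2.x -> 19.2.1.
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
const FIRST_FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// Returns [major, minor, patch]; prerelease/canary tags are dropped, which
// deliberately treats 19.2.0-canary.* as older than 19.2.1.
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when the version is in an affected 19.x line and below that line's first fixed release.
function isVulnerable(version) {
  const v = parseSemver(version);
  if (!v) return false;
  const fixed = FIRST_FIXED[`${v[0]}.${v[1]}`];
  return fixed !== undefined && compareSemver(v, parseSemver(fixed)) < 0;
}

// Recursively walks the nested `dependencies` objects and records the path to each hit,
// so transitive copies pulled in by a framework package are reported too.
function findVulnerable(tree, path = []) {
  const findings = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (RSC_PACKAGES.has(name) && isVulnerable(node.version)) {
      findings.push({ name, version: node.version, path: here.join(" > ") });
    }
    findings.push(...findVulnerable(node, here));
  }
  return findings;
}

// Constructed sample tree (not real npm output): one transitive and one direct vulnerable copy.
const SAMPLE_TREE = {
  dependencies: {
    next: { version: "15.1.8", dependencies: { "react-server-dom-webpack": { version: "19.0.0" } } },
    "react-server-dom-turbopack": { version: "19.2.1" },
    "react-server-dom-parcel": { version: "19.1.0" },
  },
};
for (const f of findVulnerable(SAMPLE_TREE)) console.log(`VULNERABLE: ${f.path}`);
```

To run it against a real project, replace SAMPLE_TREE with `JSON.parse` of the `npm ls --all --json` output; versions outside the 19.0 to 19.2 lines named in this advisory are not flagged.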

Next.js Upgrade Guide (Highest Priority)

Next.js users must upgrade to the latest patched version in their active release line:

# Recommended for Next.js 15.x users:
npm install next@latest

# Manual upgrades for specific lines:
npm install next@15.0.5
npm install next@15.1.9
npm install next@16.0.7

Note: If you are using Next.js 14.3.0-canary, downgrade to the latest stable 14.x release.


4. Hosting Provider Warning

Major hosting platforms (like Vercel and AWS) have deployed temporary WAF rules. Do not rely on these. They are short-term buffers. A full software patch is the only permanent solution.

The complexity of modern JavaScript ecosystems means that one critical flaw can affect your entire infrastructure. If you need help auditing your architecture or securing your enterprise software, do not hesitate to reach out.

Secure your infrastructure today.

Contact the SiTechra Security Team.