Critical CVE-2025-55182: Pre-Auth RCE in React Server Components Threatens Millions of Websites
A critical CVSS 10.0 vulnerability in React Server Components allows unauthenticated attackers to execute arbitrary code on servers via a single HTTP request, with active exploitation already observed.

A critical remote code execution vulnerability, CVE-2025-55182, has been disclosed in React Server Components (RSC), the server-side rendering layer of React that frameworks such as Next.js build on. With a CVSS score of 10.0, the flaw requires no authentication and can be triggered by a single crafted HTTP POST request to any Server Function endpoint. Facebook's security team disclosed the vulnerability on December 3, 2025, and Trend Micro researchers have confirmed exploitation attempts in the wild.
The vulnerability resides in the payload decoding mechanism of React Server Components. When the server receives a request to invoke a Server Function, it decodes the client-supplied payload (the RSC "Flight" wire format) to reconstruct the function's arguments. A crafted payload can subvert that decoding so that attacker-controlled code runs with the privileges of the Node.js server process. The affected packages are react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack, versions 19.0.0 through 19.2.0 (every 19.x release before the fixed versions). Frameworks built on React Server Components are also affected, including Next.js (15.x and 16.x), React Router with RSC APIs, Expo, Redwood SDK, Waku, and the Vite and Parcel RSC plugins.
The potential impact of CVE-2025-55182 is severe. Successful exploitation gives the attacker code execution with the server process's privileges, which is enough for filesystem access, credential harvesting and installation of persistent backdoors. Exfiltration of customer databases, API keys and intellectual property follows directly. A compromised React server can also serve as a pivot point for lateral movement into internal networks, databases and cloud resources; on a cloud host, the instance metadata service and any IAM role attached to the instance are reachable from that same process. Given that React powers over 40% of the top 10,000 websites, the attack surface is enormous.
Trend Micro's threat response teams have observed exploitation attempts that match publicly available proof-of-concept code circulating in the security community. The attempts span multiple sectors, with organizations in financial services, technology and e-commerce receiving targeted reconnaissance and exploitation attempts. Trend Micro has released detection signatures and is hunting for confirmed exploitation of CVE-2025-55182.
Immediate remediation is critical. Upgrade the react-server-dom-* packages to 19.0.1, 19.1.2 or 19.2.1 (or later in each release line) and Next.js to 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 or 16.0.7 (or later in each line). Note that Next.js ships its own compiled copy of react-server-dom-webpack, so a Next.js application is fixed by upgrading next itself, not by bumping a react-server-dom-* entry in its lockfile; check every nested copy, since lockfiles routinely carry more than one. If patching is not immediately feasible, compensating controls include WAF rules that block suspicious serialization patterns in Server Function requests, strict network egress controls to frustrate reverse shells and tool download, and comprehensive logging of all Server Function invocations. Longer term, run Node.js processes as an unprivileged user, isolate them in containers with dropped capabilities and a read-only root filesystem, and deploy runtime application self-protection (RASP).
This vulnerability underscores the growing risk surface in modern JavaScript frameworks that handle server-side rendering and server components. As frameworks like React and Next.js become ubiquitous in enterprise applications, the security of their core deserialization mechanisms becomes paramount. The combination of pre-authentication access, maximum CVSS severity, and active exploitation makes CVE-2025-55182 one of the most critical web framework vulnerabilities disclosed in recent years. Security teams should treat this as an emergency and prioritize patching across all affected deployments.