Critical RCE in React Server Components CVE-2025-55182 and CVE-2025-66478: What It Means for Security Teams

Ilan Kalendarov, Security Research Team Lead
Ben Zamir, Security Researcher

What was discovered? 

A critical un-authentication remote code execution (RCE) vulnerability has been disclosed in React Server Components (RSC), tracked as CVE-2025-55182 (and related CVE-2025-66478 in next.js which is built on React).  

In short: a specially crafted HTTP request targeting the vulnerable RSC “Flight” component can lead to full server-side code execution, with no authentication required.  

Who is affected? 

• Any application using React 19 (versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0) with server components enabled is vulnerable.  
• Next.js that’s built atop React RSC, is also impacted. Affected versions are: Next.js: 14.3.0-canary, 15.x, and 16.x (App Router) 
• Beyond React and Next.js, any tooling, bundler or plugin that bundles the vulnerable react-server-dom-* modules may also be at risk. 
• Given the ubiquity of React and the popularity of Next.js-powered applications, this potentially affects a huge chunk of web-facing services, dashboards and cloud-hosted web applications worldwide, regardless of industry or geography.  

What’s the potential impact? 

• Full Server Takeover: The vulnerability allows unauthenticated remote code execution on the affected application’s server. This can provide an immediate external foothold and result in complete system compromise. 
• Ease of Exploitation + No Prerequisites: Because exploiting requires only a crafted HTTP request, no authentication, no special privileges and default configurations are already vulnerable, the attack surface is very large.  
• Data Exposure, Secret Leakage, Service Disruption: Any sensitive data stored or processed on the server (user data, credentials, tokens, configuration files) can be compromised. Attackers can modify data, exfiltrate secrets or disrupt service availability.  

How we test: Cymulate templates & attack scenarios 

To help security teams validate whether their environments are exposed, Cymulate released three new attack scenarios and two new attack templates in Cymulate Exposure Validation. 

On Dec. 4, 2025, we released the first attack scenario React2Shell Scanner (CVE-2025-55182 & CVE-2025-66478) to test and validate threat detection in SIEM and endpoint security. 

Because of the substantial risks associated with exploitation, Cymulate has released a standalone React2Shell-Scanner tool for any security team to test and validate their security controls’ ability to detect an attack that exploits these vulnerabilities.  

This is a non-intrusive scanner targeting CVE-2025-55182 (and CVE-2025-66478) that sends benign, harmless payloads, triggering the vulnerable deserialization logic but not executing malicious code and then analyzes server responses to detect if the server exhibits the characteristic error patterns of an unpatched RSC implementation.  

In practical terms, this means you can proactively test your public-facing (or internal) React/Next.js servers to assess exposure, without minimal risk. 

When manually inspecting React or Next.js versions, the caret (^) before a version number indicates that the minimum version is set, but the package manager is allowed to automatically install newer minor and patch versions within the same major release.  

For instance, "react": "^19.0.0" ensures the version won’t fall below 19.0.0, but it may install 19.0.1 or later compatible 19.x.x releases during deployment or reinstallation. This means a project may already be using a patched version, even if the baseline manifest looks vulnerable. As a result, teams must confirm the actual installed version (via lock files or dependency audits). 

On Dec. 8, 2025, we released attack scenario CVE-2025-55182/CVE-2025-66478 - React RSC Flight deserialization to test and validate WAF protection and alerting with attack simulations based on RSC Flight deserialization requests that contains the prototype-pollution and JavaScript-injection. 

After observing threat actors exploit this vulnerability, we published new IOC-based attack scenarios in the threat feed to test and validate endpoint security and perimeter defenses on Dec. 9.

With these new attack scenarios, we published two new exposure validation templates that apply these attack scenarios in advanced campaigns that exploit the vulnerability and mimic advanced tactics utilized by groups like UNC5174, North Korean and Chinese actors as well as others engaged in ransomware, espionage or cryptojacking campaigns. 

You can find these new exposure validation templates under “advanced attacks (APT & TA)” with the names: 

• React Server Components Exploitation Simulation 
• React2Shell RCE Simulation 

Free tool for every security team to validate the threat 

Because of the substantial risks associated with exploitation, Cymulate has released a standalone React2Shell-Scanner tool for any security team to test and validate their security controls’ ability to detect an attack that exploits these vulnerabilities.   

This is a non-intrusive scanner targeting CVE-2025-55182 (and CVE-2025-66478) that sends benign, harmless payloads, triggering the vulnerable deserialization logic but not executing malicious code and then analyzes server responses to detect if the server exhibits the characteristic error patterns of an unpatched RSC implementation.   

Recommended immediate actions 

1. Evaluate server applications using the affected components. Manually inspect configurations and installed versions. 
2. Prioritize patching: upgrade all react-server-dom-* packages to 19.0.1, 19.1.2, or 19.2.1 and ensure any Next.js instances are updated to patched releases.  
3. Use NPM audit to check components for known vulnerabilities. 
4. Audit all dependencies: check for any frameworks, plugins or libraries that embed vulnerable RSC modules.  
5. Incorporate simulation of this vulnerability into your annual or quarterly BAS/red-team exercises, to test detection, response and containment capabilities in case of a real exploit.