Critical RCE in React Server Components CVE-2025-55182 and CVE-2025-66478: What It Means for Security Teams

Ilan Kalendarov, Security Research Team Lead
Ben Zamir, Security Researcher
What was discovered?
A critical unauthenticated remote code execution (RCE) vulnerability has been disclosed in React Server Components (RSC), tracked as CVE-2025-55182 (with the related CVE-2025-66478 in Next.js, which is built on React).
In short: a specially crafted HTTP request targeting the vulnerable RSC “Flight” component can lead to full server-side code execution, with no authentication required.
Who is affected?
- Any application using React 19 (versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0) with server components enabled is vulnerable.
- Next.js, which is built atop React RSC, is also impacted. Affected versions: Next.js 14.3.0-canary, 15.x, and 16.x (App Router).
- Beyond React and Next.js, any tooling, bundler or plugin that bundles the vulnerable react-server-dom-* modules may also be at risk.
- Given the ubiquity of React and the popularity of Next.js-powered applications, this potentially affects a huge chunk of web-facing services, dashboards and cloud-hosted web applications worldwide, regardless of industry or geography.
What’s the potential impact?
- Full Server Takeover: The vulnerability allows unauthenticated remote code execution on the affected application’s server. This can provide an immediate external foothold and result in complete system compromise.
- Ease of Exploitation, No Prerequisites: Because exploitation requires only a crafted HTTP request, with no authentication and no special privileges, and default configurations are already vulnerable, the attack surface is very large.
- Data Exposure, Secret Leakage, Service Disruption: Any sensitive data stored or processed on the server (user data, credentials, tokens, configuration files) can be compromised. Attackers can modify data, exfiltrate secrets or disrupt service availability.
How we can test: The Cymulate Template & Active Scenario
To help security teams validate whether their environments are exposed, Cymulate released a new detection scenario: React2Shell Scanner (CVE-2025-55182 & CVE-2025-66478)
Because of the substantial risks associated with exploitation, Cymulate has released a standalone React2Shell-Scanner tool for any security team to test and validate their security controls’ ability to detect an attack that exploits these vulnerabilities.
This is a non-intrusive scanner for CVE-2025-55182 (and CVE-2025-66478). It sends benign payloads that reach the vulnerable deserialization logic without executing any malicious code, then analyzes the server's responses for the characteristic error patterns of an unpatched RSC implementation.
In practical terms, this means you can proactively test your public-facing (or internal) React/Next.js servers to assess exposure with minimal risk.
When manually inspecting React or Next.js versions, note that the caret (^) before a version number sets a minimum version but allows the package manager to install newer minor and patch versions within the same major release.
For instance, "react": "^19.0.0" ensures the version won't fall below 19.0.0, but it may install 19.0.1 or any later compatible 19.x.x release during deployment or reinstallation. This means a project may already be using a patched version even if the baseline manifest looks vulnerable. As a result, teams must confirm the actual installed version (via lock files or dependency audits).
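As an added example (not the Cymulate scanner or any React/Next.js project code), the following Node.js script applies the version lists above to the versions actually resolved in an npm lockfile rather than the caret ranges in package.json; it assumes the lockfile v2/v3 "packages" layout and embeds a constructed sample lockfile.

```javascript
// Added example, not the Cymulate scanner or any React/Next.js project code: checks the
// versions actually resolved in an npm lockfile (v2/v3 "packages" map assumed) against
// the version lists in this advisory, nested copies included.
const VULNERABLE_RSC = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const PATCHED_RSC = new Set(["19.0.1", "19.1.2", "19.2.1"]);

// Name is the last segment after the final "node_modules/"; this keeps scoped names
// ("@scope/pkg") and nested installs ("node_modules/next/node_modules/x") intact.
function packageNameFromPath(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

function classify(name, version) {
  if (name.startsWith("react-server-dom-")) {
    if (VULNERABLE_RSC.has(version)) return "vulnerable";
    if (PATCHED_RSC.has(version)) return "patched";
    return "review"; // in neither list: check release notes before trusting it
  }
  if (name === "next") {
    const major = parseInt(version.split(".")[0], 10);
    // Advisory lists these ranges; a patched 15.x/16.x release must be confirmed separately
    const inRange = version.startsWith("14.3.0-canary") || major === 15 || major === 16;
    return inRange ? "affected-range" : "unknown";
  }
  return null; // not a package this advisory covers
}

// One finding per relevant package, so a patched top-level react-server-dom-*
// cannot hide a vulnerable nested copy deeper in the tree.
function auditLockfile(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "" || !entry.version) continue; // "" is the root project itself
    const status = classify(packageNameFromPath(lockPath), entry.version);
    if (status) findings.push({ path: lockPath, version: entry.version, status });
  }
  return findings;
}

// Constructed sample lockfile: the manifest's "^19.0.0" could have resolved either way;
// here the top-level copy is patched while a nested copy is still vulnerable.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/react-server-dom-webpack": { version: "19.0.1" },
    "node_modules/next": { version: "15.0.0" },
    "node_modules/next/node_modules/react-server-dom-webpack": { version: "19.0.0" },
  },
});
console.log(auditLockfile(SAMPLE_LOCK)); // statuses: patched, affected-range, vulnerable
```

Point auditLockfile at a real package-lock.json (for example via fs.readFileSync) to check your own tree. A react-server-dom-* copy vendored into another package's build output never appears in a lockfile, which is why the next entry is classified by its own version.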
Recommended immediate actions
- Evaluate server applications using the affected components. Manually inspect configurations and installed versions.
- Prioritize patching: upgrade all react-server-dom-* packages to 19.0.1, 19.1.2, or 19.2.1 and ensure any Next.js instances are updated to patched releases.
- Run npm audit to check components for known vulnerabilities.
- Audit all dependencies: check for any frameworks, plugins or libraries that embed vulnerable RSC modules.
- Incorporate a simulation of this vulnerability into your quarterly or annual BAS/red-team exercises to test detection, response and containment capabilities against a real exploit.