Ultimate Guide to Handle React/Next.js RCE (CVE-2025-55182)


A Critical Front-End Vulnerability Hits Hard

On December 4, 2025, developers worldwide woke up to a CVSS 10.0 full-score RCE vulnerability in React 19 / Next.js (CVE-2025-55182, Next.js CVE-2025-66478).
If Log4Shell was a nightmare for Java in 2021, this is the darkest hour for full-stack JavaScript.

This vulnerability allows attackers to execute arbitrary code on your server via a single HTTP request—no authentication required.


01 Understanding the Vulnerability: The Achilles’ Heel of RSC

Flight Protocol & Serialization

React Server Components (RSC) introduced the Flight protocol to stream component trees between server and client:

  • Server → Client: Components are streamed in a JSON-like format.
  • Client → Server: When Server Actions (e.g., form submissions) are triggered, the client serializes parameters back to the server.

Unsafe Deserialization

The core of the vulnerability lies in the react-server package and its adapters (e.g., react-server-dom-webpack):

  • Cause: The server fails to safely validate the structure of deserialized objects.
  • Attack vector: Maliciously crafted RSC payloads exploit the server’s deserialization logic.
  • Trigger: When the server deserializes the payload, it executes arbitrary functions or instructions.
  • Impact: Malicious JavaScript runs in the server process context, bypassing sandboxes.

This is a classic unsafe deserialization vulnerability, amplified by RSC’s flexibility for complex object passing.

02 Who Is at Risk?

Affected frameworks include all React RSC implementations:

  • React versions: 19.0.0, 19.0.1, 19.1.x, 19.2.0
  • Next.js (App Router): v15.0.0–v15.5.6, v16.0.0–v16.0.6, v14.3.0-canary.77+
  • Other frameworks: Waku, RedwoodJS (RSC mode), and custom setups using react-server-dom-webpack/parcel.

Not affected: legacy Next.js using only Client Components (Pages Router).

03 Official Fix: Upgrade Immediately

Next.js users: Upgrade to the following patch versions or higher:

# Next.js v16
npm install next@16.0.7

# Next.js v15
npm install next@15.5.7
# or 15.4.8, 15.3.6, 15.2.6, 15.1.9, 15.0.5

# Next.js v14 Canary
# downgrade to stable v14 or upgrade to fixed v15

React native / custom integrations: Upgrade react, react-dom, and react-server-dom-* to the versions below:

npm install react@19.2.1 react-dom@19.2.1

Official patched versions: 19.0.1, 19.1.2, 19.2.1
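The affected Next.js ranges from section 02 and the fixed releases listed above, turned into a version check you can run against the `version` field of `node_modules/next/package.json`. This is an added example, not code from the post; the function names are mine, the version numbers are the post's.

```javascript
// Added example, not code from the original post: classify a Next.js version
// against the affected lines and fixed releases the post lists.

// Earliest fixed release on each Next.js minor line, per the post.
const FIXED_BY_LINE = {
  "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
  "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7",
};
// First affected canary on the 14.3 line; the post lists no fixed 14 release.
const FIRST_BAD_CANARY = "14.3.0-canary.77";

// Parse "16.0.7" or "14.3.0-canary.77" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split(".") : null };
}

// Semver ordering: numeric core first; a prerelease sorts below its release.
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) if (a[k] !== b[k]) return a[k] - b[k];
  if (!a.pre || !b.pre) return a.pre === b.pre ? 0 : (a.pre ? -1 : 1);
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const [x, y] = [a.pre[i], b.pre[i]];
    if (x === undefined || y === undefined) return x === undefined ? -1 : 1;
    const c = isNaN(x) || isNaN(y) ? x.localeCompare(y) : Number(x) - Number(y);
    if (c !== 0) return c;
  }
  return 0;
}

// Classify one version: "vulnerable", "patched", "not-affected", or
// "unlisted" for lines the post does not cover (e.g. a later 16.1.x).
function assessNextVersion(version) {
  const v = parseVersion(version);
  if (v.major < 14) return { version, status: "not-affected", fixed: null };
  if (v.major === 14) {
    const bad = compareVersions(v, parseVersion(FIRST_BAD_CANARY)) >= 0;
    return { version, status: bad ? "vulnerable" : "not-affected", fixed: null };
  }
  const fixed = FIXED_BY_LINE[`${v.major}.${v.minor}`];
  if (!fixed) return { version, status: "unlisted", fixed: null };
  const status = compareVersions(v, parseVersion(fixed)) < 0 ? "vulnerable" : "patched";
  return { version, status, fixed };
}
```

Backported fixes such as 15.0.5 sit inside the broad "v15.0.0–v15.5.6" range, so the check compares against the fix for the installed minor line rather than the range as a whole.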

Option 2: Mitigation Using WAF

If immediate code deployment isn’t possible (e.g., during a network freeze), use a Web Application Firewall (WAF).

Why WAF Matters for React RCE

Even if you patch this RCE, unknown vulnerabilities will always exist. A WAF like SafeLine provides:

  • Defense against unknown threats: Detects abnormal payloads, serialized data, and suspicious patterns that traditional rules miss.
  • Minimal false positives: Uses semantic analysis to distinguish malicious requests from normal traffic.
  • Continuous protection: Updated in real-time as new attack techniques emerge.

SafeLine WAF ensures that your full-stack React/Next.js apps stay protected even when you don’t yet know the next attack vector.

04 Full-Stack Security Considerations

React’s move across client and server boundaries complicates security. With Server Actions, developers can write backend logic directly in components — but this exposes HTTP-accessible endpoints.

CVE-2025-55182 is a wake-up call: you can patch today’s RCE, but tomorrow’s unknown vulnerabilities demand proactive protection.

Key takeaway: Patch your frameworks and deploy a WAF like SafeLine to defend against both known and unknown threats.
