
CVE-2025-55182: Critical RCE Vulnerability in React Server Components

Written By: Brad Anderson, Founder

Last Updated: Dec 04, 2025

A critical Remote Code Execution (RCE) vulnerability has been discovered affecting React Server Components, specifically the react-server-dom-webpack package. If your organization uses Next.js 15.x or 16.x with the App Router and Server Actions, you need to patch immediately.

What Is CVE-2025-55182?

CVE-2025-55182 is a Remote Code Execution vulnerability that allows unauthenticated attackers to execute arbitrary code on servers running vulnerable versions of React Server Components. The vulnerability exists in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of the react-server-dom-webpack package.

This affects Next.js 15.x and 16.x applications that use the App Router with Server Actions enabled.

Root Cause: Missing hasOwnProperty Check

The vulnerability stems from a missing hasOwnProperty check in the requireModule function within React’s server component handling code.

The vulnerable code directly returns moduleExports[metadata[2]] without confirming that the requested name is an own property of the exports object, so a name that exists only on the prototype chain resolves instead of failing. This means an attacker can manipulate the module resolution process to load arbitrary Node.js built-in modules.

The fix in version 19.2.1 adds a proper check using hasOwnProperty.call() to prevent prototype chain traversal.
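To make the root cause concrete, the following is an added illustration (not React's source code) of an export lookup with and without the own-property check; the names requireExportUnsafe, requireExportSafe and sampleModule are chosen for this example only.

```javascript
// Illustrative reconstruction, not the react-server-dom-webpack source:
// indexing the exports object with an externally supplied name resolves
// names that exist only on Object.prototype instead of failing.
function requireExportUnsafe(moduleExports, exportName) {
  return moduleExports[exportName];
}

// Hardened form in the spirit of the 19.2.1 fix: only own properties of the
// exports object may be resolved; anything inherited is rejected.
function requireExportSafe(moduleExports, exportName) {
  if (!Object.prototype.hasOwnProperty.call(moduleExports, exportName)) {
    throw new Error(`Export "${exportName}" is not an own property of the module`);
  }
  return moduleExports[exportName];
}

// Constructed sample module with a single genuine export.
const sampleModule = { greet: (name) => `hello ${name}` };

// Compare how the two lookups treat a real export and an inherited name.
function demo() {
  const results = {
    legitUnsafe: typeof requireExportUnsafe(sampleModule, 'greet'),        // 'function'
    // 'constructor' is not an export; the unsafe lookup still hands back
    // Object.prototype.constructor, i.e. a callable the module never defined.
    inheritedUnsafe: typeof requireExportUnsafe(sampleModule, 'constructor'), // 'function'
    legitSafe: typeof requireExportSafe(sampleModule, 'greet'),            // 'function'
    inheritedSafeRejected: false,
  };
  try {
    requireExportSafe(sampleModule, 'constructor');
  } catch (e) {
    results.inheritedSafeRejected = true; // the hardened lookup refuses it
  }
  return results;
}

console.log(demo());
```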

How the Exploit Works

The attack vector is surprisingly straightforward:

  1. Crafted Payload: The attacker sends specially crafted multipart form data to a /formaction endpoint (or similar RSC action handling endpoint)
  2. Trigger Mechanism: The payload uses $ACTION_REF_0 to trigger bound action metadata parsing
  3. Module Hijacking: It specifies vm#runInThisContext as the module/export to load
  4. Code Execution: Malicious code is passed as a bound argument
  5. Result: When the action executes, runInThisContext(CODE) runs arbitrary code on the server

This is a classic prototype pollution attack that exploits JavaScript’s prototype chain inheritance to access functionality that should be restricted.

Can This Be Exploited Without Access to the Site?

Yes. This is exploitable by any unauthenticated external attacker if the following conditions are met:

  • The target uses a vulnerable version of react-server-dom-webpack (19.0.0–19.2.0)
  • The application uses Server Actions (the /formaction endpoint or similar RSC action handling)
  • The endpoint is publicly accessible (no authentication required to submit form actions)

This is a network-level attack. An attacker only needs to send a specially crafted HTTP POST request to the vulnerable endpoint. No prior authentication, session, or internal access is required. Eeek!

What Can an Attacker Do?

Once exploited, attackers achieve full Remote Code Execution on the server. This means they can:

  • Execute shell commands: Run commands like id, whoami, or more dangerous operations
  • Read/write files: Access sensitive configuration files, environment variables, and credentials
  • Pivot to other systems: Use the compromised server as a launching point for lateral movement
  • Exfiltrate data: Access databases, user data, and proprietary information
  • Install persistence: Create backdoors for continued access
  • Modify application behavior: Inject malicious code into the application

The severity of this vulnerability cannot be overstated. Full RCE is the most critical type of vulnerability because it gives attackers complete control over the affected server.

Affected Versions

React (react-server-dom-webpack)

  • 19.0.0
  • 19.1.0
  • 19.1.1
  • 19.2.0

Next.js

  • 15.0.0 through 15.0.4
  • 15.1.0 through 15.1.8
  • 15.2.0 through 15.2.5
  • 15.3.0 through 15.3.5
  • 15.4.0 through 15.4.7
  • 15.5.0 through 15.5.6
  • 16.0.0 through 16.0.6

Mitigation: Patch Immediately

Upgrade to the fixed versions as soon as possible:

React Patched Versions

  • 19.0.1
  • 19.1.2
  • 19.2.1

Next.js Patched Versions

  • 15.0.5
  • 15.1.9
  • 15.2.6
  • 15.3.6
  • 15.4.8
  • 15.5.7
  • 16.0.7

How to Update

For npm:

npm update react react-dom react-server-dom-webpack
npm update next

For yarn:

yarn upgrade react react-dom react-server-dom-webpack
yarn upgrade next

For pnpm:

pnpm update react react-dom react-server-dom-webpack
pnpm update next

After updating, verify your versions:

npm list react react-dom react-server-dom-webpack next

Temporary Mitigations

If you cannot immediately upgrade, consider these temporary mitigations:

  1. Disable Server Actions: If possible, disable Server Actions until you can patch
  2. Add authentication: Require authentication for all form action endpoints
  3. WAF rules: Implement Web Application Firewall rules to filter suspicious multipart form data containing $ACTION_REF patterns
  4. Network isolation: Limit network access to your application while patching

Note: These are temporary measures only. The only true fix is upgrading to a patched version.

How to Check If You’re Vulnerable

  1. Check your package.json or package-lock.json for react-server-dom-webpack versions
  2. Verify your Next.js version
  3. Determine if your application uses Server Actions (look for "use server" directives)

If you’re using Server Actions with any of the affected versions, you are vulnerable and should patch immediately.
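As an added helper (not part of the original post), the script below walks an npm lockfile's "packages" map and flags entries whose versions fall inside the affected ranges listed above. The lockfile object is a constructed sample in npm lockfile v2/v3 shape; in practice you would JSON.parse the contents of package-lock.json. The function names AFFECTED, isAffected and findAffected are chosen for this example.

```javascript
// Affected ranges as listed in this advisory (inclusive lower/upper bounds).
const AFFECTED = {
  'react-server-dom-webpack': [['19.0.0', '19.0.0'], ['19.1.0', '19.1.1'], ['19.2.0', '19.2.0']],
  next: [['15.0.0', '15.0.4'], ['15.1.0', '15.1.8'], ['15.2.0', '15.2.5'], ['15.3.0', '15.3.5'],
         ['15.4.0', '15.4.7'], ['15.5.0', '15.5.6'], ['16.0.0', '16.0.6']],
};

// Numeric x.y.z comparison; a pre-release suffix (e.g. "-canary.3") is
// ignored, so such builds are treated as their base version.
function cmp(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

function isAffected(name, version) {
  const ranges = AFFECTED[name];
  if (!ranges) return false;
  return ranges.some(([lo, hi]) => cmp(version, lo) >= 0 && cmp(version, hi) <= 0);
}

// Lockfile "packages" keys look like "node_modules/next" or, for nested
// copies, "node_modules/foo/node_modules/react-server-dom-webpack".
function findAffected(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path || !entry.version) continue; // "" is the root project entry
    const name = path.split('node_modules/').pop();
    if (isAffected(name, entry.version)) hits.push({ name, version: entry.version, path });
  }
  return hits;
}

// Constructed sample lockfile: one affected next, one affected and one
// already-patched nested copy of react-server-dom-webpack.
const sampleLock = {
  packages: {
    '': { name: 'my-app' },
    'node_modules/next': { version: '15.5.6' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/other/node_modules/react-server-dom-webpack': { version: '19.2.1' },
  },
};

console.log(findAffected(sampleLock));
```

Remember that a clean lockfile only rules out the version; the page's third check (whether "use server" actions are actually exposed) still applies.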

Conclusion

CVE-2025-55182 represents one of the most critical vulnerabilities discovered in the React ecosystem. The combination of unauthenticated access, remote code execution, and the widespread adoption of Next.js makes this a high-priority security issue.

If you’re running a Next.js 15.x or 16.x application with Server Actions, stop reading and patch now.

At Fruition, we take security seriously and encourage all development teams to:

  1. Update immediately to patched versions
  2. Review your application for any signs of compromise
  3. Implement security monitoring for suspicious activity
  4. Consider a security audit if you suspect exploitation

For questions about securing your web applications or assistance with security assessments, contact our team.
