CVE-2025-55182: Critical RCE Vulnerability in React Server Components
A critical Remote Code Execution vulnerability affects React Server Components in Next.js 15.x and 16.x applications. Here's what you need to know and how to patch immediately.
The vulnerable code lives in the react-server-dom-webpack package, the React Server Components package used by webpack-bundled applications. Organizations running Next.js 15.x or 16.x with the App Router and Server Actions need to apply the patches immediately.
What Is CVE-2025-55182?
This vulnerability lets unauthenticated attackers execute arbitrary code on servers running vulnerable versions of React Server Components. The affected versions of react-server-dom-webpack are 19.0.0, 19.1.0, 19.1.1 and 19.2.0 (the sibling react-server-dom-parcel and react-server-dom-turbopack packages have matching affected and patched releases). Next.js 15.x and 16.x applications that use the App Router with Server Actions are exposed.
Root Cause: Missing hasOwnProperty Check
The vulnerability results from a missing hasOwnProperty check in the requireModule function of React's server component handling code. The vulnerable code returns moduleExports[metadata[2]] directly, so a key that is not an own property of the exports object still resolves through the prototype chain. That lets an attacker steer module resolution toward Node.js built-in modules the application never exported. The patched releases (19.0.1, 19.1.2 and 19.2.1) fix this with an explicit hasOwnProperty.call() check before the lookup.
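The difference between the two lookups is easiest to see in isolation. The block below is an added illustration, not React's own requireModule code: moduleExports stands in for a module's exports object and name for metadata[2]; the function names and the two constructed exports objects are assumptions of this example. It shows why plain property access resolves inherited keys such as constructor, why calling moduleExports.hasOwnProperty(...) on the object itself is not a safe fix either, and how the hasOwnProperty.call() form closes both gaps.

```javascript
// Added illustration, not React's code: a minimal stand-in for the export
// lookup described above. `moduleExports` plays the role of a module's
// exports object and `name` plays the role of metadata[2]. Function names
// and the sample objects are assumptions of this example.

// Vulnerable pattern: plain property access walks the prototype chain, so
// keys the module never exported (inherited from Object.prototype) resolve.
function vulnerableLookup(moduleExports, name) {
  return moduleExports[name];
}

// A tempting but still-wrong fix: calling the method on the object lets an
// exports object that defines its own `hasOwnProperty` answer "yes" to anything.
function naiveOwnCheck(moduleExports, name) {
  return moduleExports.hasOwnProperty(name);
}

// Hardened pattern (the shape of the fix): only own properties are returned,
// and the check borrows Object.prototype.hasOwnProperty via .call so the
// object under inspection cannot override it.
const hasOwnProperty = Object.prototype.hasOwnProperty;
function hardenedLookup(moduleExports, name) {
  if (!hasOwnProperty.call(moduleExports, name)) {
    throw new Error(`Could not find the export "${name}" in the exports object`);
  }
  return moduleExports[name];
}

// Which inherited keys the vulnerable lookup resolves for a given exports object.
function inheritedKeysReachable(moduleExports) {
  const probes = ["constructor", "__proto__", "toString", "hasOwnProperty"];
  return probes.filter((k) => vulnerableLookup(moduleExports, k) !== undefined);
}

// True when the hardened lookup refuses the key.
function hardenedRejects(moduleExports, name) {
  try {
    hardenedLookup(moduleExports, name);
    return false;
  } catch {
    return true;
  }
}

// Constructed sample: a module that exports exactly one function.
const sampleExports = { greet: (who) => `hello ${who}` };
// Constructed sample: an exports object that lies about what it owns.
const lyingExports = { hasOwnProperty: () => true };

console.log("vulnerable lookup resolves inherited keys:", inheritedKeysReachable(sampleExports));
console.log("vulnerable lookup of 'constructor' yields:", vulnerableLookup(sampleExports, "constructor").name);
console.log("naive check fooled by an own hasOwnProperty:", naiveOwnCheck(lyingExports, "constructor"));
console.log("hardened lookup rejects 'constructor':",
  hardenedRejects(sampleExports, "constructor"), hardenedRejects(lyingExports, "constructor"));
console.log("hardened lookup returns the real export:", hardenedLookup(sampleExports, "greet")("world"));
```

The vulnerable lookup hands back Object (the inherited constructor) for a module that only ever exported greet; once an attacker can make the loader return a function it did not export, the rest is a matter of which function. The hardened version refuses every inherited key and, because it uses the prototype's hasOwnProperty rather than the object's, cannot be fooled by an exports object that defines its own.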
How the Exploit Works
The attack follows these steps:
- The attacker sends specially crafted multipart form data to a form action endpoint such as /form.
- The payload uses $ACTION_REF_0 to trigger bound action metadata parsing.
- It specifies vm#runInThisContext as the module/export to load.
- The malicious code is passed as a bound argument.
- When the action executes, runInThisContext(CODE) runs the attacker's code on the server.
This is often described as prototype pollution, but nothing is written to a prototype here. The attack abuses JavaScript's prototype chain inheritance: an ordinary property access resolves keys the module never exported because they are inherited from the object's prototype rather than defined on the object itself.
Can This Be Exploited Without Site Access?
Yes. Any unauthenticated external attacker can exploit this when three conditions hold: the target runs a vulnerable react-server-dom-webpack version (19.0.0 through 19.2.0), the application uses Server Actions, and the action endpoint is reachable without authentication. It is a network-level attack that needs only a single crafted HTTP POST request.
What Can an Attacker Do?
Full Remote Code Execution allows attackers to execute shell commands, read/write files and access sensitive configuration, pivot to other systems, exfiltrate data and access databases, install persistence mechanisms and create backdoors, and modify application behavior through code injection.
Mitigation: Patch Immediately
React Patched Versions: 19.0.1, 19.1.2, 19.2.1
Next.js Patched Versions: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
Update immediately using your package manager of choice, and make sure the lockfile actually moves to a patched release rather than keeping a vulnerable one pinned. If an immediate upgrade is not possible: remove Server Actions temporarily (in the App Router they are always on, so there is no config flag to switch them off; the exposed actions have to come out of the code), require authentication in front of every route that accepts form actions, and add WAF rules for multipart bodies carrying $ACTION_REF fields. Treat the WAF rule as a short-lived stopgap: legitimate Server Action submissions with bound arguments also carry $ACTION_REF fields, so a blanket block breaks those forms, and the rule only narrows the attack surface until the patch is in.
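To turn the version lists above into a quick check, the following is an added example (not React or Next.js tooling): it classifies installed versions of react-server-dom-webpack and next against the affected and patched releases named on this page. Function names, the "unlisted" verdict for release lines the page does not mention, and the sample input are assumptions of this example.

```javascript
// Added example, not React or Next.js tooling: classify installed versions
// against the affected and patched releases listed on this page. Function
// names, the "unlisted" verdict and the sample input are assumptions.

// Affected react-server-dom-webpack releases and the first patched patch
// number on each 19.x line, as given in the advisory text above.
const AFFECTED_RSD = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const PATCHED_RSD = { "19.0": 1, "19.1": 2, "19.2": 1 };
// First patched patch number per Next.js minor line.
const PATCHED_NEXT = { "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6, "15.4": 8, "15.5": 7, "16.0": 7 };

// Minimal semver split; a prerelease suffix (e.g. 19.2.0-canary-...) is
// ignored so canary builds are judged conservatively by their base version.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

function assessReactServerDom(version) {
  const { major, minor, patch } = parseSemver(version);
  const line = `${major}.${minor}`;
  if (AFFECTED_RSD.has(`${line}.${patch}`)) return "vulnerable";
  if (line in PATCHED_RSD) return patch >= PATCHED_RSD[line] ? "patched" : "vulnerable";
  return "unlisted"; // a release line this page does not cover; check the upstream advisory
}

function assessNext(version) {
  const { major, minor, patch } = parseSemver(version);
  if (major < 15) return "not-affected"; // this page covers 15.x and 16.x only
  const line = `${major}.${minor}`;
  if (line in PATCHED_NEXT) return patch >= PATCHED_NEXT[line] ? "patched" : "vulnerable";
  return "unlisted";
}

// installed: { "react-server-dom-webpack": "x.y.z", "next": "x.y.z" }; either key may be absent.
function auditVersions(installed) {
  const verdicts = {};
  if (installed["react-server-dom-webpack"]) {
    verdicts["react-server-dom-webpack"] = assessReactServerDom(installed["react-server-dom-webpack"]);
  }
  if (installed.next) verdicts.next = assessNext(installed.next);
  const needsUpgrade = Object.values(verdicts).includes("vulnerable");
  return { verdicts, action: needsUpgrade ? "upgrade now" : "no action from this advisory" };
}

// Constructed sample: an App Router app one patch release behind on both packages.
const sampleInstalled = { "react-server-dom-webpack": "19.2.0", next: "15.5.6" };
console.log(JSON.stringify(auditVersions(sampleInstalled), null, 2));
```

Feed it the versions reported by npm ls next react-server-dom-webpack (or your lockfile). In a Next.js application the framework ships its own copy of the React Server Components packages, so the next version is the one that decides exposure; the react-server-dom-webpack check matters for custom RSC setups that depend on the package directly.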
Conclusion
This vulnerability represents one of the most critical issues discovered in the React ecosystem. The combination of unauthenticated access, remote code execution, and Next.js’s widespread adoption makes this a high-priority security issue. Development teams should update immediately to patched versions and review applications for signs of compromise.