Latest Alert: React Server Components RCE
Faculty Portal Research Labs
NSUSECURITY Subscribe Updates
CYBERSECURITY ALERT

Critical Security Alert: Inside the React Server Components RCE (CVE-2025-55182)

Dec 5, 2025 | OffSec Team CVSS 10.0 CRITICAL

React Server Components (RSC) have fundamentally changed how we approach server-side rendering, allowing us to offload heavy data processing to the backend. However, as with any technology that blurs the line between client and server, the attack surface changes.

On December 3rd, the React team disclosed CVE-2025-55182, a maximum-severity Remote Code Execution (RCE) vulnerability. This flaw allows attackers to execute arbitrary code on the server without authentication, user interaction, or specialized access credentials.

Here is what you need to know about the vulnerability and how to secure your infrastructure.

The Core Mechanism: Unsafe Deserialization

The vulnerability resides in the "Flight" protocol—the communication standard React uses to transport data between the server and the client.

In affected versions, the server-side parsing logic is overly trusting. When a client requests data, the server attempts to deserialize the incoming payload without validating its structure or origin. This creates a classic unsafe deserialization vulnerability.

Under normal circumstances, React uses internal objects known as "Chunks" which are resolved as JavaScript Promises. The flaw allows an attacker to inject a crafted JSON object that mimics a Chunk. Because the server fails to validate this input, it accepts the fake object and attempts to "resolve" it.

How the Exploit Works

Security researchers have discovered that by defining a custom then method within this fake Chunk, they can hijack React’s internal promise resolution logic.

  • Injection: The attacker sends a malicious Flight payload via a standard HTTP POST request.
  • Hijacking: React deserializes the payload and triggers the attacker-controlled then method.
  • Escalation: This method grants access to React's internal request state (specifically the _response object).
  • Execution: By manipulating this state, the attacker can redirect execution flow to internal gadgets—such as Node.js child_process—effectively allowing them to run shell commands on the host server.
// Conceptual Example of the Payload Structure { "then": "$1:__proto__:then", "status": "resolved_model", "value": { "then": "$B1337" }, "_response": { "_prefix": "process.mainModule.require('child_process').execSync('touch /tmp/rce_poc');" } }

Immediate Remediation

Because the exploit requires zero authentication and public Proof-of-Concept (PoC) code is already circulating, this vulnerability should be treated as an immediate incident-response priority.

Action Items
  • Patch Immediately: Upgrade to the latest patched versions of React released by the maintenance team.
  • Audit Dependencies: Check your package-lock.json or yarn.lock files. Even if you don't install RSC packages directly, your meta-framework (like Next.js) might be pulling them in.
  • WAF Mitigation: If you cannot patch immediately, ensure your Web Application Firewall is configured to inspect and block suspicious Flight protocol payloads.

The React team reacted swiftly with a fix, but the window of exposure for unpatched systems remains open. Upgrade your deployments today to prevent unauthorized server compromise.