→

CVE-2025-55182: React Server Components are Vulnerable to RCE

Impact

There is an unauthenticated remote code execution vulnerability in React Server Components.

We recommend upgrading immediately.

The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:

Patches

A fix was introduced in versions 19.0.1, 19.1.2, and 19.2.1. If you are using any of the above packages please upgrade to any of the fixed versions immediately.

If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.

References

See the blog post for more information and upgrade instructions.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-55182

CVE-2025-55182:

10

CVSS Score

3.1

-

CVSS Score

-

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
react-server-dom-webpack	npm	= 19.0	19.0.1
react-server-dom-webpack	npm	>= 19.1.0, < 19.1.2	19.1.2
react-server-dom-webpack	npm	= 19.2.0	19.2.1
react-server-dom-turbopack	npm	= 19.0	19.0.1
react-server-dom-turbopack	npm	>= 19.1.0, < 19.1.2	19.1.2
react-server-dom-turbopack	npm	= 19.2.0	19.2.1
react-server-dom-parcel	npm	= 19.0	19.0.1
react-server-dom-parcel	npm	>= 19.1.0, < 19.1.2	19.1.2
react-server-dom-parcel	npm	= 19.2.0	19.2.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a Remote Code Execution (RCE) in React Server Components, caused by insecure deserialization of data sent from the client to the server. An attacker can craft a malicious request to a server action endpoint.

The server-side code uses a function, decodeReplyFromBusboy, to parse this request. The core of the vulnerability lies in the ReactFlightReplyServer.js file, which contains the logic for deserializing the client's request and executing server-side functions.

The reviveModel function recursively reconstructs JavaScript objects from the parsed JSON payload. The original implementation was vulnerable to prototype pollution, allowing an attacker to inject a __proto__ key in the payload to modify Object.prototype.

This prototype pollution is then leveraged by loadServerReference, which is responsible for loading and executing the server function requested by the client. This function uses requireModule to load the function's code. The requireModule function was also vulnerable, as it accessed properties on a module object without checking if they were its own properties. An attacker could exploit the polluted prototype to make requireModule execute arbitrary code.

The patch addresses these issues by:

Adding hasOwnProperty checks in requireModule to prevent prototype pollution.
Refactoring the entire promise and object resolution logic in ReactFlightReplyServer.js, particularly in reviveModel and loadServerReference, to handle object creation and cycles securely.
Adding error handling in decodeReplyFromBusboy to prevent crashes from malformed payloads.

Vulnerable functions

requireModule

packages/react-server-dom-parcel/src/client/ReactFlightClientConfigBundlerParcel.js

The `requireModule` function is vulnerable to prototype pollution. It accesses a property on `moduleExports` using a key from the `metadata` object, which can be controlled by an attacker. Without the `hasOwnProperty` check, an attacker could provide a key like `__proto__` or `constructor` to access and pollute `Object.prototype`, leading to Remote Code Execution.

requireModule

packages/react-server-dom-turbopack/src/client/ReactFlightClientConfigBundlerTurbopack.js

The `requireModule` function is vulnerable to prototype pollution. It accesses a property on `moduleExports` using a key from the `metadata` object, which can be controlled by an attacker. Without the `hasOwnProperty` check, an attacker could provide a key like `__proto__` or `constructor` to access and pollute `Object.prototype`, leading to Remote Code Execution.

requireModule

packages/react-server-dom-webpack/src/client/ReactFlightClientConfigBundlerNode.js

The `requireModule` function is vulnerable to prototype pollution. It accesses a property on `moduleExports` using a key from the `metadata` object, which can be controlled by an attacker. Without the `hasOwnProperty` check, an attacker could provide a key like `__proto__` or `constructor` to access and pollute `Object.prototype`, leading to Remote Code Execution.

requireModule

packages/react-server-dom-webpack/src/client/ReactFlightClientConfigBundlerWebpack.js

The `requireModule` function is vulnerable to prototype pollution. It accesses a property on `moduleExports` using a key from the `metadata` object, which can be controlled by an attacker. Without the `hasOwnProperty` check, an attacker could provide a key like `__proto__` or `constructor` to access and pollute `Object.prototype`, leading to Remote Code Execution.

reviveModel

packages/react-server/src/ReactFlightReplyServer.js

The `reviveModel` function is responsible for deserializing JSON data from the client. The patch shows a change in how properties are assigned to the revived object, specifically with a check for `__proto__`. This indicates that the original implementation was likely vulnerable to prototype pollution, where an attacker could inject a `__proto__` property in the JSON payload to modify the prototype of all objects on the server, leading to RCE.

loadServerReference

packages/react-server/src/ReactFlightReplyServer.js

`loadServerReference` is responsible for taking a reference from the client, loading the corresponding server-side code via `requireModule`, and executing it with provided arguments. The extensive refactoring of this function suggests the original implementation had security flaws in how it handled this process, allowing an attacker to control which function is executed and with what arguments, leading to RCE.

decodeReplyFromBusboy

packages/react-server-dom-webpack/src/server/ReactFlightDOMServerNode.js

This function is the entry point for processing multipart form data from the client, which can contain the malicious payload. The patch adds `try...catch` blocks around the processing logic (`resolveField`). This suggests that a malformed payload could previously crash the server or bypass security mechanisms by triggering an unhandled exception, which is an important aspect of the overall exploit.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

10

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-55182: React Server Components are Vulnerable to RCE

Impact

Patches

References

CVE-2025-55182:

10

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

Basic Information

Basic Information

10

10

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-55182: React Server Components are Vulnerable to RCE

Impact

Patches

References

10

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-55182: React Server Components are Vulnerable to RCE

Impact

Patches

References

CVE-2025-55182:

10

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

10

10

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-55182: React Server Components are Vulnerable to RCE

Impact

Patches

References

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI