Remote Code Execution Security Bug in React Server Components Patched

A React Server Function vulnerability has been patched. Please update to the latest React, Next, React Router, Vite, etc.

December 3rd, 2025

A security advisory published today by the React team details a Remote Code Execution (RCE) vulnerability, CVE-2025-55182, reported by Lachlan Davidson. Here are the key points for determining whether you are affected, and how Semgrep Supply Chain can help verify exposure.

Key Facts

  • Three packages (react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack) that allowed unauthenticated Remote Code Execution (RCE) through React Server Functions have been patched.

  • A second CVE, CVE-2025-66478, was filed specifically for the Next dependency, but every downstream framework that depends on these packages is affected, including but not limited to: next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and RedwoodJS (rwsdk). As part of the disclosure, React has provided Update Instructions.

  • Hosting providers including Cloudflare, Vercel, and Railway have put firewall rules in place to block exploitation attempts. Treat these as a stopgap, not a fix: the vulnerable code is still in your deployment until you update.

  • Projects using React Router's unstable RSC APIs should likewise update to the latest patched versions.

Updated 2025-12-04: added details on what React Server Function usage looks like and how the vulnerability can be abused.

For Our Customers

Semgrep Supply Chain has coverage for these dependencies so a project scan will show if these dependencies are present in your codebase.

Affected Packages

If you don't use Semgrep Supply Chain and are using any of these packages (or your direct, bundled, or transitive dependencies do), update to the latest patched version.

  • next@>=14.3.0-canary.77 <15.0.5

  • next@>=15.1.1-canary.0 <15.1.9

  • next@>=15.2.0-canary.0 <15.2.6

  • next@>=15.3.0-canary.0 <15.3.6

  • next@>=15.4.0-canary.0 <15.4.8

  • next@>=15.5.1-canary.0 <15.5.7

  • next@>=16.0.0-canary.0 <16.0.7

  • react-server-dom-parcel@=19.0, @>=19.1.0 <19.1.2, @=19.2.0

  • react-server-dom-turbopack@=19.0, @>=19.1.0 <19.1.2, @=19.2.0

  • react-server-dom-webpack@=19.0, @>=19.1.0 <19.1.2, @=19.2.0

The upper bound of each next range is the first patched release in that line; the three react-server-dom-* packages are fixed in 19.0.1, 19.1.2 and 19.2.1.
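If you want to check a lockfile against the list above without a scanner, the following is an added example written for this article (it is not Semgrep's or React's tooling). It encodes the ranges as half-open intervals, reads the exact pins such as `@=19.0` as [19.0.0, 19.0.1) and so on, which also flags prereleases of the fix version (deliberately conservative for a vulnerability check), walks the `packages` map of a package-lock.json v2/v3 so nested transitive copies are included, and runs over a constructed lockfile:

```javascript
// Added example (editor's code, not Semgrep's or React's tooling): check a
// package-lock.json against the affected ranges listed above. Ranges are
// [lo, hi) intervals; "@=19.0" is read as [19.0.0, 19.0.1), which also flags
// prereleases of the fix version (conservative on purpose).

// Minimal semver precedence: major.minor.patch, then prerelease identifiers
// (a prerelease sorts below its release; numeric ids sort below alphanumeric).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  const pre = m[4]
    ? m[4].split(".").map((p) => (/^\d+$/.test(p) ? Number(p) : p))
    : [];
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre };
}

function compareVersions(a, b) {
  const A = parseVersion(a);
  const B = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (A.core[i] !== B.core[i]) return A.core[i] - B.core[i];
  }
  if (A.pre.length === 0 && B.pre.length === 0) return 0;
  if (A.pre.length === 0) return 1; // 15.1.1 > 15.1.1-canary.0
  if (B.pre.length === 0) return -1;
  for (let i = 0; i < Math.max(A.pre.length, B.pre.length); i++) {
    if (i >= A.pre.length) return -1; // shorter prerelease list sorts lower
    if (i >= B.pre.length) return 1;
    const x = A.pre[i];
    const y = B.pre[i];
    if (x === y) continue;
    if (typeof x === "number" && typeof y === "number") return x - y;
    if (typeof x === "number") return -1;
    if (typeof y === "number") return 1;
    return x < y ? -1 : 1;
  }
  return 0;
}

// The three react-server-dom-* packages share one set of affected versions.
const RSC_RANGES = [["19.0.0", "19.0.1"], ["19.1.0", "19.1.2"], ["19.2.0", "19.2.1"]];

const AFFECTED = {
  next: [
    ["14.3.0-canary.77", "15.0.5"],
    ["15.1.1-canary.0", "15.1.9"],
    ["15.2.0-canary.0", "15.2.6"],
    ["15.3.0-canary.0", "15.3.6"],
    ["15.4.0-canary.0", "15.4.8"],
    ["15.5.1-canary.0", "15.5.7"],
    ["16.0.0-canary.0", "16.0.7"],
  ],
  "react-server-dom-parcel": RSC_RANGES,
  "react-server-dom-turbopack": RSC_RANGES,
  "react-server-dom-webpack": RSC_RANGES,
};

function isAffected(name, version) {
  const ranges = AFFECTED[name];
  if (!ranges) return false;
  return ranges.some(
    ([lo, hi]) => compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0,
  );
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json. Every
// installed copy is keyed by its node_modules path, so nested (transitive)
// copies such as node_modules/a/node_modules/next are checked as well.
function findAffected(lockfile) {
  const hits = [];
  for (const [key, entry] of Object.entries(lockfile.packages ?? {})) {
    if (key === "" || !entry || !entry.version) continue; // "" is the root project
    const name = key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
    if (isAffected(name, entry.version)) hits.push({ path: key, name, version: entry.version });
  }
  return hits;
}

// Constructed lockfile for the example; a real run would JSON.parse the
// project's package-lock.json instead.
const EXAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "notes-app", version: "1.0.0" },
    "node_modules/next": { version: "15.5.6" }, // in range
    "node_modules/react": { version: "19.2.1" }, // not a listed package
    "node_modules/react-server-dom-webpack": { version: "19.2.1" }, // patched
    "node_modules/some-plugin/node_modules/react-server-dom-webpack": { version: "19.1.1" }, // nested, in range
  },
};

console.log(findAffected(EXAMPLE_LOCKFILE));
```

On a real project, `npm ls next react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack` gives the same nested view from the installed tree; the lockfile walk above is useful when you only have the repository and no node_modules. The nested copy in the constructed lockfile is the case to watch for: a plugin or framework can ship its own pinned copy of react-server-dom-* that a top-level upgrade does not touch.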

What is Remote Code Execution (RCE)

Remote Code Execution is a class of vulnerability in which an attacker supplies input that causes the server to execute code of the attacker's choosing. It is rated critical because, outside of a tightly sandboxed runtime, the attacker typically ends up running arbitrary code on the host with the privileges of the application process. In this case the root cause was insecure deserialization of HTTP request payloads: the deserialized data was used to look up React modules and their exports, so an attacker could steer the server into invoking modules and exports it was never meant to expose.
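To make the deserialization-to-invocation pattern concrete, the following is an added illustration written for this article. It is not React's actual implementation, the vulnerable code, or the patch, and every module name, function id and secret value in it is constructed. It contrasts a resolver that trusts a module/export reference taken from the request body with one that only accepts ids registered in a manifest of server functions:

```javascript
// Added illustration (editor's code, not React's source or the patched fix):
// the bug class behind the advisory, reduced to a few lines. A request body
// names which server-side function to run. The vulnerable resolver trusts
// that reference and calls whatever it points at; the hardened resolver only
// accepts ids that the build step registered as "use server" functions.
// All module names, ids and secrets below are constructed for the example.

// Hypothetical module graph loaded on the server. Only createNote is a
// server function; readSecret is an internal helper that must never be
// callable from the network.
const SECRETS = { DB_PASSWORD: "constructed-example-secret" };
const SERVER_MODULES = {
  "app/actions": {
    createNote: (input) => ({ created: true, title: String(input.title) }),
  },
  "lib/secrets": {
    readSecret: (name) => SECRETS[name],
  },
};

// Manifest a bundler would emit for functions marked "use server".
const SERVER_FUNCTION_MANIFEST = new Map([
  ["app/actions#createNote", SERVER_MODULES["app/actions"].createNote],
]);

function parseBody(rawBody) {
  try {
    return JSON.parse(rawBody);
  } catch {
    throw new Error("malformed body");
  }
}

// Vulnerable: module and export names come straight from the request, so the
// caller can reach any function the server has loaded.
function vulnerableInvoke(rawBody) {
  const ref = parseBody(rawBody);
  const mod = SERVER_MODULES[ref.module]; // attacker chooses the module
  const fn = mod && mod[ref.export]; // attacker chooses the export
  if (typeof fn !== "function") throw new Error("not a function");
  return fn(...(Array.isArray(ref.args) ? ref.args : []));
}

// Hardened: only an opaque id is accepted, and it must be in the manifest.
// Anything unregistered is rejected before any code is resolved.
function hardenedInvoke(rawBody) {
  const ref = parseBody(rawBody);
  if (typeof ref?.id !== "string") throw new Error("missing function id");
  const fn = SERVER_FUNCTION_MANIFEST.get(ref.id);
  if (!fn) throw new Error(`unknown server function: ${ref.id}`);
  return fn(...(Array.isArray(ref.args) ? ref.args : []));
}

// Constructed request bodies: what the form would send, and what an attacker
// would send instead.
const LEGIT_VULN_BODY = JSON.stringify({ module: "app/actions", export: "createNote", args: [{ title: "hello" }] });
const EVIL_VULN_BODY = JSON.stringify({ module: "lib/secrets", export: "readSecret", args: ["DB_PASSWORD"] });
const LEGIT_HARD_BODY = JSON.stringify({ id: "app/actions#createNote", args: [{ title: "hello" }] });
const EVIL_HARD_BODY = JSON.stringify({ id: "lib/secrets#readSecret", args: ["DB_PASSWORD"] });

function runScenarios() {
  const out = {};
  out.vulnLegit = vulnerableInvoke(LEGIT_VULN_BODY).title; // "hello": the app works
  out.vulnLeak = vulnerableInvoke(EVIL_VULN_BODY); // the secret: attacker reached readSecret
  out.hardLegit = hardenedInvoke(LEGIT_HARD_BODY).title; // "hello": the app still works
  try {
    hardenedInvoke(EVIL_HARD_BODY);
    out.hardRejects = false;
  } catch (e) {
    out.hardRejects = e.message.startsWith("unknown server function");
  }
  return out;
}

console.log(runScenarios());
```

The point of the contrast is where the check sits: the hardened resolver never turns untrusted bytes into a module lookup at all, it only consults a closed registry the server built at bundle time. Rejecting unknown ids before resolving any code is the property a fix for this bug class has to restore.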

What Do React Server Functions Look Like

React Server Functions are created with the "use server" directive. They are guaranteed to run on the server, but can be invoked from components as if they were local. Imagine a notes application where clicking a button should create a new note. That sounds simple, but we don't want the code that creates the note exposed to the client and bundled into the front end. Instead, we want React to turn the call into a network request, much like an API endpoint, without writing an explicit API route.

// actions.ts
"use server";

import { db } from "./db"; // server-only database client; never shipped to the browser

// Runs on the server only. React exposes it to the client as an opaque
// reference, and the form submission below invokes it over HTTP.
export async function createNote(formData: FormData) {
  await db.notes.create();
}

The function is then used as a form action from a component. Nothing at the call site looks like a network request, but under the hood React serializes a reference to createNote plus the form fields into a POST request, and the server-side runtime deserializes that request to decide which function to run. That deserialization step is where this vulnerability lived. (The example component is a Server Component, but the same form works from a Client Component.)

import { createNote } from "./actions";

export default function ServerComponent() {
  return (
    <form action={createNote}>
      <button type="submit">Create note</button>
    </form>
  );
}

How This Can Be Abused

Remote code execution is treated as critical for a reason: it hands an attacker a buffet of options, from reading sensitive data and intellectual property, to harvesting tokens and credentials, to installing malware or a crypto-miner on the infrastructure. RCE bugs are often the first port of call for an attacker because they provide initial access, after which the attacker can persist on the host and pivot into a ransomware or crypto-mining campaign. They are among the worst incidents an organization can face, so do not sit idle when a CVE like this lands: React may only be handling your form inputs, but an exploited server function hands over the keys to the castle.

Recommendations

Follow the Update Instructions provided by React if you are using any impacted packages. The react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages are fixed in 19.0.1, 19.1.2 and 19.2.1; frameworks such as Next should be moved to the patched release of whichever line you are on (the upper bound of the matching range above). Check transitive copies as well: a plugin or framework can pull in its own nested copy of these packages that a top-level upgrade does not replace.


About


Semgrep enables teams to use industry-leading AI-assisted static application security testing (SAST), supply chain dependency scanning (SCA), and secrets detection. The Semgrep AppSec Platform is built for teams that struggle with noise by helping development teams apply secure coding practices.