react-server-dom-webpack is vulnerable to Remote Code Execution (RCE)
100
Critical Risk
Affected versions of this package are vulnerable to unauthenticated remote code execution due to a flaw in how React Server Components decode payloads sent to Server Function endpoints. The issue can be exploited even if no Server Function endpoints are explicitly implemented. Attackers can craft malicious HTTP requests that lead to code execution on the server. Users of affected frameworks such as Next.js, react-router, waku, Parcel RSC, Vite RSC, and Turbopack should upgrade immediately.
You are affected if you are using a version that falls within the vulnerable range.
react-server-dom-webpack is vulnerable to Remote Code Execution (RCE) in versions 19.0.0 - 19.0.2, 19.1.0 - 19.1.3 and 19.2.0 - 19.2.2.
Upgrade the react-server-dom-webpack library to a patched version.
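To check whether a project resolves to an affected release, the following added example (not code from the advisory or from the React project) scans a package-lock.json for every installed copy of react-server-dom-webpack and compares it against the ranges listed above. It assumes the lockfileVersion 2/3 "packages" layout; the status names, the sample lockfile and the package names "some-framework" and "other" are constructed for illustration.

```javascript
const PKG = "react-server-dom-webpack";
// Vulnerable ranges from the advisory, inclusive, under major 19:
// [minor, lowest patch, highest patch]
const RANGES = [[0, 0, 2], [1, 0, 3], [2, 0, 2]];

// Classify one version string as "vulnerable", "not-listed" or "unknown".
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(String(version).trim());
  if (!m) return "unknown";
  // Pre-release/canary builds are not covered by the listed ranges: review by hand.
  if (m[4]) return "unknown";
  const [major, minor, patch] = m.slice(1, 4).map(Number);
  if (major !== 19) return "not-listed";
  const hit = RANGES.some(([mi, lo, hi]) => minor === mi && patch >= lo && patch <= hi);
  return hit ? "vulnerable" : "not-listed";
}

// Walk the "packages" map of a parsed package-lock.json and report every
// installed copy, including copies nested under other dependencies.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/" + PKG)) continue;
    findings.push({ path, version: info.version, status: classify(info.version) });
  }
  return findings;
}

// Constructed sample lockfile (not from a real project; dependency names are hypothetical).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/react-server-dom-webpack": { version: "19.1.2" },
    "node_modules/some-framework/node_modules/react-server-dom-webpack": { version: "19.2.3" },
    "node_modules/other/node_modules/react-server-dom-webpack": { version: "19.0.0-canary-abc" },
    "node_modules/react": { version: "19.1.2" },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${f.version.padEnd(18)} ${f.path}`);
}
```

To scan a real project, pass the parsed contents of its package-lock.json to scanLockfile; nested copies matter because a framework can pin its own version of the package.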