Admins and defenders gird themselves against maximum-severity server vuln

December 4, 2025
5 min
By ZadeNor AI Team

Maximum-Severity Server Vulnerability Exposed: What You Need to Know

A critical vulnerability has been disclosed in React Server, an open-source package widely used by websites and in cloud environments. The vulnerability, tracked as CVE-2025-55182, has a severity rating of 10, the highest score possible, due to its ease of exploitation and the potential for remote code execution.

What is React Server?

React Server is a component of the React framework that allows remote devices to render JavaScript and content more quickly and with fewer resources required. It's used by an estimated 6% of all websites and 39% of cloud environments. When end users reload a page, React Server allows servers to re-render only parts that have changed, a feature that drastically speeds up performance and lowers the computing resources required by the server.

How Does the Vulnerability Work?

The vulnerability resides in Flight, the protocol used by React Server Components. Next.js has assigned the separate designation CVE-2025-66478 to track the vulnerability in its own package. According to Wiz and fellow security firm Aikido, the vulnerability stems from unsafe deserialization, the process of converting strings, byte streams, and other "serialized" formats back into objects or data structures in code.

Hackers can exploit the insecure deserialization using payloads that execute malicious code on the server. When a server receives a specially crafted, malformed payload, it fails to validate the structure correctly. This allows attacker-controlled data to influence server-side execution logic, resulting in the execution of privileged JavaScript code.

Exploitation Details

Security firm Wiz said exploitation requires only a single HTTP request and had a "near-100% reliability" in its testing. Multiple software frameworks and libraries embed React implementations by default. As a result, even when apps don't explicitly make use of React functionality, they can still be vulnerable, since the integration layer itself invokes the buggy code.

Affected Components

The following third-party components are known to be affected:

  • Vite RSC plugin
  • Parcel RSC plugin
  • React Router RSC preview
  • RedwoodSDK
  • Waku
  • Next.js

Patching and Mitigation

Patched React versions include stricter validation and hardened deserialization behavior. Developers and admins are advised to upgrade React and any dependencies that rely on it. Users of any of the RSC-enabled frameworks and plugins listed above should check with the maintainers for guidance.

Real-World Implications

This vulnerability highlights the importance of secure coding practices and the need for regular updates and patches. It also underscores the potential risks associated with using open-source components and the importance of monitoring and addressing vulnerabilities in a timely manner.

Forward-Looking Thoughts

As the use of cloud environments and distributed systems continues to grow, the potential attack surface for vulnerabilities like this one will only increase. It's essential for developers, admins, and security professionals to stay vigilant and proactive in addressing these risks.

In the words of one researcher, "I usually don't say this, but patch right freakin' now." The React CVE listing (CVE-2025-55182) is a perfect 10.


Source: https://arstechnica.com/security/2025/12/admins-and-defenders-gird-themselves-against-maximum-severity-server-vulnerability/

About the Author

ZadeNor AI Team is a leading expert in AI, contributing to cutting-edge research and development in the field.