CVE-2025-55182 Scanner

CVE-2025-55182 Scanner - Remote Code Execution (RCE) vulnerability in React Server Components and Next.js

Short Info

Level: Critical
Scan type: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 8 days 19 hours
Scan only one: Domain, Subdomain, IPv4

React Server Components and Next.js App Router are widely used across modern web ecosystems due to their ability to combine server-side logic with client-side interactivity. These technologies help organizations streamline data fetching, improve performance through streaming rendering, and simplify development workflows across distributed cloud architectures. Their integration into automated CI/CD pipelines often leads to consistent dependency versions being deployed at scale, increasing the blast radius when a core package becomes vulnerable. Because React Server Components rely on server-side execution of RSC "Flight" protocol payloads, any flaw in the protocol’s deserialization process carries significant risk. This scanner identifies environments running vulnerable RSC implementations or frameworks that embed them, such as Next.js.

The vulnerability is a critical unauthenticated remote code execution flaw caused by insecure deserialization in the RSC "Flight" protocol. An attacker can craft a malicious HTTP payload that is incorrectly validated and processed on the server, resulting in arbitrary code execution. Default application setups are affected even if developers have not implemented explicit server functions, because the RSC mechanism is active beneath the framework layer. The attack requires no authentication, making exploitation highly reliable and accessible. Since Next.js deeply integrates React Server Components, it inherits the same vulnerability, further expanding the potential attack surface. Immediate patching is required to prevent exploitation in production systems.

At the technical level, the flaw exists in how vulnerable RSC packages parse and interpret inbound protocol payloads. Affected versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack fail to enforce strict structural validation before deserialization. This allows attacker-controlled values to influence server-side evaluation, ultimately leading to remote code execution. Frameworks such as Next.js inherit this flaw through their built-in RSC support and expose reachable HTTP endpoints capable of receiving RSC traffic. Detecting these vulnerable states requires analyzing dependency manifests, lockfiles, and known framework version ranges to identify installations where insecure RSC implementations are present.

If successfully exploited, the vulnerability grants attackers full execution capability on the target server. This can result in theft of sensitive data, unauthorized modification of application logic, and compromise of stored credentials or tokens. Attackers may plant persistent backdoors, pivot laterally across cloud workloads, and manipulate rendered content to target end users. Affected infrastructure may experience service outages, integrity loss, or complete compromise of downstream systems. Because the attack vector is completely unauthenticated, widespread opportunistic exploitation is expected once public proofs of concept emerge.
