
[CIVN-2025-0352] Remote Code Execution Vulnerability in React Server Components
Remote Code Execution Vulnerability in React Server Components
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
react-server-dom-webpack versions 19.0, 19.1.0, 19.1.1, and 19.2.0
react-server-dom-parcel versions 19.0, 19.1.0, 19.1.1, and 19.2.0
react-server-dom-turbopack versions 19.0, 19.1.0, 19.1.1, and 19.2.0
Overview
A vulnerability has been reported in React Server Components which could allow an unauthenticated remote attacker to execute arbitrary code on the targeted system.
Target Audience:
Organizations and individuals using the affected React server.
Risk Assessment:
Potential for remote code execution, system compromise and sensitive data exposure.
Impact Assessment:
High risk of system compromise and service disruptions.
Description
React (React.js) is an open-source JavaScript library designed for creating application user interfaces.
This vulnerability exists due to unsafe deserialization of attacker-controlled input inside the React Server Components (RSC) ‘Flight’ protocol. A remote attacker could exploit this vulnerability by sending a specially crafted HTTP request to an endpoint that processes RSC payloads, and thereby execute arbitrary code on the targeted system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Solution
Apply appropriate software updates as mentioned by the vendor:
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
Vendor Information
React
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
References
React
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
CVE Name
CVE-2025-55182
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


