React CVE-2025-55182 CVSS 10.0 RCE Patched in 72 Hours

A critical vulnerability in React Server Components (CVE-2025-55182, CVSS 10.0) allows unauthenticated remote code execution. The flaw stems from unsafe deserialization in React’s Flight protocol: a specially crafted HTTP request triggers arbitrary JavaScript execution on the server.

As Wiz Research notes, exploitation has a near-100% success rate and requires no special setup. A default Next.js app created with create-next-app is immediately vulnerable.

The Response: Textbook Coordinated Disclosure

Vercel’s Guillermo Rauch: “Within 72 hours, we patched React, shipped WAF mitigations for all Vercel customers, and coordinated major cloud and security providers.”

Participants included AWS, Microsoft, Cloudflare, Fastly, Akamai, F5, Google, Deno, Netlify, Railway and Fly; all deployed platform protections before public disclosure.

Netlify: “Thank you to React and Next.js teams for involving us early… We patched our network ahead of disclosure.” Deno similarly praised early coordination.

Impact: 39% of cloud environments had vulnerable instances. 968,000+ servers run affected frameworks.

The Bounty Question

One X commenter asked: “@reactjs what sort of thankful bounty was awarded to Lachlan for his efforts?”

Another added: “Very good question, hope he finds all undiscovered issues and gets praised.”

Answer: Neither Meta nor Vercel has publicly disclosed Lachlan Davidson’s bounty. Given the CVSS 10.0 severity and ecosystem-wide impact, the industry standard would be $50,000-$100,000+. But React is now under the React Foundation (a nonprofit), which complicates bounty structures.

Davidson, lead of security innovation at Carapace, reported the flaw on November 29. Public disclosure came December 3, a 4-day turnaround showing that responsible disclosure works.

The “RSC Was Cursed” Debate

One skeptic wrote: “If there is one CVE, there is more undiscovered. React Server Components was cursed idea from beginning… Client side rendering is cheaper and more scalable.”

This reflects real architectural concerns: RSC introduces server-side execution complexity, expanding the attack surface. As watchTowr’s CEO warned: “Exploitation is inevitable… someone will figure it out.”

The counterargument: SSR/RSC enable better SEO, faster initial loads, and secure server-only logic. The debate isn’t settled, but CVE-2025-55182 proves security must be foundational, not an afterthought.

Patch Now

React: 19.0.1, 19.1.2, 19.2.1
Next.js: 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, 15.0.5

Vercel customers have WAF protection but must still upgrade: platform mitigations are temporary, while patching eliminates the vulnerability.
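As an added triage helper (not code from the advisory, React or Next.js), the following Node script checks the react and next entries in a package-lock.json against the patched releases listed above. It assumes the lockfile v2/v3 "packages" layout and the constructed sample below; a minor line the list does not cover (for example React 18) is reported as "unlisted" rather than guessed at.

```javascript
// Added triage helper: compare installed React / Next.js versions against the
// patched releases from the advisory above. Not part of any project's own tooling.

const PATCHED = {
  react: ['19.0.1', '19.1.2', '19.2.1'],
  next: ['16.0.7', '15.5.7', '15.4.8', '15.3.6', '15.2.6', '15.1.9', '15.0.5'],
};

// Parse "16.0.7", "^16.0.7" or "16.0.7-canary.3" into numeric [major, minor, patch].
// Pre-release suffixes are ignored, so a canary of a fixed version reads as fixed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim().replace(/^[\^~=v]+/, ''));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns 'patched', 'vulnerable', or 'unlisted' (no fix listed for that major.minor line).
function assess(pkg, installed) {
  const fixes = PATCHED[pkg];
  if (!fixes) throw new Error(`unknown package: ${pkg}`);
  const have = parseVersion(installed);
  const fix = fixes.map(parseVersion).find(f => f[0] === have[0] && f[1] === have[1]);
  if (!fix) return 'unlisted';
  return compare(have, fix) >= 0 ? 'patched' : 'vulnerable';
}

// Walk a lockfile's "packages" map (lockfile v2/v3) and assess every react/next copy,
// including nested duplicates under other dependencies.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if ((name === 'react' || name === 'next') && meta.version) {
      findings.push({ name, path, version: meta.version, status: assess(name, meta.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment (assumption, not a real project).
const sampleLock = { packages: {
  'node_modules/react': { version: '19.2.0' },
  'node_modules/next': { version: '15.5.7' },
}};
console.table(scanLockfile(sampleLock));
```

Run it against a real lockfile by replacing sampleLock with `JSON.parse(fs.readFileSync('package-lock.json'))`; any 'vulnerable' row means the upgrade is still pending regardless of WAF coverage.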