Security Update: Critical RCE in React Server Components & Next.js (CVE-2025-55182)
Blog post from Detectify
A newly discovered critical remote code execution vulnerability, CVE-2025-55182, has been identified in Next.js applications that use React Server Components and Server Actions. It stems from insecure deserialization in the "Flight" protocol used by React and allows unauthenticated remote attackers to execute arbitrary code on the server, potentially compromising both the application and the underlying system.

The vulnerability carries a CVSS score of 10.0 and affects several packages, including react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack, impacting versions 19.0.0 through 19.2.0 of React Server Components as well as Next.js applications using the App Router (15.x, 16.x) or experimental Server Actions. Detection is possible through a specially crafted POST request that identifies the deserialization flaw by observing the server's error responses.

Mitigation requires immediately upgrading to patched versions: React Server Components 19.0.1, 19.1.2, or 19.2.1 and the latest Next.js patch releases. If patching is not feasible, risk can be reduced temporarily by implementing Web Application Firewall rules that block suspicious requests. Users are encouraged to update their applications promptly and consult the official release logs for the specific patch versions.
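A defender-side check for the version facts above, added here as an example and not code from Detectify or from the React or Next.js projects: it audits a package-lock.json (a constructed sample is embedded) for the three affected packages and flags releases below the patched versions. It assumes that 19.0.1, 19.1.2 and 19.2.1 are the first fixed releases on their minor lines and, conservatively, treats a prerelease of a fixed version as still affected; because the page gives no fixed Next.js patch level, 15.x/16.x installs are only referred to the release log.

```javascript
// Added example (not Detectify's or the React/Next.js projects' code).
// Audits a package-lock.json for the packages named in the CVE-2025-55182 advisory.
// Assumption: 19.0.1, 19.1.2 and 19.2.1 are the first fixed releases on their minor
// lines, so any 19.0.x/19.1.x/19.2.x below them is affected (19.0.0 through 19.2.0).
const AFFECTED_PACKAGES = [
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
];
const FIRST_FIXED_PATCH = { 0: 1, 1: 2, 2: 1 }; // minor line -> first fixed patch level

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: Boolean(m[4]) };
}

function isVulnerableRscVersion(v) {
  const p = parseVersion(v);
  if (!p || p.major !== 19) return false; // only the 19.x lines are in the advisory
  const fixed = FIRST_FIXED_PATCH[p.minor];
  if (fixed === undefined) return false; // 19.3+ minor lines are not listed as affected
  if (p.patch < fixed) return true;
  // Conservative: a prerelease of the fixed patch (e.g. 19.2.1-canary-x) sorts before it.
  return p.prerelease && p.patch === fixed;
}

function auditLockfile(lock) {
  // package-lock v2/v3 layout: "packages" keyed by install path.
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    const p = parseVersion(entry.version);
    if (AFFECTED_PACKAGES.includes(name) && isVulnerableRscVersion(entry.version)) {
      findings.push({ name, version: entry.version, action: "upgrade to patched release" });
    } else if (name === "next" && p && (p.major === 15 || p.major === 16)) {
      // App Router lines named in the advisory; no fixed Next.js patch level is given here.
      findings.push({ name, version: entry.version, action: "confirm against Next.js release log" });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment for demonstration.
const SAMPLE_LOCK = {
  packages: {
    "node_modules/next": { version: "15.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
  },
};
```

Run `auditLockfile(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))` against a real project to list the entries that need action.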