Protect Against Critical RCE in React CVE-2025-55182 with Traceable WAF | Blog
Blog post from Harness
A critical unauthenticated Remote Code Execution (RCE) vulnerability, CVE-2025-55182, has been identified in React Server Components and Next.js, presenting a severe threat with a CVSS score of 10.0. The vulnerability, discovered by Lachlan Davidson, affects the "Flight" protocol used in React's server-side rendering and allows unauthenticated attackers to execute arbitrary code by exploiting insecure deserialization. Although the vulnerability impacts numerous frameworks, Traceable by Harness WAF provided immediate protection against this class of vulnerabilities through multi-layered defenses such as its Server-Side Template Injection and Node.js Injection attack rules. The vulnerability affects specific versions of React and Next.js; organizations using these technologies should act immediately, deploying protection through Traceable WAF and applying patches promptly. The disclosure underscores the importance of proactive security measures and research-driven innovation in guarding against evolving threats, with Traceable emphasizing rapid deployment of defenses and continuous improvement to stay ahead of potential exploits.