Overview
- CVE-2025-55182 stems from unsafe deserialization of React Server Components (RSC) Flight protocol payloads on the server side, allowing an unauthenticated attacker to achieve remote code execution with a crafted HTTP request.
- React fixed the issue in versions 19.0.1, 19.1.2, and 19.2.1 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack (the affected releases are 19.0.0, 19.1.0, 19.1.1, and 19.2.0) after public disclosure on December 3, 2025.
- Next.js tracked the downstream impact as CVE-2025-66478, with patched releases on each 15.x minor line (15.0.5 through 15.5.7) and 16.0.7; AWS notes that this identifier has since been rejected as a duplicate of the React CVE. Applications that use only the Pages Router, or that run in the Edge Runtime, are not affected.
- Cloudflare activated network-wide WAF rules on December 2 and AWS updated its managed WAF rule set, but both providers stress that these are interim defenses that do not replace upgrading the affected packages and rebuilding and redeploying the application.
- Researchers report no confirmed in-the-wild exploitation yet but warn that attempts are likely imminent; they highlight impact across other RSC adopters (the React Router RSC preview, the Vite and Parcel plugins, Redwood, Waku) and cite Wiz's estimate that about 39% of cloud environments contain vulnerable instances.
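Because the fix is a package upgrade rather than a WAF rule, the first practical step is an inventory: which installed copies of the react-server-dom-* packages and of next are below the fixed versions listed above. The following is an added example, not code from this page, the React project, or Vercel. It classifies a package version against the fixed versions named above and scans a constructed package-lock.json. Two assumptions are labelled in the code: the per-minor Next.js patch levels between the two endpoints the page gives (15.1.9, 15.2.6, 15.3.6, 15.4.8) are taken from the upstream Next.js advisory rather than from this page, and prerelease/canary tags are reported as "unknown" instead of being guessed at.

```javascript
// Added example (not from the page, React, or Next.js): classify installed
// versions against the fixed releases the advisory names, then scan a lockfile.
// Assumption: Next.js patch levels 15.1.9, 15.2.6, 15.3.6 and 15.4.8 come from
// the upstream Next.js advisory; the page itself only gives 15.0.5, 15.5.7 and 16.0.7.

const RSC_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];

// First safe patch level per affected minor line ("major.minor" -> patch).
const FIXED = {
  rsc: { '19.0': 1, '19.1': 2, '19.2': 1 },
  next: { '15.0': 5, '15.1': 9, '15.2': 6, '15.3': 6, '15.4': 8, '15.5': 7, '16.0': 7 },
};

// Minimal semver parse: major.minor.patch plus an optional prerelease tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Returns 'patched', 'vulnerable', 'unknown' (minor line or tag not covered by
// the advisory, so no assurance is given) or 'not-applicable' (package not named).
function classify(name, version) {
  const table = RSC_PACKAGES.includes(name) ? FIXED.rsc
              : name === 'next' ? FIXED.next
              : null;
  if (!table) return 'not-applicable';
  const p = parseVersion(version);
  if (!p) return 'unknown';
  const line = `${p.major}.${p.minor}`;
  if (!(line in table)) return 'unknown';   // e.g. 14.x: not listed on the page
  if (p.prerelease) return 'unknown';       // canary builds: do not guess
  return p.patch >= table[line] ? 'patched' : 'vulnerable';
}

// Walk a lockfileVersion 2/3 package-lock.json; nested copies under
// "node_modules/<dep>/node_modules/<pkg>" are reported too, since a transitive
// copy of react-server-dom-* is just as exploitable as a top-level one.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const verdict = classify(name, entry.version);
    if (verdict !== 'not-applicable') findings.push({ name, path, version: entry.version, verdict });
  }
  return findings;
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/next': { version: '15.3.2' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/react-server-dom-turbopack': { version: '19.2.1' },
    'node_modules/some-lib/node_modules/react-server-dom-parcel': { version: '19.1.0-canary-1a2b3c' },
  },
};

console.table(scanLockfile(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`. Note that the `react` package version alone says nothing here: the vulnerable code lives in the react-server-dom-* packages, which frameworks such as Next.js pull in transitively, so a clean top-level dependency list is not evidence of a clean build. The 'unknown' verdict is deliberate; a canary build or an unlisted minor line should be checked against the upstream advisory rather than assumed safe.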