CISA’s addition of CVE-2025-55182 to the Known Exploited Vulnerabilities (KEV) Catalog escalates a maximum-severity remote code execution risk in React Server Components into an operational emergency for federal networks and a critical remediation priority for every organization that hosts server-rendered React applications.
Background / Overview
React Server Components (RSC) were promoted as a performance and developer-experience feature that shifts rendering work to the server. The mechanism that carries data between client and server—the so-called React Flight protocol—serializes component state and server actions into compact payloads that the server decodes and executes. A flaw in that decoding path creates an unsafe deserialization condition: specially crafted payloads can cause the server to execute attacker-controlled code with the privileges of the application. The React team and multiple vulnerability databases identify this issue as CVE-2025-55182 with a CVSS score of 10.0, affecting react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack in React 19.x releases. CISA’s KEV process—established by Binding Operational Directive BOD 22‑01—is explicitly designed to convert evidence of in-the-wild exploitation into mandatory remediation timelines for the Federal Civilian Executive Branch (FCEB). When an item lands on KEV it becomes a must-fix for federal agencies by the specified due date; private-sector organizations receive a de facto operational directive to prioritize remediation. The announcement adding this React Server Components flaw to the KEV Catalog signals that the agency views evidence of exploitation or active weaponization as sufficiently credible to impose accelerated action.
What the flaw actually is — technical summary
The root cause: unsafe deserialization (CWE-502)
At its core, CVE-2025-55182 is an instance of deserialization of untrusted data. The Flight protocol accepts serialized payloads from HTTP requests directed at Server Function endpoints; those payloads are deserialized and interpreted by server-side React code. The deserialization routine in affected package versions does not properly validate or restrict types and inputs, enabling an attacker to craft payloads that result in arbitrary JavaScript execution on the server. Multiple vendor advisories and community trackers confirm the deserialization root cause and identify the precise affected components.
Affected packages and versions
The vulnerability affects these Meta-supplied packages and version ranges:
- react-server-dom-webpack: 19.0.0 – 19.2.0
- react-server-dom-parcel: 19.0.0 – 19.2.0
- react-server-dom-turbopack: 19.0.0 – 19.2.0
Exploitability and impact
- Attack vector: network (HTTP request to a Server Function endpoint)
- Authentication: none required — unauthenticated attackers can target exposed endpoints
- Impact: arbitrary code execution as the application user; in many server deployments that can lead to full server or container compromise, credential theft, lateral movement, and supply-chain tampering
- Ease of exploitation: high — public proof-of-concept samples and scanning tools appeared quickly after disclosure, and multiple security vendors report high reliability of exploit attempts in test environments.
Evidence of active exploitation and CISA’s KEV action
Multiple high-quality sources note the rapid emergence of proof-of-concept exploit code, scanning activity, and in-the-wild abuse of the flaw shortly after disclosure. React’s own advisory and national CERTs describe public PoCs and active probing; independent security vendors reported widespread scanning for internet-exposed Server Function endpoints within days. These telemetry signals are the same types of evidence CISA uses to justify KEV listings: confirmed exploitation or high-confidence exploit telemetry against real systems. CISA’s KEV addition elevates the vulnerability from a high-profile technical disclosure to an operational compliance item for federal agencies under BOD 22‑01. That step typically shortens remediation windows and increases pressure on downstream suppliers and hosting platforms to act rapidly. For administrators and security teams this means switching from “assess” to “patch now / mitigate now.”
Caveat — verification note: automated retrieval of some CISA pages may be inaccessible from tooling, but the advisory that formed the basis of this article was circulated publicly and is represented in industry feeds and the CISA KEV catalog updates; treat the KEV assignment as authoritative operational guidance for affected federal entities while private-sector teams should treat it as high-priority actionable intelligence.
Vendor response and mitigation options
What Meta / React and framework maintainers have done
The React team published an urgent advisory, assigned CVE-2025-55182, and released patched packages on the 19.x lines. Frameworks that integrate RSC (notably Next.js versions across 14–16 where relevant integrations exist) have either released updates or published immediate recommendations to upgrade and to review server-function exposure. The React advisory explicitly recommends upgrading to the patched package versions and auditing server-function endpoints.
Short-term mitigation strategies
If immediate patching is not possible, organizations have several interim mitigations:
- Deploy WAF rules: major WAF vendors and cloud providers rolled out emergency rules to block exploit payload patterns. Vendors such as Cloudflare, F5, and others announced signatures and cloud WAF rules to detect and block malicious Flight payloads. These are stopgaps, not cures.
- Restrict access to Server Function endpoints: if Server Function endpoints are not required to be public, place them behind internal networks, VPNs, or IP allow-lists.
- Harden logging and runtime detection: enable process spawn monitoring, outbound connection restrictions, and EDR rules that detect arbitrary JavaScript process creation or suspicious commands emerging from web processes.
- Inventory and build-image scans: scan package-locks, container images, and CI artifacts for vulnerable react-server-dom-* packages and remediate the build pipeline.
Permanent fix
Install the vendor-supplied patches in application build pipelines and production environments, rebuild and redeploy containers/servers, and rotate any credentials or tokens that may have been exposed in affected systems. For platform providers and PaaS vendors, roll fixes into runtime images and ensure hosted apps are rebuilt with updated dependencies.
Operational checklist for WindowsForum readers — prioritized, actionable steps
- Inventory: identify all projects, monorepos, and images that reference any react-server-dom-* packages or include React 19.x server features. Scan build artifacts, package-lock.json / pnpm-lock.yaml / yarn.lock, and container images.
- Patch: upgrade server-side React packages to patched versions (e.g., 19.0.1, 19.1.2, 19.2.1 or later) and apply framework patches for Next.js and other integrators. Rebuild and redeploy.
- Apply temporary controls if you cannot patch immediately: enable WAF rules from your provider, restrict access to Server Function endpoints, and block suspicious patterns at ingress.
- Hunt: search logs for anomalous requests that target Server Function endpoints, unexpected process creation by app servers, and outbound connections or data exfiltration channels originating from web server processes.
- Monitor: subscribe to vendor advisories, CISA KEV updates, NVD/CVE pages, and reputable vendor threat feeds for PoC changes or follow-on exploits.
- Report & escalate: if you detect signs of compromise, isolate affected hosts, preserve forensic artifacts, and notify incident response teams and the appropriate authorities, including CISA if federal assets are involved.
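An added example (not from the CISA advisory or the React project) that performs the Inventory and Patch checks above against an npm package-lock.json: it finds every react-server-dom-* install, including transitive copies nested under another package, and classifies each pinned version against the patched versions named in the Patch step. The sample lockfile, the per-minor-line fix table and the handling of pre-release tags are assumptions made for this example.

```javascript
// Packages named in the advisory.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
// First fixed patch level per affected 19.x minor line, from the patched versions
// listed above (19.0.1, 19.1.2, 19.2.1); other lines fall outside 19.0.0 - 19.2.0.
const FIXED_PATCH_BY_MINOR = { 0: 1, 1: 2, 2: 1 };
// "19.2.0" or "19.2.0-canary-xyz" -> [19, 2, 0]. A pre-release of an affected
// version is treated as that version (a conservative choice made here).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

function isVulnerable(version) {
  const parts = parseVersion(version);
  if (!parts) return false;
  const [major, minor, patch] = parts;
  if (major !== 19 || !(minor in FIXED_PATCH_BY_MINOR)) return false;
  return patch < FIXED_PATCH_BY_MINOR[minor];
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json (npm 7+).
// Keys such as "node_modules/next/node_modules/<pkg>" expose nested transitive copies.
function scanLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0) continue;
    const name = path.slice(idx + "node_modules/".length);
    if (AFFECTED_PACKAGES.has(name) && isVulnerable(entry.version)) {
      findings.push({ name, version: entry.version, path });
    }
  }
  return findings;
}

// Constructed sample lockfile (not from a real project): one patched pin, one
// vulnerable top-level pin and one vulnerable transitive copy nested under next.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/react-server-dom-turbopack": { version: "19.1.1" },
    "node_modules/next/node_modules/react-server-dom-webpack": { version: "19.0.0" },
  },
};
// Real use: scanLock(JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")))
console.log(scanLock(SAMPLE_LOCK));
```

Run it against each project's lockfile and container image layer; a clean top-level pin does not clear a project while a nested copy under a framework package remains in range.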
Why this is worse than a typical library bug
- Unauthenticated network RCE: unlike many library flaws that require authentication or chained conditions, CVE-2025-55182 can be triggered by unauthenticated HTTP requests to exposed endpoints, dramatically increasing exposure.
- High reliability PoCs: early exploit samples demonstrated a high success rate in testbeds, reducing attacker effort and increasing opportunistic exploitation.
- Broad distribution through frameworks: many modern web frameworks (notably Next.js) embed React’s server packages, so the vulnerability propagates from a single dependency into a large set of production web apps.
- Server-side JavaScript execution surface: the exploit leads to arbitrary JavaScript execution on the server, which often maps directly to command execution (spawned processes, file writes, secret access) in typical Node.js/hosting environments.
Risk scenarios and what attack chains look like in practice
- Initial access: attacker sends crafted Flight/Server Function payload to an exposed endpoint and gains code execution in the web process.
- Privilege escalation and lateral move: attacker dumps secrets from environment variables, recovers service account tokens, or leverages misconfigurations to pivot to databases, storage buckets, or orchestration APIs.
- Supply-chain tampering: compromised build servers or CI runners could be used to inject malicious code into images and packages that later reach production and customers.
- Ransomware / data theft: full server control can be leveraged to deploy extortion malware, encrypt data, or exfiltrate sensitive files.
Strengths of the ecosystem response — and remaining weaknesses
Notable strengths
- Rapid vendor disclosure and patches: Meta’s React team published a disclosure and released patched packages quickly, and major framework providers responded rapidly with updates and guidance.
- WAF and CDN mitigations: multiple security vendors rolled out WAF signatures and cloud mitigations within 24–48 hours, giving organizations a temporary protective layer.
- National-level coordination: multiple national CERTs and vulnerability databases (NVD, Cyber Centre Canada) and private-sector trackers documented the flaw and coordinated guidance, improving global situational awareness.
Remaining weaknesses and risks
- Dependency sprawl: modern monorepos and legacy containers often bake in vulnerable packages that are not visible to application owners, creating blind spots in remediation.
- Build pipelines and CI/CD exposure: vulnerable package versions cached in artifact repositories or CI images require pipeline-wide updates—simply patching a deployed container is insufficient if the build system remains compromised.
- False sense of security from WAFs: while helpful, WAF rules are temporary mitigations and can be bypassed as PoCs evolve; they do not replace the need for upstream patching.
Practical guidance for different roles
For developers
- Immediately run repository-wide scans for react-server-dom-* packages and update dependencies.
- Add explicit dependency checks into CI (SCA tools) to prevent reintroducing vulnerable versions.
- Avoid exposing Server Function endpoints publicly unless strictly required.
For DevOps / platform engineers
- Rebuild and redeploy containers and server images with patched packages; rotate CI secrets and service account keys if any exposure is suspected.
- Ensure cloud-native WAF or perimeter protections are enabled while rolling patches.
- Harden runtime execution contexts: reduce privileges for app processes, enable process restrictions, and lock down outbound network flows.
For security operations / incident responders
- Prioritize hunting on internet-facing apps that use RSC or Next.js App Router.
- Implement detection rules for unexpected Node.js child processes, suspicious outbound connections from web servers, and modifications to deployment manifests.
- Prepare incident playbooks for rapid isolation and forensic preservation.
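An added example (not from the advisory or any vendor's detection content) of the first rule above, the "unexpected Node.js child processes" case, run over constructed process-creation events: it flags shells, interpreters and download tools whose process ancestry leads back to a Node.js process, while leaving node-spawns-node (cluster workers) and administrator shells alone. The event field names, the list of suspicious binaries and the assumption that the app runs under a plain node binary are all choices made for this example.

```javascript
// Assumption for this example: the web app runs under a binary named "node".
const WEB_SERVER_EXE = /(^|\/)node$/;
// Binaries a web worker has no business launching (tune per environment).
const SUSPICIOUS = new Set(["sh", "bash", "dash", "zsh", "curl", "wget", "nc", "ncat", "python3", "perl"]);

// Constructed process-creation events (not real telemetry). Field names are an
// assumption; map them from your EDR, auditd or Sysmon-for-Linux source.
const SAMPLE_EVENTS = [
  { pid: 100, ppid: 1,   exe: "/usr/bin/node", cmd: "node server.js" },          // web server
  { pid: 101, ppid: 100, exe: "/usr/bin/node", cmd: "node server.js" },          // cluster worker: benign
  { pid: 102, ppid: 100, exe: "/bin/sh",       cmd: "sh -c id" },                // shell under node
  { pid: 103, ppid: 102, exe: "/usr/bin/curl", cmd: "curl http://198.51.100.7/" }, // downloader under that shell
  { pid: 200, ppid: 1,   exe: "/bin/bash",     cmd: "bash" },                    // admin shell, not under node
];

function basename(p) { return p.slice(p.lastIndexOf("/") + 1); }

// Nearest ancestor that is a Node.js process, or null. The walk is depth-bounded
// so a missing or self-referencing ppid chain cannot loop forever.
function nodeAncestor(ev, byPid, maxDepth = 8) {
  let cur = byPid.get(ev.ppid);
  for (let d = 0; cur && d < maxDepth; d++) {
    if (WEB_SERVER_EXE.test(cur.exe)) return cur;
    cur = byPid.get(cur.ppid);
  }
  return null;
}

// Rule: a suspicious binary whose ancestry (direct parent or further up) is a
// Node.js process. Returns one alert per offending process.
function detectNodeSpawns(events) {
  const byPid = new Map(events.map((e) => [e.pid, e]));
  const alerts = [];
  for (const ev of events) {
    if (!SUSPICIOUS.has(basename(ev.exe))) continue;
    const origin = nodeAncestor(ev, byPid);
    if (origin) alerts.push({ pid: ev.pid, cmd: ev.cmd, viaNodePid: origin.pid, viaNodeCmd: origin.cmd });
  }
  return alerts;
}

for (const a of detectNodeSpawns(SAMPLE_EVENTS)) {
  console.log(`ALERT pid=${a.pid} "${a.cmd}" spawned under node pid=${a.viaNodePid} (${a.viaNodeCmd})`);
}
```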
Long-term lessons and strategic follow-ups
- Treat server-side JavaScript features as high-risk primitives: features that allow server-side execution of client-originated payloads deserve the same scrutiny as legacy deserialization APIs.
- Strengthen software composition and build governance: ensure that production images and CI caches are scanned and that dependency updates propagate automatically into release pipelines.
- Integrate KEV and national CERT feeds into your vulnerability management: when CISA or another authority places a CVE on a KEV-style list, treat it as an operational priority trigger.
Conclusion
CVE-2025-55182 is a textbook example of how modern convenience features—designed to improve developer productivity and app performance—can introduce catastrophic attack surfaces when deserialization and execution boundaries are not tightly controlled. The vulnerability’s maximum CVSS score, public proof-of-concept activity, and CISA’s decision to add it to the KEV Catalog make the risk immediate and non-negotiable for federal networks and highly urgent for private-sector operators.
The defensive playbook is straightforward: inventory, patch, rebuild, and harden. Where immediate patching is impossible, deploy layered mitigations (WAF, access restrictions, enhanced detection). Operational teams should assume the exploit is being actively scanned in the wild and act accordingly; the cost of delay is too high when unauthenticated remote code execution is in play.
For WindowsForum readers responsible for web applications and hosting stacks, this event is both a warning and an opportunity: adopt stricter dependency hygiene, accelerate CI/CD security, and treat server-side features that accept client payloads as critical risk points in architecture reviews. Rapid, disciplined action now will close the window of opportunity for opportunistic attackers and reduce the likelihood of costly post-compromise recovery later.
Source: CISA, “CISA Adds One Known Exploited Vulnerability to Catalog”