Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution
A maximum-severity security flaw has been disclosed in React Server Components (RSC) that, if successfully exploited, could result in remote code execution. The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0. The vulnerability has been codenamed React2shell. It allows "unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React
AI Analysis
Technical Summary
The disclosed vulnerability, tracked as CVE-2025-55182, is a maximum-severity security flaw affecting React Server Components (RSC) and Next.js frameworks. It arises from a logical deserialization flaw where React improperly processes and decodes payloads sent to Server Function endpoints. An unauthenticated attacker can craft malicious HTTP requests that, when deserialized by React, lead to arbitrary JavaScript code execution on the server. This vulnerability impacts versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of npm packages such as react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. For Next.js, versions >=14.3.0-canary.77, >=15, and >=16 are affected, with patches released in versions 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, and 15.0.5. The flaw extends to any library bundling RSC, including Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodJS, and Waku. The root cause is unsafe deserialization logic that fails to validate or sanitize incoming payloads, allowing attackers to execute arbitrary code remotely without authentication or user interaction. Cloud security firm Wiz reports that 39% of cloud environments have vulnerable instances. The vulnerability was responsibly disclosed by security researcher Lachlan Davidson on November 29, 2025. Given the criticality and ease of exploitation, immediate patching is essential to mitigate risks.
Potential Impact
For European organizations, this vulnerability presents a significant risk to web applications and cloud services built on React Server Components and Next.js. Exploitation can lead to full server compromise, enabling attackers to execute arbitrary code, steal sensitive data, manipulate application logic, or deploy further malware. This can disrupt business operations, cause data breaches, and damage reputations. The unauthenticated nature of the exploit means attackers do not require credentials or user interaction, increasing the likelihood of automated attacks and widespread exploitation. Organizations relying heavily on React and Next.js for customer-facing or internal applications, especially those handling personal data under GDPR, face heightened regulatory and financial risks. Cloud environments hosting vulnerable applications are particularly at risk of lateral movement and persistent compromise. The broad adoption of these frameworks in Europe’s digital economy amplifies the potential impact.
Mitigation Recommendations
European organizations should immediately inventory their applications and dependencies to identify usage of affected React Server Components and Next.js versions. They must upgrade to the patched versions: React RSC packages to 19.0.1, 19.1.2, or 19.2.1 and Next.js to versions 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, or 15.0.5. Where upgrading is not immediately feasible, organizations should implement strict network controls to restrict access to Server Function endpoints, such as IP whitelisting and Web Application Firewalls (WAF) with custom rules to detect and block suspicious payloads. Code audits should be conducted to ensure no unsafe deserialization or insecure payload handling exists beyond the known vulnerable packages. Monitoring and logging of server function endpoint traffic should be enhanced to detect anomalous requests. Additionally, organizations should engage in proactive threat hunting for signs of exploitation and prepare incident response plans. Vendors and third-party service providers using these frameworks should be engaged to confirm patch status and mitigation measures.
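As an added illustration of the inventory step (this is not code from the article, nor from React or Next.js), the following Node.js script compares the resolved versions of the packages named above against the affected lower bounds and the patched releases the advisory lists. It generalizes slightly beyond the advisory's version list: a version is judged vulnerable when it sits at or above the first affected version and below the patched release for its own major.minor line, and lines for which the advisory lists no patched release are flagged for manual verification rather than guessed at. The dependency map is a constructed sample; in practice feed it the resolved versions from your lockfile.

```javascript
// Added example: audit resolved dependency versions against the React2shell
// (CVE-2025-55182) version data quoted in the advisory. Not project code.

// Patched releases per package, as listed in the advisory.
const PATCHED = {
  "react-server-dom-webpack":   ["19.0.1", "19.1.2", "19.2.1"],
  "react-server-dom-parcel":    ["19.0.1", "19.1.2", "19.2.1"],
  "react-server-dom-turbopack": ["19.0.1", "19.1.2", "19.2.1"],
  "next": ["16.0.7", "15.5.7", "15.4.8", "15.3.6", "15.2.6", "15.1.9", "15.0.5"],
};

// First affected version per package. The advisory writes "19.0" for the RSC
// packages; this script assumes that means 19.0.0.
const AFFECTED_FROM = {
  "react-server-dom-webpack":   "19.0.0",
  "react-server-dom-parcel":    "19.0.0",
  "react-server-dom-turbopack": "19.0.0",
  "next": "14.3.0-canary.77",
};

// Minimal semver parser: major.minor[.patch][-prerelease][+build].
// Range prefixes such as ^ or ~ are stripped and the version treated as the
// range minimum (assumption: callers pass resolved lockfile versions anyway).
function parseSemver(v) {
  const m = /^[\^~]?v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: m[3] === undefined ? 0 : Number(m[3]),
    pre: m[4] ? m[4].split(".") : [],
  };
}

// Compare two prerelease identifiers per semver: numeric ones compare as
// numbers and sort before alphanumeric ones; otherwise lexical order.
function cmpIdent(a, b) {
  const an = /^\d+$/.test(a), bn = /^\d+$/.test(b);
  if (an && bn) return Math.sign(Number(a) - Number(b));
  if (an) return -1;
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1. A prerelease sorts before the release it precedes,
// so 14.3.0-canary.77 < 14.3.0, which matters for the Next.js canary range.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre.length === 0 && y.pre.length === 0) return 0;
  if (x.pre.length === 0) return 1;
  if (y.pre.length === 0) return -1;
  const n = Math.min(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    const c = cmpIdent(x.pre[i], y.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(x.pre.length - y.pre.length);
}

// Classify one package/version pair. Status values:
//   not-in-scope, before-affected-range, vulnerable, patched,
//   affected-range-no-listed-fix (in range, but the advisory names no patched
//   release on this major.minor line, so verify against the vendor advisory).
function assess(pkg, version) {
  if (!(pkg in PATCHED)) return { pkg, version, status: "not-in-scope" };
  if (compareSemver(version, AFFECTED_FROM[pkg]) < 0) {
    return { pkg, version, status: "before-affected-range" };
  }
  const v = parseSemver(version);
  const fix = PATCHED[pkg].find((p) => {
    const q = parseSemver(p);
    return q.major === v.major && q.minor === v.minor;
  });
  if (!fix) return { pkg, version, status: "affected-range-no-listed-fix" };
  return compareSemver(version, fix) < 0
    ? { pkg, version, status: "vulnerable", fix }
    : { pkg, version, status: "patched", fix };
}

// Audit a {name: resolvedVersion} map and return one finding per entry.
function auditDependencies(deps) {
  return Object.entries(deps).map(([pkg, version]) => assess(pkg, version));
}

// Constructed sample input, not real project data.
const SAMPLE_DEPENDENCIES = {
  "next": "15.4.2",
  "react-server-dom-webpack": "19.1.1",
  "react": "19.2.0",
};

for (const f of auditDependencies(SAMPLE_DEPENDENCIES)) {
  console.log(`${f.pkg}@${f.version}: ${f.status}${f.fix ? ` (patched release: ${f.fix})` : ""}`);
}
```

Run it with `node audit.js` after replacing `SAMPLE_DEPENDENCIES` with the versions resolved in your `package-lock.json` or equivalent; every `vulnerable` or `affected-range-no-listed-fix` finding is a package to upgrade before relying on the network-level controls described above.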
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland, Belgium, Ireland
Technical Details
- Article Source: https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html (fetched 2025-12-03T19:03:40.512Z, 911 words)
Threat ID: 693089977d648701e00701bc
Added to database: 12/3/2025, 7:03:51 PM
Last enriched: 12/3/2025, 7:04:11 PM
Last updated: 12/4/2025, 11:33:44 AM