Severity: Critical (CVSS 10.0)
A critical security vulnerability has been disclosed affecting React Server Components (RSC) in specific versions of the React framework. The issue impacts commonly used server-side React packages and may be relevant to organisations operating modern web applications that expose server function endpoints.
The vulnerability, tracked as CVE-2025-55182, affects the packages react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. It arises from unsafe deserialization of HTTP request payloads sent to Server Function endpoints, which could allow a remote attacker to execute arbitrary commands on affected systems.
Successful exploitation could compromise the confidentiality, integrity, and availability of impacted applications and underlying infrastructure. As part of Beeks’ commitment to supporting operational resilience and cyber risk management, this advisory is intended to help organisations assess exposure and implement appropriate mitigations.
Affected Packages and Versions:
- react-server-dom-webpack versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0
- react-server-dom-parcel versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0
- react-server-dom-turbopack versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0
Immediate Recommended Actions:
- Apply the patch released by React for the impacted systems detailed in the link below.
- If you are unable to patch vulnerable systems, apply the following mitigations:
  - Remove public exposure of vulnerable endpoints.
  - Restrict access to server endpoints to trusted networks or VPN.
  - Apply strict firewall rules to block external access.
  - Deploy WAF rules to block exploitation attempts (Google Cloud Armor has released a preconfigured rule for CVE-2025-55182).
- Monitor for indicators of compromise:
  - Unexpected server-side execution patterns
  - Suspicious HTTP requests to RSC endpoints
Further Information:
For detailed information on the vulnerability, please refer to the React advisory "Critical Security Vulnerability in React Server Components".
We understand the seriousness of this issue and the potential impact on your operations. Please take immediate action to secure your systems and mitigate any potential risks.
If you have any questions or require further assistance, please contact [email protected] or reach out to your Beeks account representative.
Note: This advisory is issued to ensure the security of your systems and to prevent unauthorised access to your sensitive data. We are committed to providing you with the latest security information and support to safeguard your infrastructure.
Beeks will continue to monitor this and related vulnerabilities and provide updates through our Security Advisory.






