Next.js React Server Components RCE (CVE-2025-55182)
Package: next
Weaknesses: CWE-94 (Code Injection), CWE-502 (Deserialization of Untrusted Data)
- Published: Dec 3, 2025
- Last updated: May 9, 2026
- Status: Active
- GHSA: GHSA-9qr9-h5gf-34mp
Summary
Next.js App Router unsafely deserializes RSC payloads from HTTP request bodies on Server Function endpoints, allowing an unauthenticated attacker to execute arbitrary code. Critical (CVSS 10.0). Listed on the CISA Known Exploited Vulnerabilities catalog with EPSS > 82% — exploitation in the wild has been confirmed. Patch immediately.
Affected versions
| Affected range | Patched |
|---|---|
| >=16.0.0-beta.0 <16.0.7 | 16.0.7 |
| >=15.5.0 <15.5.7 | 15.5.7 |
| >=15.4.0-canary.0 <15.4.8 | 15.4.8 |
| >=15.3.0-canary.0 <15.3.6 | 15.3.6 |
| >=15.2.0-canary.0 <15.2.6 | 15.2.6 |
| >=15.1.0 <15.1.9 | 15.1.9 |
| >=14.3.0-canary.77 <15.0.5 | 15.0.5 |
Hosting Environment Impact
This vulnerability affects every environment that exposes React Server Components Server Function endpoints to the public network.
- Next.js App Router (15.x / 16.x): Affected. RSC is a core feature, so essentially every App Router project is exposed.
- Vercel / Netlify / Cloudflare Pages: Affected. Hosting providers may have added platform-level filters, but a self-deployed Next.js with an unpatched version is still vulnerable.
- Self-hosted Node.js (next start): Affected. The most dangerous configuration — there is no hosting-side defense, so patching is the only safe path.
- Pages Router only (no App Router): Not affected. RSC is a prerequisite.
Vulnerability Mechanism
Next.js App Router Server Function endpoints accept an HTTP request body, deserialize the RSC payload (a serialized React tree + function-call spec), and invoke the matching server function. The deserialization path lacked sufficient validation of untrusted input, which lets an attacker:
- Reach unintended function references during deserialization
- Inject arbitrary object/JS expressions as call arguments
- Achieve remote code execution without authentication or user interaction
CVSS 10.0 (Critical, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) means:
- Reachable across the network (AV:N)
- Almost no preconditions (AC:L)
- No authentication needed (PR:N)
- No clicks or interaction needed (UI:N)
- Crosses authority boundaries to the hosting system (S:C)
- Full impact on confidentiality, integrity, availability (C:H/I:H/A:H)
Listing on the CISA Known Exploited Vulnerabilities catalog and an EPSS score above 82% indicate this is not theoretical — exploitation in the wild has been observed.
Patch & Mitigation
1. Upgrade to a patched version (mandatory)
Minimum safe versions per major:
```bash
# If on a 14.x canary
npm install next@15.0.5
# 15.x line — pick the closest patched release for your minor
npm install next@15.0.5 # 15.0.x
npm install next@15.1.9 # 15.1.x
npm install next@15.2.6 # 15.2.x
npm install next@15.3.6 # 15.3.x
npm install next@15.4.8 # 15.4.x
npm install next@15.5.7 # 15.5.x
# 16.x line
npm install next@16.0.7
# Or latest stable (recommended)
npm install next@latest
```
Upgrading to the May 2026 coordinated release (15.5.16 / 16.2.5) resolves this RCE and the 13 May advisories at the same time. Whenever possible, do this in a single upgrade cycle.
2. Temporary mitigation — limited
A CVSS 10.0 RCE cannot be reliably blocked by WAF/reverse proxy alone. The items below only reduce the exposure window until the patch is in place:
- Restrict external access to Server Function endpoints: If feasible, expose RSC actions only to internal networks or authenticated users.
- Tight request size and rate limits: Cap payload size and request rate aggressively to shrink the attack surface.
- Log and monitor: Audit Server Function call logs for anomalous payloads.
- WAF signatures: Apply hosting-WAF rules for this CVE as soon as your provider publishes them.
To repeat: these are stop-gap measures only that reduce time-at-risk; they do not block the RCE itself. Patch as fast as possible.
3. Verifying the patch
After upgrading, check the installed next version against the affected ranges above to confirm it is outside every one of them. Also check whether other May 2026 advisories apply to your environment and bundle the fixes if so.
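The range check described in steps 1 and 3 can be scripted. The following Node.js helper is an added example, not code from the advisory or from the Next.js project; it embeds the affected-versions table above and implements just enough semver ordering for the canary and beta tags those ranges use (`AFFECTED_RANGES`, `checkNextVersion` and `compareVersions` are names chosen here).

```javascript
// Affected ranges copied from the advisory table, each paired with its patched release.
// (Added example; hypothetical helper, not code from the advisory or the Next.js project.)
const AFFECTED_RANGES = [
  { min: "16.0.0-beta.0",    max: "16.0.7", patched: "16.0.7" },
  { min: "15.5.0",           max: "15.5.7", patched: "15.5.7" },
  { min: "15.4.0-canary.0",  max: "15.4.8", patched: "15.4.8" },
  { min: "15.3.0-canary.0",  max: "15.3.6", patched: "15.3.6" },
  { min: "15.2.0-canary.0",  max: "15.2.6", patched: "15.2.6" },
  { min: "15.1.0",           max: "15.1.9", patched: "15.1.9" },
  { min: "14.3.0-canary.77", max: "15.0.5", patched: "15.0.5" },
];
// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split(".") : [] };
}
// Semver ordering: numeric core first; a prerelease (canary, beta, rc) sorts below
// the same core without one; prerelease identifiers compare numerically when both are numbers.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  }
  if (x.pre.length === 0 || y.pre.length === 0) {
    return x.pre.length === y.pre.length ? 0 : x.pre.length === 0 ? 1 : -1;
  }
  for (let i = 0; ; i++) {
    if (x.pre[i] === undefined && y.pre[i] === undefined) return 0;
    if (x.pre[i] === undefined) return -1; // shorter prerelease list sorts lower
    if (y.pre[i] === undefined) return 1;
    if (x.pre[i] === y.pre[i]) continue;
    const nx = /^\d+$/.test(x.pre[i]), ny = /^\d+$/.test(y.pre[i]);
    if (nx && ny) return +x.pre[i] < +y.pre[i] ? -1 : 1;
    if (nx !== ny) return nx ? -1 : 1; // numeric identifiers sort before alphanumeric ones
    return x.pre[i] < y.pre[i] ? -1 : 1;
  }
}
// Returns the patched release to upgrade to, or null when `installed` is outside every
// affected range. Prereleases that fall inside a range are reported as affected (conservative).
function checkNextVersion(installed) {
  for (const r of AFFECTED_RANGES) {
    if (compareVersions(installed, r.min) >= 0 && compareVersions(installed, r.max) < 0) {
      return r.patched;
    }
  }
  return null;
}
```

Feed it the `version` field of `node_modules/next/package.json`; a non-null result is the release to install, and null means the installed build is outside every listed range.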
Summary
CVE-2025-55182 is a deserialization flaw in Next.js App Router React Server Components that allows unauthenticated remote code execution — effectively the worst-case scenario for a web framework. With the CISA KEV listing and confirmed in-the-wild exploitation, any unpatched instance is at imminent risk. Every running Next.js App Router project should be upgraded to a patched release (or the May 2026 coordinated release) immediately, with security monitoring tightened in the interim.
References
- GHSA-9qr9-h5gf-34mp (GitHub Advisory)
- React Blog — Critical Security Vulnerability in RSC
- Snyk — SNYK-JS-NEXT-14173355
- CISA Known Exploited Vulnerabilities
Credits
- Lachlan Davidson (lachlan2k)