69 comments

[ 4.7 ms ] story [ 85.9 ms ] thread
CVE 10.0 is bonkers for a project this widely used
It's almost like trying to magically wire up your frontend to the backend through magical functions is a bad idea.
The CVE says the that flaw is in React Server Components, which implies strongly that this is a RCE on the backend (!!), not the client.
From Facebook/Meta: https://www.facebook.com/security/advisories/cve-2025-55182

> A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

React's own words: https://react.dev/blog/2025/12/03/critical-security-vulnerab...

> React Server Functions allow a client to call a function on a server. React provides integration points and tools that frameworks and bundlers use to help React code run on both the client and the server. React translates requests on the client into HTTP requests which are forwarded to a server. On the server, React translates the HTTP request into a function call and returns the needed data to the client.

> An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server. Further details of the vulnerability will be provided after the rollout of the fix is complete.

"React Server Functions allow a client to call a function on a server"

Intentionally? That's a scary feature

I suspect the commit to fix is:

https://github.com/facebook/react/commit/bbed0b0ee64b89353a4...

and it looks like its been squashed with some other stuff to hide it or maybe there are other problems as well.

this pattern appears 4 times and looks like it is reducing the functions that are exposed to the 'whitelist'. i presume the modules have dangerous functions in the prototype chain and clients were able to invoke them.

      -  return moduleExports[metadata.name];
      +  if (hasOwnProperty.call(moduleExports, metadata.name)) {
      +    return moduleExports[metadata.name];
      +  }
      +  return (undefined: any);
till this day, I don't know the substantial benefits of React Server Components over say classically rendered html pages + using htmx ?

mind you react in 2017 paid my rent. now cz of the complexity I refuse to work with react.

> Projects hosted on Vercel benefit from platform-level protections that already block malicious request patterns associated with this issue.

https://vercel.com/changelog/cve-2025-55182

> Cloudflare WAF proactively protects against React vulnerability

https://blog.cloudflare.com/waf-rules-react-vulnerability/

I patched and rebuilt what I could and added custom Crowdsec WAF rules for this, in case I missed something.
(comment deleted)
I'm not a javascript person so I was trying to understand this. if i get it right this is basically a way to avoid writing backend APIs and manually calling them with fetch or axios as someone traditionally would do. The closest comparison my basic java backend brain can make is dynamically generating APIs at runtime using reflection, which is something I would never do... I'm lazy but not dumb
It's an RPC. They're half a century old. Java had RMI within a year of existence. [0]

> In remote procedure call systems, client-side stub code must be generated and linked into a client before a remote procedure call can be done. This code may be either statically linked into the client or linked in at run-time via dynamic linking with libraries available locally or over a network file system. In either the case of static or dynamic linking, the specific code to handle an RPC must be available to the client machine in compiled form... Dynamic stub loading is used only when code for a needed stub is not already available. The argument and return types specified in the remote interfaces are made available using the same mechanism. Loading arbitrary classes into clients or servers presents a potential security problem;

https://pdos.csail.mit.edu/archive/6.824-2009/papers/waldo-r...

Anyone know how Tanstack Start isn't affected?
This vulnerability is basically the worst-case version of what people have been warning about since RSC/server actions were introduced.

The server was deserializing untrusted input from the client directly into module+export name lookups, and then invoking whatever the client asked for (without verifying that metadata.name was an own property).

    return moduleExports[metadata.name]

We can patch hasOwnProperty and tighten the deserializer, but there is deeper issue. React never really acknowledged that it was building an RPC layer. If you look at actual RPC frameworks like gPRC or even old school SOAP, they all start with schemas, explicit service definitions and a bunch of tooling to prevent boundary confusion. React went the opposite way: the API surface is whatever your bundler can see, and the endpoint is whatever the client asks for.

My guess is this won't be the last time we see security fallout from that design choice. Not because React is sloppy, but because it’s trying to solve a problem category that traditionally requires explicitness, not magic.

To me it just looks like unacceptable carelessness, not an indictment of the alleged "lack of explicitness" versus something like gRPC. Explicit schemas aren't going to help you if you're so careless that, right at the last moment, you allow untrusted user input to reference anything whatsoever in the server's name space.
> The server was deserializing untrusted input from the client directly into

If I had a dollar for every time a serious vulnerability that started like this was discovered in the last 30 years...

> it’s trying to solve a problem category that traditionally requires explicitness, not magic.

i've been thinking basically this for so long, i'm kinda happy to be validated about this lol

> We can patch hasOwnProperty and tighten the deserializer, but there is deeper issue. React never really acknowledged that it was building an RPC layer. If you look at actual RPC frameworks like gPRC or even old school SOAP, they all start with schemas, explicit service definitions and a bunch of tooling to prevent boundary confusion. React went the opposite way: the API surface is whatever your bundler can see, and the endpoint is whatever the client asks for.

> My guess is this won't be the last time we see security fallout from that design choice. Not because React is sloppy, but because it’s trying to solve a problem category that traditionally requires explicitness, not magic.

Now I'm worried, but I don't use React. So I will have to ask: how does SvelteKit fares in this aspect?

Just like the old days of PHP servers exposing their source code
Indeed this is pretty bad.

The vast majority of developers do not update their frameworks to the latest version so this is something that will linger on for years. Particularly if you're on Next something-like-12 and there's breaking changes in order to go to 16 + patch.

OTOH this is great news for bad actors and pentesters.

while(true){

  console.log("jsjs")

}
How do hackers exploit it? Can I test it on my site?
Next.js/RSC has become the new PHP :)

I guess now we'll see more bots scanning websites for "/_next" path rather than "/wp-content".

Inevitable when the line between the client and the server is blurred this much. RCE in a UI library is not a phrase you hear often.
I have seen a number of attempts at exploiting this on our deployment already. Luckily I saw and was able to apply the patch last night, but as a European, it wasn't great to only get the announcement after dinner time.
Why does the react development team keeps investing their time on confusing features that only reinvent the wheel and cause more problems than solve?

What does server components do so much better than SSR? What minute performance gain is achieved more than client side rendering?

Why won’t they invest more on solving the developer experience that took a nosedive when hooks were introduced? They finally added a compiler, but instead of going the svelte route of handling the entire state, it only adds memoization?

If I can send a direct message to the react team it would be to abandon all their current plans, and work on allowing users to write native JS control flows in their component logic.

sorry for the rant.

I agree. Incoming hot take.

IMO, a big part of it is the lack of competition (in approach) exacerbated by the inability to provide alternatives due to technical/syntactical limitations of JavaScript itself.

Vue, Svelte, Angular, Ripple - anything other than React-y JSX based frameworks require custom compilers, custom file-types and custom LSPs/extensions to work with.

React/JSX frameworks have preferential treatment with pre-processors essentially baking in a crude compile time macro for JSX transformations.

Rust solved this by having a macro system that facilitated language expansion without external pre-processors - e.g. Yew and Leptos implement Vue-like and React-like patterns, including support for JSX and HTML templating natively inside standard .rs files, with standard testing tools and standard LSP support;

https://github.com/leptos-rs/leptos/blob/main/examples/count...

https://github.com/yewstack/yew/blob/master/examples/counter...

So either the ECMAScript folks figure out a way to have standardized runtime & compilable userland language extensions (e.g. macros) or WASM paves the way for languages better suited to the task to take over.

Neither of these cases are likely, however, so the web world is likely destined to remain unergonomic, overly complex and slow - at least for the next 5 - 10 years.

Because Facebook has a budget for R&D, which works out to several salaries, and React is one of the biggest technical assets they have, so it's someone full time job to develop features and new versions of React to increase the moat and stock value of Meta.

It works out because it keeps a workforce of React Developers on their feet, learning about the new features, rather than doing other stuff. It's like SaSS for developers, only instead of paying a monthly subscription in cash, you have to pay a monthly subscription in man-hours.

They are taking care of the customers. The customers are front-end dev with little experience in servers, back-end and networking. So they want to run some code that changes state without having to deal with all of that infra and complexity. Preferably while remaining in the "React state". That is the attraction of Nextjs and RSC.
Totally agree. Chiming in as another React dev: I really regret the last few years of choices React has made. I don't want a React-integrated BFF layer, even on greenfield projects, hooks are awful and the whole thing just gets more awkward to solve tangentially related problems.

I really do want a good frontend framework that lets me expressively build and render dynamic frontend components, but it feels like 99% of React's development in the last few years has been just been creating churn and making that core frontend experience worse and worse. Hooks solve challenges around sharing component meta-functionality but then end up far worse for all other non-trivial cases, and it seems like RSC & concurrency just break things and add constraints instead of improving any part of my existing experience.

I guess this is cool if you're building mega-projects, but it makes React actively painful to use for anything smaller. I still use it every day, but as soon as I find a good off-ramp for my product (something similar, but simpler) I will take it. Moving towards Preact & signals currently seems like the best option for existing projects so far as I can tell.

This is genuinely embarrassing for the Next.js and React teams. They were warned for years that their approach to server-client communication had risks, derided and ignored everyone who didn't provide unconditional praise, and now this.

I think their time as Javascript thought leaders is past due.

Curious, not critical: got links to the warnings that were given about this approach over the years?

I’m interested in learning more about the history here.

Do you really need React Server Conponents or even Server Side Rendering?
Before SSR (unless you were using PHP I guess) you had to ship a shell of a site with all the conditionals being decided only AFTER the browser has gotten all the HTML + JS pulled down. If you need to make any API calls, you've delayed rendering by hundreds of milliseconds or worse (round trip to your server)

With SSR, those round trips to the server could be down to single-digit milliseconds assuming your frontend server is in the same datacenter as your backend. Plus you send HTML that has actual content to be rendered right away.

A truly functional pageload can go from seconds to milliseconds, and you're transferring less data over the wire. Better all around at the expense of running a React Server instead of a static file host.

Yes. Web applications were impossible before these libraries.
I'm fumbled around a bit and got it working, but not entirely sure if this is how it really works: have a look at https://github.com/ejpir/CVE-2025-55182-poc
Thanks for the writeup, it's incredible!
I ran your exploit-rce-v4.js with and without the patched react-server-dom-webpack, and both of them executed the RCE.

So I don't think this mechanism is exactly correct, can you demo it with an actual nextjs project, instead of your mock server?

Your lump of AI-generated slop has detracted from the response to an important vulnerability. Congratulations. Your PoC is invalid and you should delete it.
very interesting to read.

However, if I am reading this correctly, your PoC falls in the category described here: https://react2shell.com/

> Anything that requires the developer to have explicitly exposed dangerous functionality to the client is not a valid PoC. Common examples we've seen in supposed "PoCs" are vm#runInThisContext, child_process#exec, and fs#writeFile.

> This would only be exploitable if you had consciously chosen to let clients invoke these, which would be dangerous no matter what. The genuine vulnerability does not have this constraint. In Next.js, the list of server functions is managed for you, and does not contain these.

Context: This is from Lachlan Davidson, the reporter of the vulnerability

FYI as of just now, the author has (correctly) added a disclaimer that this poc doesnt quite work.
You can't have Vercel without RCE.
I'm a big fan of react, but all the server stuff was a cold hard mistake, it's only a matter of time before the (entire) react team realises it, assuming their nextjs overlords permit it.
Next is only good for it's static build, once it drops support for that I'm out.
Yeah but even there, how do you get dynamic routes for static builds?
JavaScript is meant to be run in a browser. Not on a backend server [1].

Those who are choosing JS for the backend are irresponsible stewards of their customers' data.

1- https://ashishb.net/tech/javascript/

I am betting it would be exploited in the wild in the next few days, buckle up!