Next.js 13-16 CVSS 10 RCE in React Server Components
CVE-2025-55182 enables unauthenticated RCE via malicious HTTP POST to Server Function endpoints in React 19+, affecting Next.js 13-16. Frontend developers must patch immediately or risk full server compromise without credentials.
Critical React Server Components Vulnerabilities: Patch RCE, DoS, and Source Code Exposure Now
React JS developers, especially those building with React 19+ and Next.js 13-16, face an urgent security crisis. On May 13, 2026, researchers disclosed three high-severity vulnerabilities in React Server Components (RSC): CVE-2025-55182 (CVSS 10 RCE), CVE-2025-55183 (source code exposure), and CVE-2025-55184 (DoS). These flaws impact packages like react-server-dom-webpack/parcel/turbopack 19.0.0-19.2.1 and Next.js versions 13.x-16.x, used by millions of front end web developers for scalable apps.
Executive Summary: What Makes These Vulnerabilities Critical
CVE-2025-55182 is the most alarming—a perfect 10/10 CVSS score for remote code execution (RCE). Attackers can execute arbitrary code on your Node.js server with unauthenticated HTTP POST requests to Server Function endpoints. Shockingly, this works even if you're not using Server Actions explicitly, as long as RSC is enabled.
CVE-2025-55183 leaks Server Action logic and source code, exposing proprietary business rules or API keys. CVE-2025-55184 triggers denial-of-service (DoS) via CPU-intensive hangs, crippling production servers. Affected frameworks include Vite, React Router, RedwoodSDK, and more. News score: 8/10 urgency—patch today to avoid breaches.
As a front end web developer relying on React JS for custom web development, these hits undermine RSC's core promise: server-side rendering without client JS bloat. Production apps are at risk now.
Step-by-Step Patching Guide for React JS and Next.js
Update immediately. Here's how for key packages:
- React and react-server-dom: Run `npm update react@19.2.2 react-dom@19.2.2 react-server-dom-webpack@19.2.2` (or 19.0.2+ for older branches, 19.1.3+ for 19.1.x). Verify with `npm ls react-server-dom-webpack`.
- Next.js: `npm install next@14.2.35` (13.x), `next@15.0.7` (15.x), or `next@16.0.10` (16.x). Update package.json:
```json
{
  "dependencies": {
    "next": "^16.0.10"
  }
}
```
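To confirm the update reached every installed copy, including nested ones pulled in by other dependencies, the following added example (not code from this article or from the React or Next.js projects) checks an npm lockfile against the fixed versions listed in the steps above. The lockfile is constructed sample data, the function names are hypothetical, and the thresholds are only those this guide lists, so release lines it does not mention are not flagged.

```javascript
// Added example (not from the article or the React/Next.js projects).
// Fixed versions per release line, copied from the patching guide above.
const RSC_FIXED = { '19.0': '19.0.2', '19.1': '19.1.3', '19.2': '19.2.2' };
// Assumption: 14.x is held to the same 14.2.35 floor the guide gives for 13.x.
const NEXT_FIXED = { 13: '14.2.35', 14: '14.2.35', 15: '15.0.7', 16: '16.0.10' };
const RSC_PACKAGES = ['react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack'];

// Parse "major.minor.patch"; prerelease/build suffixes are ignored.
const parse = (v) => {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || '');
  return m ? m.slice(1).map(Number) : null;
};
const lessThan = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
};

function fixedVersionFor(name, ver) {
  if (name === 'next') return NEXT_FIXED[ver[0]];
  if (RSC_PACKAGES.includes(name)) return RSC_FIXED[`${ver[0]}.${ver[1]}`];
  return undefined; // package or release line not covered by the guide
}

// Walk the "packages" map of an npm lockfile (v2/v3), including nested installs.
function findUnpatched(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    const ver = parse(meta.version);
    const fixed = ver && fixedVersionFor(name, ver);
    if (fixed && lessThan(ver, parse(fixed))) {
      findings.push({ path, name, installed: meta.version, fixed });
    }
  }
  return findings;
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/next': { version: '16.0.9' },
  'node_modules/react-server-dom-webpack': { version: '19.1.2' },
  'node_modules/react-server-dom-turbopack': { version: '19.2.2' },
  'node_modules/some-plugin/node_modules/react-server-dom-parcel': { version: '19.0.0' },
} };

for (const f of findUnpatched(sampleLock)) {
  console.log(`${f.path}: ${f.installed} is below ${f.fixed}`);
}
```

To check a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findUnpatched` and fail the CI job when the result is non-empty.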