Critical RCE Flaw Found in React Server Components
A critical remote code execution (RCE) vulnerability, dubbed "React2Shell," was discovered in React Server Components. The flaw stems from custom binary serialization logic that can be exploited even if RSCs are not in active use. Experts have compared its potential severity to the 2021 Log4Shell exploit, and Vercel paid out $750,000 in bug bounties related to its discovery.
- The vulnerability, assigned CVE-2025-55182, exists in the "Flight" protocol, which is how React Server Components serialize data for communication. The core of the exploit is an unsafe deserialization flaw: a specifically crafted, unauthenticated HTTP request can control how the server reconstructs data, leading to code execution.
- Security researcher Lachlan Davidson reported the vulnerability on November 29, 2025. Following its public disclosure on December 3, mass scanning began within hours, and threat actors, including cryptomining operations and state-sponsored groups, were observed actively exploiting it in the wild.
- The exploit works by tricking the server's deserialization logic into creating a fake Promise object. By manipulating React's internal `then` logic and abusing the `Function()` constructor, an attacker can execute arbitrary JavaScript on the server.
- In response, Vercel launched an aggressive bug bounty program on HackerOne, initially offering $50,000 for every unique method that could bypass its Web Application Firewall (WAF) protections. The company ultimately paid out $1 million for 20 unique bypass techniques, which helped it block over 6 million exploit attempts.
- The attack surface for this vulnerability exists before authentication and application-level middleware, because it targets the framework's own request processing pipeline for RSCs. Attackers were observed primarily scanning for open port 3000, the default for Next.js development servers.
- The increased scrutiny on this part of the codebase following the initial discovery led to the identification of two additional, related vulnerabilities: one that could cause a Denial of Service (DoS) and another that could lead to the exposure of server-side secrets and source code.