In the server components of the React web framework (RSC, React Server Components) eliminated vulnerability (CVE-2025-55182), which made it possible to execute arbitrary code on the server by sending a request to the server handler. The problem has been assigned a critical level of danger (10 out of 10). The vulnerability appears in the experimental components react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack, used to perform functions and form interface elements on the server, rather than on the client side.
The problem is caused by unsafe deserialization of data received in HTTP requests to server-side handlers. The “vm#runInThisContext”, “vm#runInNewContext”, “child_process#execFileSync”, and “child_process#execSync” handlers can be used to run commands on the system or execute JavaScript code in the context of the current process (bypassing sandbox isolation). It is also possible to use the “fs#readFileSync” and “fs#writeFileSync” handlers to read and write arbitrary files on the server, as far as current access rights allow. The attack does not require authentication. exploit prototype available.
The vulnerability of sites to the vulnerability depends on the use of the vulnerable server components react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack on them or their installation on the server. Applications that do not use react-server are not affected by the vulnerability. The extent to which the vulnerability affects production systems that use React is not yet clear. On the one hand, React is one of the most popular web frameworks (used by approximately 6% of websites), and vulnerable components are developed in the main repositories and are included in