Critical React Server Components (RSC) Vulnerability: What Happened and How to Secure Your Application

React Server Components (RSC) recently became the center of a major security incident after researchers disclosed a critical remote code execution (RCE) vulnerability that allows unauthenticated attackers to execute arbitrary code on affected servers. Alongside the RCE flaw, additional vulnerabilities enabling denial-of-service (DoS) attacks and server-side source code exposure were also identified.

The React core team and major frameworks such as Next.js have released security patches, and developers are strongly advised to upgrade immediately and reassess their server-side security posture.

---

What Are React Server Components (RSC)?

React Server Components (RSC) are an experimental feature introduced in the React 19 ecosystem that enables developers to render components on the server and stream UI updates to the client using a protocol known as Flight.

Instead of shipping all logic and data fetching to the browser, RSC keeps heavy computation and data access on the server. This approach offers several benefits:

• Reduced JavaScript bundle size

• Improved performance and time-to-interactive

• Simplified data-fetching patterns

• Clearer server-client boundaries

RSC is already used internally by modern frameworks such as Next.js, Remix, and other React meta-frameworks that integrate server-driven rendering into their routing and data layers.

---

The Critical RSC Vulnerability (CVE-2025-55182)

The primary vulnerability, tracked as CVE-2025-55182 and commonly referred to as “React2Shell”, is a critical unauthenticated remote code execution (RCE) flaw affecting the RSC Flight protocol.

Root Cause

The vulnerability originates from unsafe deserialization of attacker-controlled data in the server component request/response pipeline. The RSC server code incorrectly assumes trusted input, allowing malicious payloads to influence server-side execution logic.

Impact

• Attackers can send a crafted HTTP request

• No authentication or user interaction is required

• Arbitrary JavaScript code may execute on the server

• CVSS score: 10.0 (Critical)

Security researchers have already demonstrated working exploits, making immediate patching mandatory for production systems.

---

Additional RSC Vulnerabilities: DoS and Source Code Exposure

During further analysis of the RCE fix, researchers uncovered additional flaws impacting application stability and confidentiality.

Denial-of-Service (DoS)

A high-severity issue (e.g., CVE-2025-55184) allows attackers to send malicious payloads to RSC server function endpoints, triggering infinite loops that consume CPU resources until the process hangs or crashes.

Source Code Exposure

Another flaw may cause RSC responses to leak raw server-side source code or internal implementation details, increasing the risk of intellectual property theft and enabling further targeted attacks.

---

Who Is Affected?

The vulnerabilities primarily impact applications using experimental or early React Server Components support, including:

• React 19 projects with RSC enabled

• Frameworks using the Flight protocol (e.g., Next.js, Expo experimental server functions)

• Packages such as:

  • react-server

  • react-server-dom-webpack

  • Other RSC transport libraries

Projects relying on default or early-adopted RSC configurations are at the highest risk.

---

How the Attack Works (High-Level Overview)

At a high level, RSC relies on serialized Flight payloads to represent component trees, props, and server function calls exchanged between client and server.

The vulnerable code path processes these payloads with insufficient validation, allowing attackers to inject malformed data. This leads to:

• Unsafe deserialization

• Arbitrary server-side code execution (RCE)

• Infinite loops and resource exhaustion (DoS)

The issue highlights how serialization boundaries can become critical attack vectors if not properly hardened.

---

Patching and Mitigation Steps

The React team and framework maintainers have released security updates addressing these vulnerabilities.

Immediate Actions

• Upgrade React 19 and all RSC-related packages to the latest patched versions

• Update frameworks (Next.js, Expo, etc.) and regenerate lockfiles

• Rebuild and redeploy production environments

Short-Term Mitigations

• Disable experimental RSC or server functions if upgrading is not immediately possible

• Restrict public access to RSC endpoints using network controls

• Monitor logs for unusual RSC traffic patterns and CPU spikes

---

Hardening RSC in Production

Beyond patching, this incident reinforces the importance of defense-in-depth for server-rendered React applications.

Recommended Security Practices

• Apply least-privilege execution and strong process isolation

• Place RSC services behind WAFs or API gateways

• Rate-limit and validate serialized request payloads

• Maintain a consistent vulnerability management process

• Use dependency scanning and regular security audits aligned with frameworks like CIS Controls

---

Key Lessons for React Developers

The RSC vulnerability wave demonstrates how complex server-client abstractions can hide critical security assumptions. Even when using well-maintained frameworks, experimental server features should never be treated as production-safe by default.

For teams adopting React 19 and RSC:

• Roll out server features gradually

• Treat serialization boundaries as untrusted input

• Combine static analysis, runtime protections, and code reviews

• Favor explicit security controls over convenience

A security-first mindset is essential when pushing React beyond the browser and into the server.