## https://sploitus.com/exploit?id=3A419A31-953C-5AE3-8A3C-03BDA8766CC8
# Next.Js React Server Components (RSC) Vulnerabilities
This repository contains research notes and technical analysis of multiple security vulnerabilities affecting **React Server Components (RSC)** and **Next.js App Router** implementations.
The issues described below impact the RSC Flight protocol and Server Functions (Server Actions), and may lead to **remote code execution**, **source code disclosure**, or **denial of service** under certain conditions.
---
## Overview of affected technology
React Server Components rely on an internal serialization protocol known as **React Flight** to exchange data between the client and the server.
Next.js builds on top of this protocol to implement:
- App Router (`/app`)
- Server Components
- Server Functions / Server Actions
- RSC streaming responses (`text/x-component`)
Several vulnerabilities were identified in how **untrusted HTTP input** is deserialized and processed by the RSC runtime.
---
## CVE-2025-55182 โ React Server Components Remote Code Execution
### Description
CVE-2025-55182 is a **pre-authentication remote code execution (RCE)** vulnerability caused by unsafe deserialization logic in the React Flight protocol.
By sending a specially crafted HTTP `POST` request to a Server Function endpoint, an attacker may exploit **prototype pollution** during Flight payload deserialization.
This can result in arbitrary JavaScript execution on the server.
This vulnerability has been reported as **actively exploited in the wild**.
The vulnerability exists in the React Flight protocol's deserialization logic. By sending a malicious payload via HTTP POST, an attacker can achieve prototype pollution that leads to arbitrary code execution on the server.
https://github.com/sickwell/CVE-2025-55182/blob/main/cve-2025-55182.yaml
## CVE-2025-55183 - Server Function Source Code Disclosure
A source code disclosure vulnerability in Next.js React Server Components (RSC). A malicious HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function when the argument is stringified.
## CVE-2025-55184 - Server Components Denial of Service
Insecure deserialization vulnerability caused by unsafe payload deserialization in Server Function endpoints, letting unauthenticated attackers cause denial of service by hanging the server process.
### Detection
## Possible WAF bypass
## References
* [Vercel blog (Security Bulletin: CVE-2025-55184 and CVE-2025-55183)](https://vercel.com/kb/bulletin/security-bulletin-cve-2025-55184-and-cve-2025-55183#patched-versions)
* []()