CVE-2025-55182 is an unauthenticated flaw in the RSC protocol affecting Next.js 15–16 and React 19.0–19.2.0; upgrade to patched versions, or deploy to Deno Deploy for runtime mitigation.
Summary
Any Next.js App Router deployment accepting RSC requests is exploitable for arbitrary server code execution without authentication. Remediation is a single version bump with no breaking changes.
Implementation verdict
Replaces: current Next.js/React versions. Requires: immediate upgrade to Next.js 16.0.7+, 15.5.6+, or react-server-dom packages 19.2.1+. Ready now, with no migration complexity. Deno Deploy users are protected by a runtime mitigation but should still upgrade.
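To confirm the upgrade actually landed everywhere, including nested copies pulled in by other dependencies, the following added example (not code from this brief or from the Next.js/React projects) audits a parsed package-lock.json against the version floors stated above. The function names and the sample lockfile are constructed for illustration, and the floors are copied from this brief as written.

```javascript
// Patched floors copied from this brief; inner keys are the major versions it names.
const FLOORS = {
  next: { 15: [15, 5, 6], 16: [16, 0, 7] },
  "react-server-dom-": { 19: [19, 2, 1] }, // prefix match: webpack/parcel/turbopack builds
};

// "15.5.6-canary.2" -> { nums: [15, 5, 6], pre: true }; null if not semver-like.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  return m && { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) };
}

// True when the parsed version sorts before the floor. A pre-release of the
// floor itself (e.g. 16.0.7-canary.1) precedes the release, so it counts as below.
function belowFloor(parsed, floor) {
  for (let i = 0; i < 3; i++) {
    if (parsed.nums[i] !== floor[i]) return parsed.nums[i] < floor[i];
  }
  return parsed.pre;
}

// Classify one installed package; returns null for packages the brief does not name.
function classify(name, version) {
  const key = Object.keys(FLOORS).find((k) => (k.endsWith("-") ? name.startsWith(k) : name === k));
  if (!key) return null;
  const parsed = parseVersion(version);
  if (!parsed) return "unparsed";
  const floor = FLOORS[key][parsed.nums[0]];
  if (!floor) return "major-not-covered";
  return belowFloor(parsed, floor) ? "below-floor" : "at-or-above-floor";
}

// Walk the "packages" map of a parsed package-lock.json (lockfileVersion 2/3),
// including nested node_modules copies pulled in by other dependencies.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    const status = path && meta.version ? classify(name, meta.version) : null;
    if (status) findings.push({ path, version: meta.version, status });
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = { packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/next": { version: "16.0.7" },
  "node_modules/cms/node_modules/next": { version: "15.5.2" },
  "node_modules/react-server-dom-webpack": { version: "19.2.0" },
  "node_modules/react": { version: "19.2.0" },
} };
console.log(auditLockfile(sampleLock));
```

In a real project, pass the result of `JSON.parse` on the lockfile contents to `auditLockfile` and fail the CI job on any `below-floor` finding.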
Sources
Dev Signal