Back to Blog
critical SEVERITY9 min read

CVE-2025-55182: Critical Next.js RCE via Unsafe Deserialization in RSC

A critical pre-authentication remote code execution vulnerability (CVE-2025-55182) was discovered in Next.js React Server Components, allowing attackers to execute arbitrary code on servers without any login or credentials required. The flaw stems from unsafe deserialization of untrusted data passed through the RSC pipeline. The vulnerability has been patched across multiple Next.js release lines, and all affected projects should upgrade immediately.

O
By Orbis AppSec
Published May 23, 2026Reviewed June 3, 2026

Answer Summary

CVE-2025-55182 is a critical unsafe deserialization vulnerability in Next.js React Server Components (CWE-502) that enables pre-authentication remote code execution. Attackers can execute arbitrary code by crafting malicious serialized objects passed through the RSC pipeline. The fix involves implementing strict type validation and secure deserialization patterns that reject untrusted payloads before instantiating objects.

Vulnerability at a Glance

cweCWE-502 (Deserialization of Untrusted Data)
fixImplement strict payload validation, type whitelisting, and secure deserialization patterns in the RSC serialization layer
riskPre-authentication remote code execution with full server compromise
languageJavaScript/TypeScript (Next.js)
root causeRSC pipeline deserializes untrusted client data without proper validation or type checking
vulnerabilityUnsafe Deserialization in React Server Components Pipeline

CVE-2025-55182: Critical Next.js RCE via Unsafe Deserialization in React Server Components

⚠️ Severity: CRITICAL | CVE: CVE-2025-55182 | Affected Component: Next.js React Server Components


Introduction

A critical security vulnerability has been discovered and patched in Next.js, one of the most widely used React frameworks in production web development. Tracked as CVE-2025-55182, this flaw enables pre-authentication remote code execution (RCE) through unsafe deserialization in the React Server Components (RSC) pipeline.

In plain terms: an unauthenticated attacker — someone with no account, no session, no credentials whatsoever — could potentially execute arbitrary code on your server simply by sending a crafted HTTP request. This is about as severe as vulnerabilities get.

If your application uses Next.js with React Server Components (which is the default architecture in the Next.js App Router), this vulnerability is directly relevant to you. Read on to understand what happened, how it works, and what you need to do right now.


What Is React Server Components (RSC)?

Before diving into the vulnerability, a quick primer helps set the stage.

React Server Components are a relatively new paradigm introduced in React 18 and deeply integrated into Next.js 13+ via the App Router. Unlike traditional React components that run in the browser, RSCs execute on the server and stream their output to the client.

The RSC protocol uses a specialized serialization format to transmit component trees, props, and data payloads between the server and the client. This serialization layer is what makes RSC powerful — and, in this case, what introduced a critical attack surface.

Client Browser
     |
     | HTTP Request (crafted payload)
     
Next.js Server
     |
     | RSC Deserialization Layer   ⚠️ Vulnerable point
     
Server-side Code Execution

The Vulnerability Explained

What Went Wrong: Unsafe Deserialization

Deserialization is the process of converting serialized data (like JSON, binary blobs, or custom formats) back into live objects or executable structures. It's a common operation in modern web frameworks — but it becomes extremely dangerous when the data being deserialized comes from an untrusted source and the deserialization logic doesn't properly validate or sanitize it.

CVE-2025-55182 falls squarely into this category. The RSC deserialization layer in affected versions of Next.js processed incoming serialized payloads in a way that allowed specially crafted inputs to trigger unintended code execution paths on the server.

The critical aspect here is the "pre-authentication" qualifier. Most RCE vulnerabilities require some level of access — an authenticated session, a specific role, or a particular application state. This vulnerability required none of that. Any network-accessible Next.js application was potentially exploitable by anyone who could send an HTTP request.

CWE Classification

This vulnerability maps to several Common Weakness Enumeration (CWE) categories:

  • CWE-502: Deserialization of Untrusted Data
  • CWE-94: Improper Control of Generation of Code (Code Injection)
  • CWE-20: Improper Input Validation

CWE-502 is particularly well-known in the security community — it's the same class of vulnerability responsible for high-profile exploits in Java ecosystems (Apache Commons Collections, Log4Shell's deserialization chain) and has been on the OWASP Top 10 list (A08:2021 – Software and Data Integrity Failures).

How Could It Be Exploited?

While a full proof-of-concept is not published here (responsible disclosure practices), the general attack pattern looks like this:

  1. Attacker identifies a Next.js application using the App Router with React Server Components enabled (the default for Next.js 13+).
  2. Attacker crafts a malicious serialized payload that exploits the unsafe deserialization logic in the RSC pipeline.
  3. Attacker sends the payload via an HTTP request to the application — no authentication, no session cookie, no special headers required.
  4. The server deserializes the payload, triggering the malicious code path.
  5. Arbitrary code executes in the context of the Next.js server process, potentially giving the attacker:
    - Access to environment variables and secrets (API keys, database credentials)
    - Ability to read/write files on the server
    - Ability to make outbound network requests (pivoting to internal services)
    - Full server takeover in worst-case scenarios

Real-World Impact Scenario

Imagine a SaaS company running their customer-facing dashboard on Next.js with the App Router. The application is publicly accessible. An attacker discovers the app is running a vulnerable version of Next.js.

Without logging in, the attacker sends a single crafted POST request. The server deserializes the payload and executes the attacker's code. Within seconds, the attacker has exfiltrated the .env file containing database credentials, third-party API keys, and signing secrets. The breach is silent — no login attempt in the logs, no failed authentication, nothing obviously suspicious.

This scenario is not hypothetical hyperbole. It's the exact class of impact that pre-auth RCE vulnerabilities enable, and it's why this CVE carries a CRITICAL severity rating.


The Fix

What Was Patched

The Next.js security team released patches across multiple active release lines to ensure broad coverage:

Previous Version Patched Version
15.0.x 15.0.5
15.1.x 15.1.9
15.2.x 15.2.6
15.3.5 15.3.6
15.4.x 15.4.8
15.5.x 15.5.7
16.0.x 16.0.7

The fix addresses the unsafe deserialization behavior in the RSC pipeline by implementing proper validation and sanitization of incoming serialized payloads before they are processed. The core principle of the fix aligns with the fundamental rule of deserialization security: never deserialize data from untrusted sources without strict type checking and validation.

How to Apply the Fix

Updating your Next.js dependency is straightforward. In your package.json:

Before (vulnerable):

{
  "dependencies": {
    "next": "15.3.5"
  }
}

After (patched):

{
  "dependencies": {
    "next": "15.3.6"
  }
}

Then run your package manager's install command:

# npm
npm install

# yarn
yarn install

# pnpm
pnpm install

After updating, verify the installed version:

npx next --version
# or
cat node_modules/next/package.json | grep '"version"'

Verifying the Fix with a Security Scanner

After upgrading, it's good practice to re-scan your dependencies to confirm the vulnerability is resolved:

# Using npm audit
npm audit

# Using Trivy (the scanner that detected this CVE)
trivy fs --scanners vuln .

# Using Snyk
snyk test

A clean scan after upgrading to a patched version confirms the fix is in place.


Prevention & Best Practices

CVE-2025-55182 is a powerful reminder of several security principles that every development team should internalize. Here's how to reduce your exposure to this class of vulnerability going forward.

1. Keep Dependencies Updated (Continuously)

The most effective defense against known CVEs is staying current with dependency updates. This sounds obvious, but dependency staleness is endemic in production codebases.

Recommendations:
- Enable Dependabot or Renovate Bot on your repositories to automate dependency update PRs.
- Subscribe to security advisories for your critical dependencies (Next.js, React, etc.) via GitHub Security Advisories or the npm security feed.
- Treat critical and high-severity CVE patches as P0 incidents, not routine maintenance.

# Example: .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/frontend"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10

2. Integrate Automated Vulnerability Scanning in CI/CD

Don't rely on manual checks. Integrate vulnerability scanning directly into your pipeline so that vulnerable code never makes it to production undetected.

# Example: GitHub Actions security scan
- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@master
  with:
    scan-type: 'fs'
    scan-ref: '.'
    scanners: 'vuln'
    severity: 'CRITICAL,HIGH'
    exit-code: '1'  # Fail the build on findings

3. Understand Deserialization Risks in Your Stack

If you work with frameworks that perform serialization/deserialization (Next.js RSC, tRPC, GraphQL with complex types, etc.), understand where untrusted data enters those pipelines.

Key questions to ask:
- Does this framework deserialize data from HTTP request bodies?
- Is there validation before deserialization occurs?
- What's the blast radius if deserialization is exploited?

The OWASP guidance on Insecure Deserialization is an excellent reference.

4. Apply Defense-in-Depth

Even with patched dependencies, defense-in-depth reduces the impact of zero-days and undiscovered vulnerabilities:

  • Run Node.js processes with least privilege — don't run your Next.js server as root.
  • Use network segmentation — your Next.js server shouldn't have unrestricted access to your database, internal APIs, or cloud metadata endpoints.
  • Implement a Web Application Firewall (WAF) — while WAFs can't stop all RCE exploits, they can block known exploit patterns and anomalous request shapes.
  • Monitor for anomalous behavior — unusual outbound connections, unexpected file system access, or process spawning from your web server process are red flags.
# Example: Running Next.js with reduced privileges
# In your Dockerfile
RUN addgroup --system --gid 1001 nodejs
RUN adduser --system --uid 1001 nextjs
USER nextjs

5. Use a Software Bill of Materials (SBOM)

Knowing exactly what's in your application at all times is foundational to rapid vulnerability response. Tools like Syft can generate SBOMs automatically:

# Generate an SBOM for your Node.js project
syft dir:./frontend -o spdx-json > sbom.json

When a new CVE drops, you can immediately query your SBOM to know whether you're affected — no guesswork required.

6. Follow the OWASP Top 10 and Secure Coding Standards

This vulnerability maps directly to OWASP A08:2021 – Software and Data Integrity Failures, which covers insecure deserialization, CI/CD pipeline integrity, and auto-update vulnerabilities. Regularly reviewing your codebase against the OWASP Top 10 helps catch entire classes of vulnerabilities before they become CVEs.

Relevant resources:
- OWASP Top 10 A08:2021
- CWE-502: Deserialization of Untrusted Data
- NIST NVD: CVE-2025-55182


Timeline & Disclosure

Date Event
Discovery CVE-2025-55182 identified and reported
Patch Release Next.js patched versions released across all active branches
Public Disclosure CVE published in NVD
Automated Fix OrbisAI Security automated the upgrade via PR

The rapid patching across seven release lines simultaneously reflects the Next.js team's recognition of the severity. This kind of broad patch coverage is best practice for critical vulnerabilities — it ensures teams on older-but-supported branches aren't left exposed.


Conclusion

CVE-2025-55182 is a stark reminder of how foundational security principles — validate your inputs, never trust serialized data from untrusted sources, keep your dependencies current — apply even to cutting-edge framework features like React Server Components.

The key takeaways:

  1. Upgrade immediately to a patched version of Next.js (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7).
  2. Automate your dependency updates so you're not relying on manual vigilance for critical patches.
  3. Integrate vulnerability scanning into your CI/CD pipeline to catch issues before they reach production.
  4. Apply defense-in-depth — patching is necessary but not sufficient for a robust security posture.
  5. Understand deserialization risks in the frameworks and libraries you depend on.

Pre-authentication RCE vulnerabilities are among the most dangerous class of security issues that exist. The good news: the fix is a one-line version bump. There is no reason to run vulnerable code when the patch is this accessible.

Update your Next.js today. Your future self — and your users — will thank you.


This security fix was automatically detected and remediated by OrbisAI Security. Automated security tooling ensures vulnerabilities like CVE-2025-55182 are caught and patched rapidly, reducing your window of exposure.


Have questions about this vulnerability or need help assessing your exposure? Check the Next.js Security Advisories page for the official advisory and additional guidance.

Frequently Asked Questions

What is unsafe deserialization in Next.js RSC?

It's when the RSC pipeline converts serialized data from clients back into JavaScript objects without validating that the data structure is safe, allowing attackers to instantiate arbitrary classes and execute code.

How do you prevent unsafe deserialization in Next.js?

Validate all deserialized data against a whitelist of allowed types, implement strict schema validation, avoid deserializing untrusted data directly, and use secure serialization libraries that don't instantiate arbitrary classes.

What CWE is this vulnerability?

CWE-502: Deserialization of Untrusted Data, which covers all unsafe deserialization patterns across programming languages.

Is input sanitization enough to prevent this vulnerability?

No—sanitization of serialized strings is insufficient because the danger occurs at deserialization time when objects are instantiated. You need type whitelisting and validation before deserialization occurs.

Can static analysis detect this vulnerability?

Yes—static analysis tools can identify dangerous deserialization patterns, missing type validation in RSC handlers, and untrusted data flowing into deserialization functions. Semgrep and similar tools can flag these patterns automatically.

View the Security Fix

Check out the pull request that fixed this vulnerability

View PR #43

Related Articles

critical

How buffer overflow in memcpy() happens in Node.js N-API bindings and how to fix it

A critical buffer overflow vulnerability was discovered in the GetBufferAsVector() function in examples_nodejs/src/zupt_napi.cpp, where memcpy() copied data from JavaScript Uint8Array buffers without proper bounds validation. This vulnerability could allow attackers to trigger memory corruption by providing maliciously crafted input arrays to the native Node.js module, potentially leading to crashes or arbitrary code execution.

critical

How buffer overflow happens in C sprintf() and how to fix it

A critical buffer overflow vulnerability was discovered in the ArrowTest() function in main/main.c, where sprintf() was writing formatted strings to a 24-byte buffer without bounds checking. By replacing sprintf() with snprintf() and specifying the buffer size, the vulnerability was eliminated, preventing attackers from corrupting heap memory through oversized width or height parameters.

critical

How buffer overflow happens in C libficus.c sprintf() and how to fix it

A buffer overflow vulnerability was discovered in `runtime/ficus/impl/libficus.c` where `sprintf()` was used to write a formatted compiler version string into a fixed-size stack buffer without any bounds checking. The fix replaces both vulnerable `sprintf()` calls with `snprintf()`, passing `sizeof(cver)` as the maximum write length to ensure the buffer can never be overrun. This change eliminates the risk of stack memory corruption that could be triggered by an attacker with control over the bu

critical

How buffer overflow via strcpy() happens in C Kconfig parsing and how to fix it

A critical buffer overflow vulnerability was discovered in the Linux kernel's Kconfig build system where `strcpy()` copied user-controlled symbol values into a fixed-size buffer without bounds checking. This flaw in `scripts/kconfig/symbol.c` could allow attackers to overwrite adjacent memory when processing malicious Kconfig files. The fix replaces the unsafe `strcpy()` with `memcpy()` using explicit length calculations.

critical

How buffer overflow in locale name processing happens in C and how to fix it

A critical buffer overflow vulnerability was discovered in `intl/localename.c` where the `gl_locale_name_canonicalize()` function used unsafe `strcpy()` operations to copy locale names into fixed-size buffers without bounds checking. An attacker controlling locale environment variables could overflow the destination buffer, leading to memory corruption and potential code execution. The fix replaced `strcpy()` with bounded `strncpy()` calls to prevent buffer overruns.

critical

How buffer overflow happens in C strcpy() and how to fix it

A critical buffer overflow vulnerability was discovered in `sbin/restore/tape.c` where the `setinput()` function used unsafe `strcpy()` to copy user-controlled input into a fixed-size buffer without bounds checking. The fix replaces `strcpy()` with `strlcpy()`, which enforces a maximum copy length and prevents the overflow. This vulnerability could have allowed attackers to corrupt memory and potentially execute arbitrary code through long command-line arguments.