A step-by-step walkthrough covering discovery, validation and real-world exploitation in React and Next.js applications
Introduction
CVE-2025-55182 is a critical security vulnerability affecting applications built with React Server Components (RSC), particularly Next.js applications that use the App Router. Because of its high impact and low exploitation effort, it carries the maximum CVSS score of 10.0. In this guide, I will explain how the vulnerability works, show practical methods for identifying affected targets, and demonstrate both manual and automated approaches for testing for CVE-2025-55182 safely and effectively.
How Does It Work?
The root cause is a flaw in how the server handles data in the “Flight” protocol, the protocol React Server Components use to communicate between the client and the server.
- React Server Components (RSC): This is a feature designed to speed up web applications by letting parts of the user interface (components) render on the server instead of the user’s browser.
- The Flaw (Insecure Deserialization): When data travels between the client (browser) and the server using the Flight protocol, the server…
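Before testing anything, a defender needs to know which hosts actually speak the Flight protocol and which of them accept client-supplied Flight payloads. The script below is an added example, not code from the original post: it runs over a few constructed access-log lines and summarises, per host, how many requests carried Flight protocol markers and how many were Server Action invocations, so the exposed hosts can be patched first. It assumes the Next.js App Router markers (the `RSC` request header, the `Next-Action` request header and the `text/x-component` response content type) and a simple pipe-separated log format; the presence of these markers only shows that a host uses RSC, not that it is vulnerable.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample access-log lines (not real traffic). Format, pipe-separated:
#   host | method | path | request headers (name:value, comma separated) | response content-type
SAMPLE_LOG = """\
app.example.test | GET | /dashboard | rsc:1, accept:text/x-component | text/x-component
app.example.test | POST | / | next-action:0123abcd, content-type:text/plain | text/x-component
app.example.test | GET | /about | accept:text/html | text/html
api.example.test | POST | /api/login | content-type:application/json | application/json
shop.example.test | POST | /cart | next-action:feedface, content-type:multipart/form-data | text/x-component
"""

# Next.js App Router markers this example keys on (assumed from Next.js behaviour,
# not taken from the post): the "RSC" request header marks a Flight navigation
# request, "Next-Action" carries the Server Action id, and Flight responses use
# the text/x-component content type. Their presence means the host speaks the
# Flight protocol; it does not by itself prove the host is vulnerable.
RSC_HEADER = "rsc"
ACTION_HEADER = "next-action"
FLIGHT_CONTENT_TYPE = "text/x-component"


@dataclass
class LogEntry:
    host: str
    method: str
    path: str
    headers: dict
    response_type: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one pipe-separated line; return None for blank or malformed lines."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 5:
        return None
    headers = {}
    for raw in parts[3].split(","):
        name, _, value = raw.strip().partition(":")
        if name:
            headers[name.lower()] = value.strip()
    return LogEntry(parts[0], parts[1].upper(), parts[2], headers, parts[4].lower())


def is_flight_request(entry: LogEntry) -> bool:
    """True if the request or response carries a Flight protocol marker."""
    return RSC_HEADER in entry.headers or entry.response_type == FLIGHT_CONTENT_TYPE


def is_server_action(entry: LogEntry) -> bool:
    """True for POSTs that invoke a Server Action, i.e. the server deserializes
    a client-supplied Flight payload."""
    return entry.method == "POST" and ACTION_HEADER in entry.headers


def triage(log_text: str) -> dict:
    """Per-host summary of Flight traffic: number of Flight requests, number of
    Server Action invocations and the paths involved. Hosts with no Flight
    traffic are omitted."""
    summary = defaultdict(lambda: {"flight": 0, "actions": 0, "paths": set()})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_flight_request(entry):
            continue
        stats = summary[entry.host]
        stats["flight"] += 1
        stats["paths"].add(entry.path)
        if is_server_action(entry):
            stats["actions"] += 1
    return dict(summary)


if __name__ == "__main__":
    # Hosts accepting Server Actions are printed first: those endpoints take
    # client-controlled Flight data and should be patched before the rest.
    ranked = sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["actions"])
    for host, stats in ranked:
        print(f"{host}: {stats['flight']} Flight requests, "
              f"{stats['actions']} Server Actions, paths={sorted(stats['paths'])}")
```

On the constructed sample, `app.example.test` and `shop.example.test` are reported as Flight hosts that also accept Server Actions, while `api.example.test` is left out because none of its traffic carries a Flight marker. Pointing the parser at a real log export needs only the `parse_line` function adapted to the server's log format.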