
Critical RCE Vulnerability in React Server Components (CVE-2025-55182) Enables Unauthenticated Remote Code Execution
Tags: react, server_components, remote_code_execution, rce, cve_2025_55182, deserialization, flight_protocol, nextjs, cybersecurity, vulnerability, exploit, oopssec_store, prototype_pollution, state_actors
A critical vulnerability (CVE-2025-55182, CVSS score 10.0) affects React Server Components (RSC) and allows unauthenticated remote code execution (RCE). Discovered in the OopsSec Store project, a deliberately vulnerable React store, the flaw lies in the deserialization logic of React's Flight protocol. By manipulating client-controlled properties, an attacker can reach the Function object through the prototype chain and execute arbitrary code on the server. The exploit was demonstrated by reading the .env.local file, which revealed secrets including the flag OSS{r3act2sh3ll}. The vulnerability was published on December 3, 2025, and was exploited at scale within hours, including by state-sponsored groups. Remediation requires updating both React and Next.js.
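The root cause described above is a deserializer that lets client-supplied property names walk an object's prototype chain until they reach Function. The example below is added here and is not code from the original page, from React, or from the OopsSec Store project; it shows the generic server-side mitigation for that class of bug: a resolver that only follows own properties and refuses prototype-related keys, plus a scanner that flags such keys in a decoded client payload before it is processed. The payload shapes and the `safeResolve`/`findForbiddenKeys` names are constructed for illustration.

```javascript
// Added example (not from the page or the React project): defensive handling of
// client-supplied property paths, the primitive behind the RCE described above.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Resolve `path` (an array of property names supplied by the client) against
// `root`, refusing any segment that would move through the prototype chain and
// only following own properties. Returns { ok: true, value } or { ok: false, reason }.
function safeResolve(root, path) {
  if (!Array.isArray(path)) return { ok: false, reason: "path must be an array" };
  let current = root;
  for (const key of path) {
    if (typeof key !== "string") return { ok: false, reason: "non-string key" };
    if (FORBIDDEN_KEYS.has(key)) return { ok: false, reason: `forbidden key: ${key}` };
    if (current === null || typeof current !== "object") {
      return { ok: false, reason: "cannot descend into non-object" };
    }
    // Inherited properties (e.g. anything on Object.prototype) are not reachable.
    if (!Object.prototype.hasOwnProperty.call(current, key)) {
      return { ok: false, reason: `no own property: ${key}` };
    }
    current = current[key];
  }
  return { ok: true, value: current };
}

// Walk a decoded client payload (e.g. a parsed JSON chunk) and return the
// JSON-pointer-style locations of keys that should never come from a client.
// An empty list means the payload contains no prototype-related keys.
function findForbiddenKeys(value, prefix = "") {
  const hits = [];
  if (value === null || typeof value !== "object") return hits;
  for (const key of Object.keys(value)) {
    const here = `${prefix}/${key}`;
    if (FORBIDDEN_KEYS.has(key)) hits.push(here);
    hits.push(...findForbiddenKeys(value[key], here));
  }
  return hits;
}

// Constructed sample inputs: a benign payload and one carrying prototype keys.
const BENIGN = JSON.parse('{"user":{"name":"alice","roles":["admin"]}}');
const SUSPECT = JSON.parse('{"a":{"__proto__":{"x":1}},"b":{"constructor":{"prototype":{}}}}');

console.log(safeResolve(BENIGN, ["user", "name"]));                        // ok: alice
console.log(safeResolve(BENIGN, ["user", "constructor", "constructor"]));  // refused
console.log(findForbiddenKeys(SUSPECT));                                   // three hits
```

`JSON.parse` creates `__proto__` as an ordinary own property, so `Object.keys` does see it; the scanner therefore catches payloads that a naive deserializer would later treat as a prototype assignment. Rejecting the whole request when `findForbiddenKeys` returns anything is a cheap compensating control while the React and Next.js updates are rolled out, but it is not a substitute for them.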