A newly disclosed critical vulnerability in React Server Components (RSC) tracked as CVE-2025-55182 has put thousands of production applications at risk.
Because React Server Components execute on the server, any flaw in RSC has server-level consequences: remote code execution, data exposure, unauthorized access, and service hijacking.
Frameworks built on top of RSC, especially Next.js 15 and 16, are directly impacted through CVE-2025-66478, making this one of the most serious React ecosystem vulnerabilities in years.
If you are using React 19, Next.js 15–16, or any RSC-powered framework, it is critical to patch immediately.
But beyond just patching, our real-world experience cleaning an infected production server showed exactly how dangerous outdated systems can be.
Let’s break it down.
What Is the React Server Components Vulnerability (CVE-2025-55182)?
React Server Components allow React code to run on the server and stream UI updates to the client.
This gives developers a powerful server-side rendering and data-fetching layer, but it also creates an extended attack surface.
CVE-2025-55182 is a critical flaw in the RSC execution pipeline.
Security researchers found that attackers can manipulate:
- Server Component serialization
- Data hydration
- Request boundaries
- Component lifecycle behaviors
This could allow:
- Remote code execution
- Sensitive data exfiltration
- Template injection
- Server-side state manipulation
Next.js inherits this vulnerability through its RSC integration, tracked as CVE-2025-66478.
Impacted Versions and Required Updates
Next.js Affected Versions:
All 15.x and 16.x versions.
Patch Versions:
Update immediately to:
- 15.0.5
- 15.1.9
- 15.2.6
- 15.3.6
- 15.4.8
- 15.5.7
- 16.0.7
React 19 Affected Versions:
All React 19 builds before the patched releases listed below.
React Patch Versions:
- 19.0.1
- 19.1.2
- 19.2.1
If you use any RSC-dependent framework, upgrade React immediately.
If Your Server Is Already Compromised (Linux)
Essential Malware Investigation and Cleanup Commands
These commands were used during the actual infection recovery process. They can help you track down malicious processes, identify rogue systemd services, and detect auto-restarting malware.
Kill a Malicious Process by Name
If you detect an unknown process such as "fghgf":
pkill -f fghgf
This kills all running processes whose name or full command line matches the pattern. Because -f matches against the entire command line, a short pattern can also match unrelated processes, so verify what matches before killing.
Watch File Creation in Real-Time (excellent for catching malware)
Malware often drops files into /tmp, /dev, or custom folders.
inotifywait -m /dev -e create
The inotifywait tool comes from the inotify-tools package. You can change /dev to /tmp or any other directory you want to monitor.
Find Which Executable Created a Suspicious Device/File
If /dev/fghgf existed and you want to know which process owns it:
lsof /dev/fghgf
This reveals the PID, executable name, and process owner.
Find the Parent Process (PPID) to Identify How Malware Started
Replace the PID number (33458) with your suspicious PID:
ps -o pid,ppid,user,cmd -p 33458
If PPID = 1, the malware was started by systemd → check systemd services immediately. Note that PPID 1 can also mean the original parent has exited and the process was reparented to init, so confirm the owning unit with the cgroup check further below.
Inspect systemd Services for Malware Startup Scripts
List units wanted by sysinit.target:
ls -al /etc/systemd/system/sysinit.target.wants
Show all custom services:
ls -al /etc/systemd/system/*.service
Search all service files for ExecStart (common malware insertion point):
grep -R "ExecStart" -n /etc/systemd/system/*.service
Find Recently Modified Systemd Service Files
find /etc/systemd/system -type f -printf '%TY-%Tm-%Td %TH:%TM %p\n' | sort -r | head -n 30
This lists the most recently modified unit files, which is often where the malware's persistence entry lives.
Identify Which systemd Service Owns a Running Process
cat /proc/104125/cgroup
Replace 104125 with the suspicious PID. The cgroup path ends with the systemd unit (for example system.slice/<service-name>.service) that owns the process, which is the unit to stop and remove in the next steps.
Stop the service immediately
This halts the running malicious process:
systemctl stop <service-name>
Disable the service so it does NOT start on boot
systemctl disable <service-name>
Delete the systemd service file
After stopping and disabling the service, remove the service definition:
rm -f /etc/systemd/system/<service-name>.service
Reload systemd to apply changes
systemctl daemon-reload
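The triage steps above (parent PID, owning systemd unit, ExecStart review) bundled into one small POSIX shell helper. This is an added example, not a command from the original cleanup; it assumes a Linux host with procfs and unit files under /etc/systemd/system, and the PID 33458 and the name fghgf from the post are used only as placeholders.

```shell
#!/bin/sh
# Added triage helper (not from the original post). Assumes a Linux host with
# procfs and unit files under /etc/systemd/system; the PID and the unit name
# "fghgf" in the usage line at the bottom are constructed placeholders.

# Extract the systemd unit(s) owning a process from /proc/<pid>/cgroup text on
# stdin; both cgroup v1 and v2 lines end the path with the unit name.
unit_from_cgroup() {
  sed -n 's#.*/\([^/]*\.service\)$#\1#p' | sort -u
}

# Print "PID PPID UNIT EXE" for one PID. PPID 1 alone only proves the parent is
# init (an orphan is reparented there too); the cgroup unit is the stronger signal.
triage_pid() {
  pid="$1"
  [ -r "/proc/$pid/status" ] || { echo "no such pid: $pid" >&2; return 1; }
  ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
  unit=$(unit_from_cgroup < "/proc/$pid/cgroup")
  exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
  echo "$pid $ppid ${unit:-no-unit} $exe"
}

# Flag ExecStart lines (stdin) that launch from /tmp, /var/tmp or /dev, where a
# legitimate unit almost never lives; systemd prefixes like "-" or "@" are tolerated.
suspicious_execstart() {
  grep -E '^ExecStart=[-@:+!]*(/tmp/|/var/tmp/|/dev/)' || true
}

# Walk every .service file in a directory, newest first, and print only the
# ExecStart lines that trip suspicious_execstart, prefixed by the file name.
scan_units() {
  dir="${1:-/etc/systemd/system}"
  for f in $(ls -t "$dir"/*.service 2>/dev/null); do
    [ -f "$f" ] || continue
    grep '^ExecStart=' "$f" | suspicious_execstart | sed "s#^#$f: #"
  done
}

# Usage on a live host (PID 33458 and the directory are placeholders):
#   triage_pid 33458 && scan_units /etc/systemd/system
```

A flagged unit still needs a look at the whole file and at the binary it points to before removal; a unit whose ExecStart sits under a normal path can still be malicious.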