On December 3, 2025, the React Team disclosed a critical remote code execution (RCE) vulnerability affecting React Server Components, commonly used in modern Next.js deployments. An unauthenticated attacker could craft a malicious HTTP request that, when deserialized by React, results in remote code execution on the server. Additional technical details will be released once the upstream fix rollout is complete.

Learn more about what we know so far, the potential impact, and what security teams should be doing next in this Bugcrowd Security Flash with Trey Ford and Matt Held. 

Don’t miss our updated security flash recorded on Dec 9 at 8pm ET. In this edition, Casey Ellis and Matt Held outline what we’ve learned about this vulnerability in the past week. 

CVE-2025-55182 potential impact

While this vulnerability is significant, it is not on the scale of Log4j. Early cloud telemetry suggests exposure in approximately one-third of monitored environments: serious, widespread, and urgent, but not internet-wide.

We’ll continue to update this blog as more information becomes available. 

Bugcrowd’s response

As soon as the vulnerability was disclosed, Bugcrowd Security initiated our zero-day response process. Here’s what we’ve done so far and what customers can expect from us:

  • A dedicated triage group activated—We have established a focused triage team to process all submissions related to CVE-2025-55182, which will be handled as a priority, regardless of program tier. 
  • Validating submissions across customer assets—We have already received and validated multiple proof-of-concept reports demonstrating real-world impact across our customer base.
  • Prioritization rules for this zero-day—To ensure timely and accurate support, we are applying the following temporary guidelines:
    • We will triage any submission that demonstrates a real underlying vulnerability, even if the exploit is not fully weaponized.
    • This includes reports where a researcher provides a reproducible malicious HTTP request, such as reliably triggering the known 500 Internal Server Error signature associated with this CVE.
    • We will triage all assets shown to be vulnerable where reproduction is appropriate and in scope.
    • If safe reproduction is not possible (e.g., unclear asset ownership, out-of-scope systems), we will return the submission to you for review.
  • Customization based on your internal response—If your teams already have detection and remediation efforts underway for CVE-2025-55182, you may contact us to adjust how we handle these reports in your queue. This may include, at your request, pausing or filtering submissions related to this CVE so your security team can focus on internal remediation.
  • Patches and mitigations—The React Team has released patched versions of the affected React Server Components packages; additional details are available from the React Team.

We strongly recommend upgrading to these versions as soon as possible and validating any downstream packages in your dependency chain.

Next steps and resources

Bugcrowd treats zero-day events like this as moments when customers need clear, fast, and actionable visibility. That’s why we mobilized our global hacker community and internal response teams when this vulnerability was disclosed. We remain committed to providing every customer with the intelligence and support they need to stay ahead of evolving threats.

If you have any questions or require adjustments to how we process CVE-related submissions, please contact your Bugcrowd Customer Experience Manager.

Here are a few additional resources for more information: