React Server Components RCE PoC – Vulnerable Stack
This Next.js application intentionally uses vulnerable React Server Components (RSC) and Next.js versions in order to test how well security scanners can detect the related remote code execution (RCE) vulnerabilities.
Affected Vulnerabilities
- CVE-2025-55182 – React Server Components “Flight” protocol unsafe deserialization in the react-server-dom-* packages.
- CVE-2025-66478 – a duplicate of CVE-2025-55182; rejected.
Environment purpose
This container is designed only for:
- Testing SCA and container scanners against known-vulnerable React / Next.js RSC versions
- Reproducing detection rules and signatures in a controlled lab
Do not expose this container to the public internet, do not use it with real user data, and do not deploy it in production.
Key vulnerable components
- React RSC packages:
  - react-server-dom-webpack 19.0.0 / 19.1.0 / 19.1.1 / 19.2.0
  - react-server-dom-parcel 19.0.0 / 19.1.0 / 19.1.1 / 19.2.0
  - react-server-dom-turbopack 19.0.0 / 19.1.0 / 19.1.1 / 19.2.0
- Next.js:
- All stable 15.x
- All stable 16.x prior to the patched 16.0.7
- Canary builds from 14.3.0-canary.77 and above
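A version check for the ranges listed above, added here as an example and not part of this repository: it flags react-server-dom-* and Next.js versions that fall in the affected set, so a lockfile can be checked before trusting a scanner's verdict. The name-to-version map and the scanDependencies helper are constructed for illustration.

```javascript
// Added example (not part of this repo): check dependency versions against the
// affected ranges listed in this README. Input is a constructed name->version map.
const RSC_PACKAGES = ["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"];
const RSC_AFFECTED = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);

// Parse "MAJOR.MINOR.PATCH" or "MAJOR.MINOR.PATCH-canary.N"; null if the format is unknown.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?$/.exec(v);
  if (!m) return null;
  return { core: [+m[1], +m[2], +m[3]], canary: m[4] === undefined ? null : +m[4] };
}

// Lexicographic comparison of [major, minor, patch] triples.
function cmpCore(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isRscAffected(name, version) {
  return RSC_PACKAGES.includes(name) && RSC_AFFECTED.has(version);
}

// Implements the Next.js ranges from this README literally: all stable 15.x,
// stable 16.x below 16.0.7, and canary builds from 14.3.0-canary.77 upwards.
function isNextAffected(version) {
  const p = parseVersion(version);
  if (!p) return false; // unrecognised format: not matched, review by hand
  if (p.canary !== null) {
    const c = cmpCore(p.core, [14, 3, 0]);
    return c > 0 || (c === 0 && p.canary >= 77);
  }
  if (p.core[0] === 15) return true;
  if (p.core[0] === 16) return cmpCore(p.core, [16, 0, 7]) < 0;
  return false;
}

// Walk a flat {name: version} map and return one finding per affected package.
function scanDependencies(deps) {
  const findings = [];
  for (const [name, version] of Object.entries(deps)) {
    if (isRscAffected(name, version) || (name === "next" && isNextAffected(version))) {
      findings.push({ name, version, id: "CVE-2025-55182" }); // the CVE this README tracks
    }
  }
  return findings;
}

// Constructed sample resembling this lab's dependency set.
const SAMPLE_DEPS = { next: "16.0.6", "react-server-dom-webpack": "19.2.0", react: "19.2.0", "react-server-dom-parcel": "19.2.1" };
console.log(scanDependencies(SAMPLE_DEPS));
```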
References
- Snyk / DEV post: Security Advisory: Critical RCE Vulnerabilities in React Server Components & Next.js
- Snyk advisory – react-server-dom-webpack: SNYK-JS-REACTSERVERDOMWEBPACK-14173285
- Snyk advisory – react-server-dom-turbopack: SNYK-JS-REACTSERVERDOMTURBOPACK-14173287
- Snyk advisory – react-server-dom-parcel: SNYK-JS-REACTSERVERDOMPARCEL-14173286
- Snyk advisory – Next.js RSC integration: SNYK-JS-NEXT-14173355