
Zero-Day CVE-2025-55182: How React 19 & Next.js 15–16 Servers Were Exposed (Case Study)
Recently, one of our clients’ VPS servers was silently compromised due to a React Server Components vulnerability (CVE-2025-55182). It affected React 19 and frameworks like Next.js running versions 15 to 16.
While the initial issue is tied to the React ecosystem, the intrusion didn’t stop there; it quickly began affecting other Node.js applications on the same server. Processes were disguised, critical commands were killed, and CPU usage spiked instantly.
This guide walks through how we detected the issue, cleaned the server, and implemented best practices to prevent similar attacks. If you’re running Next.js, React, or other Node.js apps on a VPS, this is for you.
RSC vulnerability Next.js – Symptoms Observed on the Client Server
- Node.js processes behaving unexpectedly
- PM2 processes running from /tmp
- Unusual CPU spikes on otherwise idle servers
- Commands like curl failing silently
- Hidden scripts in /tmp or /dev directories
- Application restarts without configuration changes
Pro tip: Vulnerabilities in frameworks like React can become entry points for attackers, allowing them to spread malware to other apps sharing the same server environment.
RSC vulnerability Next.js – What We Found
After investigating the server, we uncovered multiple malicious artifacts:
Hidden binaries and scripts
- Located in /tmp, /var/tmp, and user home directories
- Disguised as legitimate system or Node.js files
- Several binaries were obfuscated and designed to relaunch themselves if removed
Malicious Node.js/PM2 processes
- PM2 environment hijacked via /tmp/.pm2
- Rogue Node.js scripts running hidden tasks unrelated to any deployed app
- Attackers used PM2 to maintain persistence and respawn malicious processes after termination
Persistence mechanisms
- Cron jobs executing malicious scripts periodically
- Modified startup scripts and local packages
- Some cron entries were masked with names resembling system utilities
Supply-chain contamination
- Compromised npm dependencies installed in client apps
- Vulnerable React Server Components allowed initial access
- Lateral movement allowed access to other Node.js apps on the same VPS
Cryptomining activity (critical finding)
- The server was consistently running at 95–100% CPU usage even during low-traffic periods
- Malicious processes were mining Monero (XMR) in the background
- The miner was configured to automatically reconnect to a remote mining pool if killed
Even a single vulnerable Next.js or React app can be a bridge for attackers to infiltrate other apps and the overall server environment. Isolation and monitoring are key.
Understanding the CVE: Why This Vulnerability Exists
CVE-2025-55182 is a vulnerability in React Server Components that allows attackers to execute arbitrary code on the server hosting a vulnerable app. The root cause lies in how React Server Components handle serialized data and component rendering on the server:
- Server Components can accept props and serialized input from the client.
- In vulnerable versions (React 19 prior to 19.0.1), improper input validation and deserialization allowed attackers to inject malicious payloads.
- When a Next.js or Node.js server renders these components, the payload can execute arbitrary Node.js commands, giving attackers a foothold on the server.
- Once inside, attackers can move laterally to other applications or install persistent malware.
Key takeaway: Even if the vulnerability is “just” in a React component, it can become a full server compromise if developers don’t validate input, isolate apps, or keep dependencies updated.
By understanding the mechanism of the vulnerability, you can:
- Implement environment isolation to prevent one compromised app from affecting others.
- Sanitize and validate inputs for server-rendered components.
- Apply updates promptly to frameworks and dependencies.
RSC vulnerability Next.js – Detection Steps (Safe Checks)
1. Scan for suspicious processes
2. Check temporary directories for hidden files
3. Verify cron jobs
4. Check PM2 environment
5. Inspect npm dependencies
- Look for unknown or unmaintained packages in package.json
- Remove or replace packages flagged by npm audit
Removal and Cleanup
1. Terminate rogue processes
pkill -f "/tmp/.pm2|node"
(Note that this pattern also matches every legitimate Node.js process, which is acceptable here because all apps are rebuilt before going live.)
2. Delete hidden binaries and scripts
rm -rf /tmp/* /var/tmp/* /dev/fghgf
3. Remove persistence mechanisms
rm -f /etc/cron.d/malicious*
4. Reset PM2 environment
PM2_HOME=/root/.pm2 pm2 kill
rm -rf /tmp/.pm2
5. Reinstall clean npm dependencies
rm -rf node_modules
npm install
After cleanup, all apps were rebuilt from verified sources and tested thoroughly before going live.
RSC vulnerability Next.js – Next.js / React Updates to Apply
If your apps use vulnerable versions, update immediately:
- Next.js (affected 15–16 versions): update to 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7
- React Server Components: update to 19.0.1, 19.1.2, or 19.2.1
Keeping frameworks updated prevents attackers from exploiting known vulnerabilities to move laterally across your server.
Best Practices to Protect Your VPS
- Isolate applications with Docker or separate user environments
- Lock PM2 home directories to a secure path (/root/.pm2)
- Regularly audit npm packages with npm audit or yarn audit
- Monitor suspicious processes and CPU spikes daily
- Block known malicious IPs at the firewall level
- Automate security checks via scripts and log monitoring
- Apply updates promptly for all frameworks and server software
Teaching moment: Even a small vulnerability in one Node.js app can cascade into full server compromise if not contained.
Daily and Weekly Security Checks
Daily:
uptime
ps aux --sort=-%cpu | head -10
ps aux | grep node
find /tmp -maxdepth 1 -name "*.tmp"
Weekly:
- Run full security audit scripts
- Check logs for unusual activity
- Verify PM2 environment and npm package integrity
Conclusion
This incident demonstrates how a React Server Components vulnerability can be more than a single-app issue. It can compromise multiple applications and the entire VPS. By combining framework updates, process monitoring, dependency audits, and strict environment isolation, you can significantly reduce risk.
Staying proactive and teaching your team about server hygiene and secure Node.js practices ensures your Next.js and React applications remain safe, even when vulnerabilities are discovered.
About The Orange Club: The Orange Club is a Dubai-based agency specializing in high-performance web development, with deep expertise in Next.js, React, and modern full-stack JavaScript ecosystems.
We build, manage, and secure applications for clients across diverse industries, which means we regularly work with complex server environments where multiple apps share the same infrastructure.
This experience gives us a front-row seat to emerging vulnerabilities like the recent React Server Components issue and equips us to step in quickly, diagnose problems, and implement robust solutions that keep client platforms fast, secure, and future-ready.