Critical security vulnerability in React Server Components allows unauthenticated arbitrary code execution.
Vulnerability Details:
- Component: React Server Components (RSC)
- CVE: CVE-2025-55182
- Issue:
requireModulefunction fails to validate export name, allowing access to global Function constructor.
Impact:
- Attackers can execute arbitrary code via crafted client requests.
Mitigation:
- Update React Server Components to the latest patched version.
- Review and restrict client request handling.