Critical React and Next.js Vulnerability Enables Remote Attackers to Execute Malicious Code

React and Next.js RCE Vulnerability

A critical security flaw in React and Next.js could let remote attackers run malicious code on servers without logging in.

The issue affects React Server Components (RSC) and the “Flight” protocol used to send data between the browser and the server.

The vulnerabilities are tracked as CVE-2025-55182 for React and CVE-2025-66478 for Next.js. They are rated at the highest severity level and allow unauthenticated remote code execution.

How the Vulnerability Enables Remote Code Execution

In many cases, an attacker only needs to send a specially crafted HTTP request to exploit a vulnerable server. The core problem is insecure deserialization inside the RSC “Flight” payload handling.

When the server receives a malicious payload, it fails to correctly verify its structure. As a result, attacker-controlled data can affect the server’s execution flow and cause privileged JavaScript code to run.

| CVE ID | Product | Vulnerable Versions | CVSS Score |
|---|---|---|---|
| CVE-2025-55182 | react-server-dom-webpack | 19.0.0, 19.1.0, 19.1.1, 19.2.0 | 10.0 |
| CVE-2025-55182 | react-server-dom-parcel | 19.0.0, 19.1.0, 19.1.1, 19.2.0 | 10.0 |
| CVE-2025-55182 | react-server-dom-turbopack | 19.0.0, 19.1.0, 19.1.1, 19.2.0 | 10.0 |
| CVE-2025-66478 | Next.js | 14.3.0-canary, 15.x, 16.x (App Router) | 10.0 |

The risk is serious because default setups are vulnerable. A standard Next.js app created with create-next-app and built for production with no extra changes can still be attacked.


Testing has shown the exploit to be highly reliable, with near‑100% success in lab conditions. Wiz Research reports that 39% of cloud environments contain vulnerable instances of React or Next.js.

Next.js appears in 69% of environments they scanned, and most of those have public-facing applications. This means a large number of internet-exposed systems may be at risk if not patched.

React has released fixes in versions 19.0.1, 19.1.2, and 19.2.1 of the react-server-dom packages.

Next.js has also shipped hardened releases across supported branches. Any framework or bundler that includes the vulnerable React server implementation, such as React Router RSC, the Vite and Parcel RSC plugins, RedwoodSDK, and Waku, is likely affected. Security teams are urged to immediately upgrade React, Next.js, and all related RSC-enabled dependencies.

Hosting provider mitigations may reduce risk, but are not a replacement for patching. Until systems are fully updated, any exposed React Server Component deployment should be treated as high-risk of compromise.
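To find exposed installs before patching, the following Node.js script is an added example (not code from the article, React, or Next.js) that walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` and flags the react-server-dom versions listed in the table above plus Next.js releases in the affected ranges; the lock data embedded at the bottom is constructed, and the `auditLock`/`isAffectedNext` names are this example's own.

```javascript
// Added example: audit a package-lock.json for the versions the advisory lists.
const RSC_PACKAGES = new Set(["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"]);
// Vulnerable react-server-dom versions; fixed releases are 19.0.1, 19.1.2, 19.2.1.
const RSC_VULNERABLE = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || "" } : null;
}

// Next.js ranges from the advisory: 14.3.0-canary, 15.x, 16.x (App Router).
function isAffectedNext(version) {
  const s = parseSemver(version);
  if (!s) return false;
  if (s.major === 15 || s.major === 16) return true;
  return s.major === 14 && s.minor === 3 && s.patch === 0 && s.pre.startsWith("canary");
}

// Returns [{ path, name, version, advisory }] for every affected install,
// including nested copies under node_modules/<dep>/node_modules/.
function auditLock(lock) {
  const findings = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path === "" || !info.version) continue; // "" is the root project entry
    const name = info.name || path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (RSC_PACKAGES.has(name) && RSC_VULNERABLE.has(info.version)) {
      findings.push({ path, name, version: info.version, advisory: "CVE-2025-55182" });
    } else if (name === "next" && isAffectedNext(info.version)) {
      findings.push({ path, name, version: info.version, advisory: "CVE-2025-66478" });
    }
  }
  return findings;
}

// Constructed sample standing in for JSON.parse(fs.readFileSync("package-lock.json")).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0" },
    "node_modules/next": { version: "15.1.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
  },
};

for (const f of auditLock(SAMPLE_LOCK)) console.log(`${f.advisory}: ${f.path}@${f.version}`);
```

Run it against each application's real lockfile; the transitive react-server-dom-* copies pulled in by a framework are the ones most often missed.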
