Critical vulnerabilities found in React and Next.js

Security researchers on Wednesday warned about a critical vulnerability in React Server Components (RSC) and Next.js.

The vulnerability, tracked as CVE-2025-55182, enables unauthenticated remote code execution, stemming from unsafe deserialization of payloads sent to React Server Function endpoints.

While the flaw originated in the React open source software's RSC protocol, it also has a downstream impact on Next.js applications, with a vulnerability tracked as CVE-2025-66478. The issue is considered extremely dangerous, and both vulnerabilities have a severity score of 10.

Researchers at Wiz said that during their experimentation they found the flaw had "high fidelity," with nearly a 100% success rate, and that it could be leveraged to achieve full remote code execution, according to a blog published Wednesday.

What also concerns security researchers is that configurations are vulnerable by default. The flaw requires immediate patching by users. React and Vercel each issued guidance for updating the software.

React, originally developed by Facebook, is a JavaScript library used for building user interfaces and is one of the most widely used web application frameworks in the world.

“While details remain limited, and exploitation requires few pre-requisites, there should be no doubt that in-the-wild exploitation is imminent as soon as attackers begin analyzing now-public patches,” Benjamin Harris, founder and CEO of watchTowr, told Cybersecurity Dive.

Security researcher Lachlan Davidson reported the flaw to React on Nov. 29 through the Meta Bug Bounty program.

Researchers at Wiz pointed out that 40% of cloud environments contain vulnerable instances of Next.js or React.