Unauthenticated RCE Found in React Server Components and Next.js (CVE-2025-55182 / CVE-2025-66478)

Critical Security Alert

New disclosure of two high-severity vulnerabilities affecting React Server Components (RSC) and the Next.js framework. These flaws allow an unauthenticated attacker to achieve Remote Code Execution (RCE) on vulnerable servers with a CVSS score of 10.0 (Critical).

The Threat

A critical security flaw has been identified in the React Server Components’ “Flight” protocol, a communication mechanism used for data serialization between the server and the client in the React 19 ecosystem.

Vulnerability: Insecure deserialization of untrusted input in the RSC payload handling logic.
Impact: Unauthenticated Remote Code Execution (RCE). An attacker can craft a malicious HTTP request to execute arbitrary code on the server, even in default configurations with no special code implemented by the developer.

CVE IDs:

  • CVE-2025-55182 (Core React Server Components packages: react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack).
  • CVE-2025-66478 (Next.js, which inherits the flaw through its use of the vulnerable React packages in its App Router implementation).

This vulnerability is considered trivial to exploit and affects a broad array of applications, as React and Next.js are widely deployed across the internet. Security researchers have confirmed the exploit has a near-100% success rate in testing. Fixed releases of both React and Next.js are now available.

Affected Versions and Immediate Remediation

The only definitive mitigation is to upgrade to the patched versions immediately. Even applications that do not explicitly use React Server Function endpoints may be vulnerable if they use a framework that supports React Server Components.

Affected components, vulnerable versions and patched versions:

  • Core React packages (RSC): vulnerable versions 19.0.0, 19.1.0, 19.1.1, 19.2.0; patched versions 19.0.1, 19.1.2, 19.2.1.
  • Next.js (App Router): vulnerable versions all 15.x and 16.x releases prior to the fixes; patched versions 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7.

Action Required for Next.js Users:

Upgrade to the latest patched version within your current release line.

Bash:

# Example for Next.js 16.x
npm install next@16.0.7
# Example for Next.js 15.x
npm install next@15.5.7

Note: If you are on a canary release starting from 14.3.0-canary.77, you are strongly advised to downgrade to the latest stable 14.x release or upgrade to the patched canary release (14.3.0-canary.88).
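A defender-side version check, added here as an example and not taken from the advisory or from the React or Next.js projects: it classifies installed copies of the affected packages against the fixed versions listed above, walking a package-lock.json (lockfileVersion 2 or 3) so nested duplicate copies under a dependency's own node_modules are caught as well as top-level ones. The sample lockfile is constructed, and the status names are this example's own.

```javascript
// Added example, not from the advisory or the React/Next.js projects: flags installed
// copies of the affected packages below the fixed release for their MAJOR.MINOR line.
const RSC = { fixes: ["19.0.1", "19.1.2", "19.2.1"] }; // versions as listed on this page
const FIXED = {
  "react-server-dom-webpack": RSC, "react-server-dom-parcel": RSC, "react-server-dom-turbopack": RSC,
  next: { // the canary line is affected from 14.3.0-canary.77 up to its fixed build
    fixes: ["15.0.5", "15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7", "14.3.0-canary.88"],
    canaryFrom: "14.3.0-canary.77" },
};
// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split(".") : null };
}
// semver-style ordering: numeric core first; a release outranks any prerelease of the
// same core; prerelease identifiers compare numerically when both are numeric.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a.nums[i] !== b.nums[i]) return a.nums[i] - b.nums[i];
  if (!a.pre || !b.pre) return (a.pre ? 0 : 1) - (b.pre ? 0 : 1);
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const [x, y] = [a.pre[i], b.pre[i]];
    if (x === undefined || y === undefined) return x === undefined ? -1 : 1;
    const c = /^\d+$/.test(x) && /^\d+$/.test(y) ? +x - +y : x.localeCompare(y);
    if (c !== 0) return c;
  }
  return 0;
}
// Returns "patched", "vulnerable", "unaffected", "untracked", or "review" when the major
// is affected but the page lists no fixed release for that MAJOR.MINOR line.
function assessPackage(name, version) {
  const entry = FIXED[name]; if (!entry) return "untracked";
  const v = parseVersion(version), fixes = entry.fixes.map(parseVersion);
  // Prereleases older than the first affected canary build predate the bug.
  if (entry.canaryFrom && v.pre && compareVersions(v, parseVersion(entry.canaryFrom)) < 0) return "unaffected";
  const fix = fixes.find((f) => f.nums[0] === v.nums[0] && f.nums[1] === v.nums[1]);
  if (fix) return compareVersions(v, fix) >= 0 ? "patched" : "vulnerable";
  return fixes.some((f) => !f.pre && f.nums[0] === v.nums[0]) ? "review" : "unaffected";
}
// Walk a package-lock.json "packages" map; keys look like "node_modules/<dep>/node_modules/<pkg>".
function assessLockfile(lock) {
  return Object.entries(lock.packages || {})
    .map(([path, meta]) => ({ path, name: path.split("node_modules/").pop(), version: meta.version }))
    .filter((p) => FIXED[p.name] && p.version)
    .map((p) => ({ ...p, status: assessPackage(p.name, p.version) }));
}
// Constructed sample lockfile (not from any real project), with one nested copy.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/next": { version: "15.5.6" }, "node_modules/react-server-dom-webpack": { version: "19.2.1" },
  "node_modules/some-lib/node_modules/react-server-dom-turbopack": { version: "19.1.1" } } };
```

Running `assessLockfile(SAMPLE_LOCK)` reports next 15.5.6 and the nested react-server-dom-turbopack 19.1.1 as vulnerable and react-server-dom-webpack 19.2.1 as patched; point it at `JSON.parse(fs.readFileSync("package-lock.json"))` for a real project.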

Technical Details

The vulnerability is rooted in a fundamental design weakness known as insecure deserialization (CWE-502).

  • The Mechanism: React Server Components (RSC) use the React Flight protocol for serializing JavaScript object graphs between the client and the server. When an HTTP request is sent to a Server Function endpoint (a feature often enabled by default in Next.js App Router projects), the server attempts to deserialize the incoming payload.
  • The Exploit: An attacker can manipulate this serialized payload to inject specially crafted data. Due to insufficient validation, the deserialization logic is tricked into resolving module exports using the attacker’s data, which can result in the server executing arbitrary JavaScript code with the permissions of the Node.js process.

Leading cloud providers and CDNs, including Vercel and Netlify, have deployed temporary Web Application Firewall (WAF) rules to mitigate the exploit for their hosted customers. However, these are only stop-gap measures, and all developers must upgrade to the fixed versions to permanently eliminate the risk.
