Severity
High
Analysis Summary
A critical security vulnerability has been identified in React and Next.js that allows unauthenticated remote attackers to execute malicious code on servers. The flaw specifically affects React Server Components (RSC) and the “Flight” protocol, which is used to transfer data between the browser and server. The vulnerabilities are tracked as CVE-2025-55182 for React and CVE-2025-66478 for Next.js, both rated CVSS high, the highest severity level. This means that attackers can potentially take full control of affected systems without any login credentials.
The root cause lies in insecure deserialization in the RSC “Flight” payload handling. When a server receives a maliciously crafted payload, it fails to properly validate the structure of the incoming data. As a result, attacker-controlled content can manipulate the server’s execution flow and execute privileged JavaScript code. Exploitation is straightforward, often requiring only a specially crafted HTTP request to achieve remote code execution, making default installations of Next.js and React highly vulnerable.
The vulnerability affects a wide range of versions. For React, the impacted packages include react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack (versions 19.0.0 through 19.2.0). For Next.js, the affected versions are 14.3.0-canary, 15.x, and 16.x (App Router). Research shows that Next.js is present in 69% of scanned environments, and nearly 40% of cloud setups contain vulnerable React or Next.js instances. This widespread presence, combined with the prevalence of public-facing applications, significantly increases the risk of compromise for internet-exposed servers.
To mitigate the risk, React has released patched versions 19.0.1, 19.1.2, and 19.2.1, while Next.js has deployed hardened releases across supported branches. Security teams are urged to immediately upgrade all vulnerable frameworks and related RSC-enabled dependencies, including plugins like Vite, Parcel RSC, RedwoodSDK, Waku, and React Router RSC. While some hosting provider mitigations may reduce exposure, they cannot replace patching, and any server running exposed React Server Components should be treated as high-risk until fully updated.
Impact
- Gain Access
- Code Execution
Indicators of Compromise
CVE
CVE-2025-55182
CVE-2025-66478
Remediation
- Upgrade React Server Components packages to patched versions.
- Upgrade Next.js to the latest stable release across supported branches (14.3.0+, 15.x, 16.x).
- Update all related RSC-enabled frameworks and plugins, including: React Router RSC, Vite RSC, Parcel RSC, RedwoodSDK, and Waku.
- Review server configurations and ensure default setups are hardened, particularly for public-facing applications.
- Implement input validation and payload checks where possible to mitigate risks from malformed RSC “Flight” requests.
- Monitor network traffic for suspicious HTTP requests targeting React Server Components endpoints.
- Treat any exposed RSC deployment as high-risk until all patches and upgrades are applied.
- Coordinate with hosting providers to apply any additional mitigations they may offer, but do not rely solely on hosting-level protections.
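As an added example (not part of this advisory or of the React/Next.js projects), the following Node script audits an npm lockfile for the React Server Components packages named above, using the affected window (19.0.0 through 19.2.0) and the patched releases (19.0.1, 19.1.2, 19.2.1) stated in the advisory; the lockfile contents are constructed sample data, and Next.js itself is not checked because the advisory gives no patched version numbers for it.

```javascript
// Audit a package-lock.json (lockfileVersion 2/3) for affected RSC packages.
// Package names, the affected range and the patched releases are those listed
// in the advisory; SAMPLE_LOCK below is constructed sample data.

const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Patched React releases named in the advisory.
const PATCHED = new Set(["19.0.1", "19.1.2", "19.2.1"]);

// Parse "major.minor.patch" with an optional prerelease tag into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// True when the version lies in 19.0.0 .. 19.2.0 and is not a patched release.
// Prerelease builds (e.g. 19.2.0-canary-...) are treated conservatively as
// affected, since they predate the fix for that version line.
function isVulnerableRscVersion(version) {
  if (PATCHED.has(version)) return false;
  const p = parseVersion(version);
  if (!p || p.major !== 19) return false;
  return p.minor < 2 || (p.minor === 2 && p.patch === 0);
}

// Walk the "packages" map and report every resolved copy of an RSC package in
// the affected window, including nested copies under other dependencies.
function findVulnerableRscPackages(lock) {
  const findings = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // skip the root entry ("")
    const name = path.slice(idx + "node_modules/".length);
    if (RSC_PACKAGES.has(name) && isVulnerableRscVersion(info.version)) {
      findings.push({ path, name, version: info.version });
    }
  }
  return findings;
}

// Constructed sample: one patched direct copy, two affected copies (one nested).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.1.0" },
    "node_modules/react-server-dom-parcel": { version: "19.2.0-canary-abc123" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of findVulnerableRscPackages(SAMPLE_LOCK)) {
    console.log(`AFFECTED ${f.name}@${f.version} at ${f.path}`);
  }
}
```

Point it at a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of SAMPLE_LOCK; a nested copy hidden under another dependency is flagged the same as a direct one.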