Critical Vulnerabilities Identified in React Server Components & Next.js; Patching Is Required Due to High Severity

Summary: Critical React & Next.js RCE vulnerabilities identified; patches released

OEM React & Next.js 
Severity Critical 
CVSS Score 10.0  
CVEs CVE-2025-55182, CVE-2025-66478 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Two critical vulnerabilities in React Server Components (RSC) and the Next.js App Router allow unauthenticated attackers to execute code on affected servers.

An attacker can send crafted HTTP requests to RSC endpoints and trigger arbitrary server-side code execution in unpatched environments, including ones running the default configuration.

Wiz data indicates that 39% of cloud environments contain instances of Next.js or React in versions vulnerable to CVE-2025-55182 and/or CVE-2025-66478.

Vulnerability Name | CVE ID | Product Affected | Severity | CVSS | Fixed Version
React Server Components Logical Deserialization RCE Vulnerability | CVE-2025-55182 | React RSC ecosystem (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) | Critical | 10.0 | 19.0.1, 19.1.2, 19.2.1
Next.js App Router RCE Vulnerability | CVE-2025-66478 | Next.js (App Router) | Critical | 10.0 | 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 (or later in each minor line)

Technical Summary 

The flaw lies in how the React Server Components runtime deserializes incoming request payloads. A specially crafted HTTP request to an RSC endpoint is decoded into server-side objects in a way the attacker controls, which lets them run arbitrary JavaScript on the server and fully compromise the cloud or container workload hosting it.

The issue affects any deployment that exposes RSC endpoints, even when the application does not itself define or call Server Functions.

Because frameworks such as Next.js use RSC by default, the exposure is widespread: a standard Next.js App Router project created with create-next-app is vulnerable without any custom code.

CVE ID | Vulnerability Details | Impact
CVE-2025-55182 | Logical deserialization flaw in React RSC: unsafe decoding of request payloads into server-executable objects | Unauthenticated RCE, data exposure, server takeover
CVE-2025-66478 | Next.js App Router RSC endpoints accept malformed payloads, enabling code execution | Remote code execution in production deployments

Remediation

Upgrade the React RSC packages to a fixed version matching the minor line in use:

  • react-server-dom-* (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) → 19.0.1 / 19.1.2 / 19.2.1

Upgrade Next.js to the patched release for the minor line in use:

  • Next.js → 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
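The step after reading the fixed-version lists above is finding out which installed versions fall below them. The following Node.js script, added here as an example and not code from the React or Next.js projects or from this advisory's authors, walks a package-lock.json (lockfileVersion 2 or 3) and classifies every react-server-dom-* and next entry against the fixed releases listed above, including nested copies under another dependency's node_modules. The lockfile it runs on by default is a constructed sample embedded inline; pass a real lockfile path as the first argument to audit a project. Versions on a minor line the advisory does not list (for example a 14.x Next.js) are reported as "unknown" rather than guessed at, since the page gives no fix for them.

```javascript
// Added example: audit a package-lock.json for React RSC / Next.js versions
// below the fixed releases in the advisory (CVE-2025-55182 / CVE-2025-66478).
// Not code from React, Vercel or the advisory's authors.

// Fixed versions from the advisory, keyed by package. Each entry is the first
// patched release of its major.minor line.
const FIXED_VERSIONS = {
  "react-server-dom-webpack": ["19.0.1", "19.1.2", "19.2.1"],
  "react-server-dom-parcel": ["19.0.1", "19.1.2", "19.2.1"],
  "react-server-dom-turbopack": ["19.0.1", "19.1.2", "19.2.1"],
  next: ["15.0.5", "15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7"],
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const dash = v.indexOf("-");
  const core = dash === -1 ? v : v.slice(0, dash);
  const pre = dash === -1 ? null : v.slice(dash + 1);
  const [major, minor, patch] = core.split(".").map((n) => parseInt(n, 10));
  return { major, minor, patch, pre };
}

// Negative if a < b, 0 if equal, positive if a > b. A prerelease such as
// 15.4.8-canary.3 sorts below its release 15.4.8, so it is still unpatched.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Classify one installed version: "vulnerable" (below the fix for its
// major.minor line), "fixed" (at or above it), "unknown" (the advisory lists
// no fix for that line), or "not-tracked" (package not covered here).
function assess(pkg, installed) {
  const fixes = FIXED_VERSIONS[pkg];
  if (!fixes) return { pkg, installed, status: "not-tracked", fixed: null };
  const { major, minor } = parseVersion(installed);
  const fixed = fixes.find((f) => {
    const p = parseVersion(f);
    return p.major === major && p.minor === minor;
  });
  if (!fixed) return { pkg, installed, status: "unknown", fixed: null };
  const status = compareVersions(installed, fixed) < 0 ? "vulnerable" : "fixed";
  return { pkg, installed, status, fixed };
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json. Keys look
// like "node_modules/next" or "node_modules/tool/node_modules/next", so the
// package name is whatever follows the last "node_modules/". The root project
// entry has the key "" and is skipped.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i === -1 || !entry.version) continue;
    const name = path.slice(i + "node_modules/".length);
    if (Object.prototype.hasOwnProperty.call(FIXED_VERSIONS, name)) {
      findings.push({ path, ...assess(name, entry.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project): a vulnerable top-level
// Next.js, a nested but already-fixed RSC package, and a Next.js line the
// advisory does not list. Plain "react" is deliberately not flagged: the
// advisory's fixed versions are for the react-server-dom-* packages and next.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/next": { version: "15.4.2" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/next/node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/legacy-tool/node_modules/next": { version: "14.2.5" },
  },
};

function readLockfile(path) {
  return JSON.parse(require("fs").readFileSync(path, "utf8"));
}

if (typeof require !== "undefined" && require.main === module) {
  const lockPath = process.argv[2];
  const findings = auditLockfile(lockPath ? readLockfile(lockPath) : SAMPLE_LOCK);
  for (const f of findings) {
    const note = f.fixed ? `fixed in ${f.fixed}` : "no fix listed for this line; check the vendor advisory";
    console.log(`${f.status.padEnd(10)} ${f.pkg}@${f.installed} at ${f.path} (${note})`);
  }
  // Non-zero exit only when auditing a real lockfile, so CI can gate on it.
  if (lockPath && findings.some((f) => f.status === "vulnerable")) process.exitCode = 1;
}
```

Run it as `node audit-rsc.js ./package-lock.json` in a CI step; the exit code becomes 1 when any vulnerable copy is found. Nested copies matter because a fixed top-level next can coexist with an unpatched react-server-dom-* pulled in by another dependency, and prerelease tags are treated as older than the matching release so a canary build of a fixed version is not mistaken for the fix.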

Conclusion:
These React and Next.js vulnerabilities are serious because an attacker can execute code on affected servers without any authentication.

The result can be full system compromise. Organizations should treat this as an urgent issue: apply the patches promptly and check their environments for affected versions, including nested copies of the RSC packages pulled in by other dependencies. Immediate upgrades close the hole; dependency scanning and monitoring should be kept in place alongside them for ongoing protection.
