Summary
A vulnerability with a CVSS score of 10.0, tracked as CVE-2025-55182 in React and CVE-2025-66478 in Next.js, has been publicly disclosed, enabling unauthenticated remote code execution (RCE). The flaw resides in how React Server Components (RSC) decode payloads sent to Server Function endpoints, allowing attackers to execute arbitrary JavaScript on the server via specially crafted HTTP requests.
Sector Impact
Retail and hospitality organizations heavily reliant on modern web frameworks for customer-facing applications are at significant risk, as 39% of all cloud environments reportedly have publicly exposed Next.js instances that could be compromised. Successful exploitation could lead to total server takeover, exposing sensitive customer PII, payment data, and internal business logic. All RH-ISAC Core Members are advised to check for exposure and remediate if necessary.
Analysis
The vulnerability stems from a logical deserialization flaw within the react-server package’s handling of the RSC “Flight” protocol. When the server processes a malformed payload, it fails to correctly validate the structure, allowing attacker-controlled data to influence server-side execution logic. This results in the execution of privileged JavaScript code with a near 100% success rate in tested environments. Crucially, the vulnerability affects any application supporting React Server Components, even if it does not explicitly implement React Server Function endpoints.
The impact extends beyond React and Next.js to include any library bundling RSC, such as Vite, Parcel, React Router, RedwoodJS, and Waku. The attack vector is remote and unauthenticated, requiring only a crafted HTTP request to a target server running a default configuration.
Mitigation
While hosting providers are applying temporary mitigations, organizations must prioritize upgrading to patched versions (React 19.0.1, 19.1.2, 19.2.1 and Next.js 16.0.7, 15.5.7, etc.) immediately to secure their infrastructure.
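To support the exposure check the advisory asks for, the following Node.js script (added here, not part of the RH-ISAC advisory or of the React/Next.js projects) walks an npm package-lock.json and compares each installed react or next version against the patched releases named above. Minor lines the advisory covers only with "etc." are reported as "verify" rather than assumed safe; the embedded lockfile is a constructed sample.

```javascript
// Added example: flag React / Next.js lockfile entries below the patched
// releases the advisory names (React 19.0.1, 19.1.2, 19.2.1; Next.js
// 16.0.7, 15.5.7). Other minor lines are "verify", never "patched".
const PATCHED = {
  // package -> { "major.minor": first patched patch level }
  react: { "19.0": 1, "19.1": 2, "19.2": 1 },
  next: { "16.0": 7, "15.5": 7 },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

// Returns "patched", "vulnerable", or "verify" (line not listed above)
function classify(pkg, version) {
  const lines = PATCHED[pkg];
  const v = parseVersion(version);
  if (!lines || !v) return "verify";
  const fixed = lines[`${v.major}.${v.minor}`];
  if (fixed === undefined) return "verify";
  return v.patch >= fixed ? "patched" : "vulnerable";
}

// Walk an npm lockfile (v2/v3 "packages" map, nested copies included)
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop(); // last path segment
    if (!(name in PATCHED)) continue;
    findings.push({ path, name, version: entry.version,
                    status: classify(name, entry.version) });
  }
  return findings;
}

// Constructed sample lockfile, not taken from any real project
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "storefront", version: "1.0.0" },
    "node_modules/react": { version: "19.1.1" },
    "node_modules/next": { version: "15.5.7" },
    "node_modules/legacy-widget/node_modules/react": { version: "18.3.1" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  for (const f of auditLockfile(lock))
    console.log(`${f.status.padEnd(10)} ${f.name}@${f.version} (${f.path})`);
}
```

Run it as `node audit.js path/to/package-lock.json`; with no argument it audits the constructed sample, reporting the 19.1.1 copy of react as vulnerable, next 15.5.7 as patched, and the nested 18.x react as needing manual verification.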