Critical Vulnerabilities in React and Next.js Enable Remote Code Execution
A critical security flaw has been identified in React and Next.js, two widely used frameworks for building web applications. This vulnerability allows remote attackers to execute malicious code on servers without requiring authentication, posing a significant threat to countless web applications globally.
Understanding the Vulnerability
The issue resides in React Server Components (RSC) and the Flight protocol, which facilitates data transmission between the browser and the server. The vulnerabilities are cataloged as CVE-2025-55182 for React and CVE-2025-66478 for Next.js, both assigned the highest severity rating due to their potential for unauthenticated remote code execution.
Mechanism of Exploitation
Exploitation of this vulnerability is alarmingly straightforward. An attacker can send a specially crafted HTTP request to a vulnerable server, exploiting insecure deserialization within the RSC Flight payload handling. The server’s failure to properly validate the structure of incoming payloads allows attacker-controlled data to influence the server’s execution flow, leading to the execution of privileged JavaScript code.
Affected Versions and Severity
The following versions are affected:
– React: Versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.
– Next.js: Versions 14.3.0-canary, 15.x, and 16.x (App Router).
Each of these vulnerabilities carries a CVSS score of 10.0, indicating critical severity.
Scope of the Threat
The risk is particularly severe because default configurations are vulnerable. A standard Next.js application created with create-next-app and built for production without additional modifications remains susceptible to this exploit.
Research indicates that 39% of cloud environments contain vulnerable instances of React or Next.js. Notably, Next.js is present in 69% of the environments scanned, with the majority hosting public-facing applications. This widespread usage suggests that a substantial number of internet-exposed systems are at risk if not promptly patched.
Immediate Actions Required
To mitigate this critical vulnerability, developers and organizations must take the following steps:
1. Update React: React has released fixes in versions 19.0.1, 19.1.2, and 19.2.1 of the react-server-dom packages. Upgrading to these versions is imperative to secure applications against potential exploits.
2. Update Next.js: Next.js has issued hardened releases across supported branches. Ensuring that applications are running the latest patched versions is crucial.
3. Review Dependencies: Any framework or bundler incorporating the vulnerable React server implementation, such as React Router RSC, the Vite and Parcel RSC plugins, RedwoodSDK, and Waku, is likely affected. Security teams should immediately upgrade all related RSC-enabled dependencies.
4. Implement Hosting Provider Mitigations: While hosting provider mitigations may reduce risk, they are not a substitute for patching. Until systems are fully updated, any exposed React Server Component deployment should be treated as high-risk for potential compromise.
Broader Implications
This vulnerability underscores the critical importance of maintaining up-to-date software and promptly addressing security advisories. The ease of exploitation and the widespread use of React and Next.js amplify the potential impact, making immediate action essential to protect sensitive data and maintain the integrity of web applications.
Conclusion
The discovery of these critical vulnerabilities in React and Next.js serves as a stark reminder of the ever-present threats in the digital landscape. Developers and organizations must remain vigilant, ensuring that their applications are secure by staying informed about vulnerabilities and applying patches without delay.