DEV Community

Nazmus Sakib Apurba

Critical High-Risk Alert: Severe Remote Code Execution Vulnerability in Next.js and React (CVE-2025-66478 / CVE-2025-55182)

This is an important announcement for web developers and security professionals. A critical vulnerability has been identified in React Server Components and the Next.js framework that leads to Remote Code Execution (RCE). It has been assigned a CVSS score of 10.0, the maximum possible.

The issue is tracked as CVE-2025-55182 for React (the upstream issue) and CVE-2025-66478 for Next.js (the downstream impact). CVE-2025-66478 was later marked as a duplicate of CVE-2025-55182, but it still appears in Next.js advisories and scanner output, so expect to see both identifiers for the same bug.


1. Vulnerability Summary and Root Cause

Executive Summary

A critical RCE vulnerability has been identified in the "Flight" protocol used by React Server Components (RSC). It allows an unauthenticated attacker to execute arbitrary code on the server by sending specially crafted HTTP requests that exploit insecure deserialization of the request payload.

  • Risk Level: CVSS 10.0 (Critical)
  • Vulnerability Type: Remote Code Execution (RCE)
  • Impact: Reliably exploitable against vulnerable applications in their default configuration; no authentication and no user interaction are required.
  • Root Cause: React Server Components (RSC) deserialized attacker-controlled HTTP request data unsafely, which let a crafted payload reach built-in Node.js functionality and run attacker-chosen code. The Next.js App Router is affected because it embeds and relies on React's react-server-dom package for this server-side processing.

2. Scope of Impact and Affected Versions

The exposure is broad: React and Next.js are foundational dependencies in enterprise and consumer web applications alike, so any App Router deployment on an unpatched release is reachable by an unauthenticated attacker.

Vulnerable Versions

This vulnerability affects the React 19 server packages that implement RSC and every framework that bundles or depends on that implementation.

Vulnerable versions by framework:

  • React Server (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack): 19.0.0, 19.1.0, 19.1.1, 19.2.0. The version of the react package alone does not tell you whether you are exposed; the react-server-dom-* package is the one that carries the vulnerable code.
  • Next.js (App Router): 15.0.0 – 15.0.4, 15.1.0 – 15.1.8, 15.2.0 – 15.2.5, 15.3.0 – 15.3.5, 15.4.0 – 15.4.7, 15.5.0 – 15.5.6 and 16.0.0 – 16.0.6 (every 15.x and 16.0.x release before the patched version of its line), plus 14.3.0-canary.77 and later canary releases.
  • Other frameworks: react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, rwsdk and RedwoodJS (RSC mode). Any other framework that relies on the vulnerable React RSC implementation may also be affected; check which react-server-dom-* version it resolves to.

Safe Versions and Configurations

The following versions and configurations are not affected by this vulnerability:

  • React Server: 19.0.1, 19.1.2, 19.2.1 (the official patched releases).
  • Next.js: 13.x, 14.x (stable releases), 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7. Next.js applications that use only the Pages Router, or that run on the Edge Runtime, are not affected.

3. Detection and Verification

To verify whether your application is vulnerable, work through the following checks:

  • RSC Usage: Determine whether the project uses React Server Components at all. In Next.js this means the App Router (an app/ directory); a Pages Router-only application is not affected.
  • Framework Dependencies: Check whether the application depends on next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc or rwsdk, and which react-server-dom-webpack, react-server-dom-parcel or react-server-dom-turbopack version that dependency resolves to.
  • Code Inspection: Look for the 'use client' directive (marks a client component boundary in an RSC application) and the 'use server' directive (marks a Server Function). Either one indicates RSC usage.
  • Version Check: Compare the resolved version in the lockfile (package-lock.json, pnpm-lock.yaml or yarn.lock), not the range in package.json, against the vulnerable ranges listed above. A nested copy of next or react-server-dom-* installed under another dependency counts too.
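As an added example (not part of the original advisory, and not React or Next.js project code), the following Node.js script applies the version ranges above to the packages resolved in a package-lock.json and scans source files for the two directives. It assumes the lockfile is in the v2/v3 "packages" format; SAMPLE_LOCKFILE and SAMPLE_SOURCES are constructed inputs, not a real project.

```javascript
// Added example for this advisory, not code from the React or Next.js projects.
// It applies the vulnerable/patched ranges listed above to the versions resolved
// in a package-lock.json (v2/v3 "packages" format) and looks for RSC directives
// in source files. SAMPLE_LOCKFILE and SAMPLE_SOURCES are constructed inputs.

// First patched patch level per release line, from the advisory's safe-version list.
const FIRST_SAFE_NEXT = { '15.0': 5, '15.1': 9, '15.2': 6, '15.3': 6, '15.4': 8, '15.5': 7, '16.0': 7 };
const FIRST_SAFE_REACT_SERVER = { '19.0': 1, '19.1': 2, '19.2': 1 };
const REACT_SERVER_PACKAGES = [
  'react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack',
];

// Parse "MAJOR.MINOR.PATCH" or "MAJOR.MINOR.PATCH-tag.N"; anything else returns null.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)\.(\d+))?$/.exec(String(version));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], tag: m[4] || null, tagNum: m[5] ? +m[5] : null };
}

// 'vulnerable' | 'patched' | 'unaffected' | 'review' (a release the advisory does not list).
function assessNext(version) {
  const p = parseVersion(version);
  if (!p) return 'review';
  const line = `${p.major}.${p.minor}`;
  if (p.tag === 'canary' && p.patch === 0) {
    // The advisory names 14.3.0-canary.77 and later as vulnerable and 15.6.0-canary.58 as fixed.
    if (line === '14.3') return p.tagNum >= 77 ? 'vulnerable' : 'unaffected';
    if (line === '15.6') return p.tagNum >= 58 ? 'patched' : 'vulnerable';
  }
  if (p.tag) return 'review';
  if (p.major <= 14) return 'unaffected'; // 13.x and stable 14.x
  if (line in FIRST_SAFE_NEXT) return p.patch >= FIRST_SAFE_NEXT[line] ? 'patched' : 'vulnerable';
  return 'review';
}

function assessReactServer(version) {
  const p = parseVersion(version);
  if (!p || p.tag) return 'review';
  if (p.major < 19) return 'unaffected';
  const line = `${p.major}.${p.minor}`;
  if (line in FIRST_SAFE_REACT_SERVER) {
    return p.patch >= FIRST_SAFE_REACT_SERVER[line] ? 'patched' : 'vulnerable';
  }
  return 'review';
}

// Walk every installed copy, including nested ones under other dependencies.
function assessLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!name || !entry.version) continue;
    if (name === 'next') {
      findings.push({ path, name, version: entry.version, status: assessNext(entry.version) });
    } else if (REACT_SERVER_PACKAGES.includes(name)) {
      findings.push({ path, name, version: entry.version, status: assessReactServer(entry.version) });
    }
  }
  return findings;
}

// A file whose first statement is 'use client' or 'use server' is part of an RSC
// application (client boundary or Server Function); leading comments are skipped.
function rscDirective(source) {
  const m = /^\s*(?:\/\/[^\n]*\n\s*|\/\*[\s\S]*?\*\/\s*)*['"]use (client|server)['"]\s*;?/.exec(source);
  return m ? m[1] : null;
}

// Constructed sample lockfile: an App Router app on an unpatched release line, plus an
// unaffected nested copy of next pulled in by another tool.
const SAMPLE_LOCKFILE = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/next': { version: '15.5.6' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/legacy-tool/node_modules/next': { version: '14.2.5' },
  },
};

// Constructed sample sources.
const SAMPLE_SOURCES = {
  'app/actions.ts': "'use server';\nexport async function save(data) { /* ... */ }\n",
  'app/Counter.tsx': '// client-side state\n"use client"\nimport { useState } from "react";\n',
  'lib/util.ts': 'export const id = (x) => x;\n',
};

for (const f of assessLockfile(SAMPLE_LOCKFILE)) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
}
for (const [file, src] of Object.entries(SAMPLE_SOURCES)) {
  const d = rscDirective(src);
  if (d) console.log(`RSC directive 'use ${d}' in ${file}`);
}
```

To run it against a real project, replace SAMPLE_LOCKFILE with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) and feed rscDirective the contents of the files under app/ (or wherever your server components live). Canary releases other than the two the advisory names come back as review, meaning the advisory gives no verdict and the version has to be checked against the Next.js tags list directly.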

4. Required Action and Mitigation

The only complete protection against this RCE vulnerability is to upgrade immediately to the official patched versions. No configuration changes will fully mitigate the risk.

Official Upgrade

Upgrade to the patched version of your release line with the corresponding command (the 15.1.x – 15.4.x lines are patched in the versions listed under "Safe Versions and Configurations" above):

  • Next.js 15.0.x: upgrade to 15.0.5 with npm install next@15.0.5
  • Next.js 15.1.x: upgrade to 15.1.9 with npm install next@15.1.9
  • Next.js 15.2.x: upgrade to 15.2.6 with npm install next@15.2.6
  • Next.js 15.3.x: upgrade to 15.3.6 with npm install next@15.3.6
  • Next.js 15.4.x: upgrade to 15.4.8 with npm install next@15.4.8
  • Next.js 15.5.x: upgrade to 15.5.7 with npm install next@15.5.7
  • Next.js 16.0.x: upgrade to 16.0.7 with npm install next@16.0.7
  • Next.js 15.x (Canary): upgrade to 15.6.0-canary.58 with npm install next@15.6.0-canary.58

If you use a framework other than Next.js, upgrade its react-server-dom-webpack, react-server-dom-parcel or react-server-dom-turbopack dependency to 19.0.1, 19.1.2 or 19.2.1, and verify the resolved version in your lockfile after the upgrade.

React upgrade download link: https://github.com/facebook/react/releases
Next.js upgrade download link: https://github.com/vercel/next.js/tags

Temporary Mitigation (If Upgrade is Impossible)

These measures reduce exposure but do not close the vulnerability; treat them as a stopgap while the upgrade is scheduled.

  • Remove the RSC attack surface: If business logic allows, serve the affected routes without React Server Components (for example, Pages Router only). There is no configuration switch that turns off RSC for an App Router application, so this means moving the routes, not flipping a setting.
  • Restrict Access to Server Function Endpoints: Use a Web Application Firewall (WAF) or network controls (IP allowlisting, private ingress) so that only trusted clients can reach the endpoints that accept Server Function calls. Log what the rule blocks so that exploitation attempts against an unpatched instance are visible.
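As an added example (not Next.js or Vercel code, and not part of the original advisory), the following request filter implements the "restrict access to Server Function endpoints" stopgap. It assumes that Server Function calls are POST requests carrying a next-action header, which is how the Next.js App Router identifies them; other frameworks route Server Functions differently and need their own match. The allowlisted CIDR ranges are an assumed example and SAMPLE_REQUESTS are constructed inputs.

```javascript
// Added example for this advisory, not Next.js or Vercel code. It implements the
// "restrict access to Server Function endpoints" stopgap as a request filter.
// Assumption: Server Function calls are POST requests carrying a `next-action`
// header, as in the Next.js App Router. SAMPLE_REQUESTS are constructed inputs
// and ALLOWED_CIDRS is an assumed example allowlist.

// Assumed trusted client ranges (IPv4 CIDR). Server Function calls from anywhere
// else are refused.
const ALLOWED_CIDRS = ['10.0.0.0/8', '192.168.0.0/16'];

function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    if (!/^\d{1,3}$/.test(part) || Number(part) > 255) return null;
    value = value * 256 + Number(part);
  }
  return value;
}

function ipInCidr(ip, cidr) {
  const [base, bitsText] = cidr.split('/');
  const bits = Number(bitsText);
  const addr = ipv4ToInt(ip);
  const network = ipv4ToInt(base);
  if (addr === null || network === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((network & mask) >>> 0);
}

// Case-insensitive header lookup; proxies and WAFs do not agree on header casing.
function header(req, name) {
  const key = Object.keys(req.headers || {}).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : req.headers[key];
}

function isServerFunctionRequest(req) {
  return String(req.method).toUpperCase() === 'POST' && header(req, 'next-action') !== null;
}

// req.clientIp must be the address your trusted proxy saw, not a value copied from
// an unverified X-Forwarded-For header, or the allowlist is trivially bypassed.
function decide(req) {
  if (!isServerFunctionRequest(req)) {
    return { action: 'allow', reason: 'not a Server Function call' };
  }
  if (ALLOWED_CIDRS.some((cidr) => ipInCidr(req.clientIp, cidr))) {
    return { action: 'allow', reason: `Server Function call from allowlisted ${req.clientIp}` };
  }
  return { action: 'deny', status: 403, reason: `Server Function call from non-allowlisted ${req.clientIp}` };
}

// Constructed sample requests; the next-action value stands in for a real action id.
const SAMPLE_REQUESTS = [
  { method: 'GET', clientIp: '203.0.113.9', headers: { host: 'app.example.com' } },
  { method: 'POST', clientIp: '10.1.2.3', headers: { host: 'app.example.com', 'next-action': 'sample-action-id' } },
  { method: 'POST', clientIp: '203.0.113.9', headers: { host: 'app.example.com', 'Next-Action': 'sample-action-id' } },
  { method: 'POST', clientIp: '203.0.113.9', headers: { host: 'app.example.com', 'content-type': 'application/json' } },
];

for (const req of SAMPLE_REQUESTS) {
  const d = decide(req);
  console.log(`${d.action.padEnd(5)} ${req.method} from ${req.clientIp}: ${d.reason}`);
}
```

In a Next.js deployment the same decision belongs in the edge middleware (read the header with request.headers.get('next-action') and take the client address from your proxy's trusted header) or, better, in the WAF in front of the application. Note what it costs: every Server Function call from a non-allowlisted client is refused, so for a public application this only works if Server Functions are used by internal clients alone; in all other cases the rule is a logging and alerting aid for denied attempts, and the real fix remains the upgrade.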

5. Vulnerability Discovery and Acknowledgment

Special thanks to Lachlan Davidson for discovering and responsibly reporting this critical vulnerability. Work like this keeps the developer community safe. Technical details are deliberately limited in this advisory to protect developers who have not yet upgraded.

Security first. Upgrade your applications immediately to stay protected.
