Critical Vulnerabilities in React and Next.js

TL;DR: React and Next.js are vulnerable to unauthenticated RCE in their default configuration with no prerequisites. Our exploit tests show that a standard Next.js application scaffolded with create-next-app and built for production is vulnerable without any specific code modification by the developer.


A critical vulnerability in the React Server Components (RSC) “Flight” protocol has been identified, affecting the React 19 ecosystem and frameworks that implement it, specifically Next.js. Assigned CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), this flaw allows unauthenticated remote code execution (RCE) on the server due to insecure deserialization. The vulnerability exists in the default configuration of affected applications, meaning standard deployments are immediately at risk. Due to the high severity and ease of exploitation, immediate patching is required.

To protect the ecosystem while the patch is rolled out, we are withholding specific details for now; the details provided here are intended to help defenders prioritize mitigation and understand the risks. We will update this blog with additional information as it emerges.

The vulnerability lies in the handling of the react-server package and the RSC “Flight” protocol. It is a deserialization vulnerability: the server processes the RSC payload in an insecure manner. When a server receives a specially crafted, malformed payload, it fails to correctly verify the payload's structure. This allows attacker-controlled data to influence server-side execution logic, resulting in the execution of privileged JavaScript code.

In our experiments, exploitation of this vulnerability was highly reliable, with a near 100% success rate, and it can be leveraged for full remote code execution. The attack vector is unauthenticated and remote, requiring only a specially crafted HTTP request to the target server. It affects the default configuration of popular frameworks.

According to Wiz data, 39% of cloud environments contain instances vulnerable to CVE-2025-55182 and/or CVE-2025-66478.

Affected product | Affected versions | Patch release
React | 19.0, 19.1, 19.2 | 19.0.1, 19.1.2, and 19.2.1
Next.js | 14.3.0-canary, 15.x, and 16.x (App Router) | 14.3.0-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7

Any framework or library that bundles a react-server implementation is likely to be affected. This includes, but is not limited to:

  • next.js

  • Vite RSC Plugin

  • Parcel RSC Plugin

  • React Router RSC Preview

  • RedwoodJS

  • Waku

1. Upgrade React and its dependencies to the patched versions (see the table above). This is the only complete fix.

2. If you are using other RSC-enabled frameworks (Redwood, Waku, etc.), check their official channels for updates regarding the bundled react-server version and update immediately.
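As an added defender-side example (not code from the advisory or from Wiz), the following Node.js script compares a project's resolved React and Next.js versions against the patch releases listed in the table above and reports packages that still need upgrading. The dependency map is constructed for illustration; a real check would read it from package-lock.json.

```javascript
// Added example (not from the advisory): flag React / Next.js versions that
// predate the patch releases listed in the advisory table.

// First patched release per affected minor line, taken from the advisory.
const PATCHED = {
  react: ["19.0.1", "19.1.2", "19.2.1"],
  next: ["14.3.0-canary.88", "15.0.5", "15.1.9", "15.2.6",
         "15.3.6", "15.4.8", "15.5.7", "16.0.7"],
};

// Parse "MAJOR.MINOR.PATCH[-canary.N]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3],
           canary: m[4] === undefined ? null : +m[4] };
}

// Order versions: numeric on major.minor.patch, then a canary build sorts
// below the stable release of the same number and numerically among canaries.
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) if (a[k] !== b[k]) return a[k] - b[k];
  if (a.canary === b.canary) return 0;
  if (a.canary === null) return 1;
  if (b.canary === null) return -1;
  return a.canary - b.canary;
}

// True when `installed` sits on a minor line the advisory lists and is older
// than that line's first patched release. Lines not in the table (React 18,
// Next.js 14.2 stable, ...) are outside the advisory's scope and return false.
function isVulnerable(pkg, installed) {
  const have = parseVersion(installed);
  if (!have) throw new Error(`unparseable version: ${installed}`);
  for (const fixed of PATCHED[pkg] ?? []) {
    const f = parseVersion(fixed);
    if (have.major === f.major && have.minor === f.minor) return compareVersions(have, f) < 0;
  }
  return false;
}

// Report every listed package in a dependency map that still needs upgrading.
function audit(deps) {
  return Object.entries(deps)
    .filter(([pkg, ver]) => pkg in PATCHED && isVulnerable(pkg, ver))
    .map(([pkg, ver]) => `${pkg}@${ver} is affected; upgrade to a patched release`);
}

// Constructed sample: a lockfile-style map, not real project data.
const sampleDeps = { react: "19.2.0", "react-dom": "19.2.0", next: "15.5.6" };
console.log(audit(sampleDeps));
```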

Wiz customers can use pre-built queries and guidance in the Wiz Threat Center to discover vulnerable instances in their environment.



