Critical RCE Vulnerabilities in React and Next.js
8 days ago
- #vulnerability
- #react
- #security
- React Server Components (RSC) and Next.js App Router deployments are vulnerable to unauthenticated remote code execution in their default configuration: no opt-in feature, misconfiguration or credentials are required, only network access to an RSC endpoint.
- The flaw lives in the React 19 RSC server packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack, versions 19.0.0 through 19.2.0), so it reaches every framework that builds on them: Next.js App Router, the Vite RSC plugin, and others. React 18 and Next.js Pages Router applications are not affected.
- CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) describe the same root cause: unsafe deserialization of the RSC 'Flight' protocol payload a client sends to invoke a Server Function, which an attacker can turn into arbitrary code execution on the server.
- Wiz Research reports that 39% of cloud environments contain at least one vulnerable instance.
- Affected Next.js releases: App Router deployments on 15.x, 16.x and 14.3.0-canary builds. Patched versions: React 19.0.1, 19.1.2, 19.2.1; Next.js 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 and 16.0.7.
- Immediate actions: upgrade react-server-dom-* to a fixed release; upgrade Next.js itself rather than only its React dependency, because Next.js ships its own compiled copy of the RSC runtime that a node_modules scan will not see; check for advisories from every other RSC-enabled framework you run.