Critical vulnerabilities have been found in specific versions of React Server Components and Next.js, creating challenges for developers. Lachlan Davidson, a GitHub user, reported an unauthenticated remote code execution vulnerability in React Server Components on November 29, 2025. On December 3, 2025, Meta and Vercel publicly disclosed the React and Next.js vulnerabilities as CVE-2025-55182 and CVE-2025-66478.
These weaknesses allow unauthenticated remote code execution in default framework configurations. The vulnerability surfaces when the frameworks are used for certain server-side use cases. According to expert-led testing, new Next.js applications scaffolded with create-next-app are vulnerable without any code changes.
Even an application that supports React Server Components but does not expose a React Server Function endpoint remains exploitable. Because Next.js depends on React, the vulnerable protocol lets untrusted input influence server-side execution behavior, allowing attackers to craft requests that trigger unintended server execution paths under certain conditions.
Vulnerability in React Server Components (CVE-2025-55182):
The React Server Components framework is widely used for building user interfaces. CVE-2025-55182 carries a CVSS severity score of 10.0, which is rated critical.
Affected packages:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Affected React versions:
- 19.0.0
- 19.1.0
- 19.1.1
- 19.2.0
Patched version:
- React 19.2.1
Vulnerability in Next.js (CVE-2025-66478):
Next.js is a web development framework for building user interfaces, and it depends on React Server Components. The issue in Next.js was initially treated as a duplicate of the React vulnerability but was later assigned its own identifier, CVE-2025-66478.
Affected Next.js versions:
- Next.js 15.x
- Next.js 16.x
- Next.js 14.3.0-canary.77 and later canary releases
Patched versions:
- 15.0.5
- 15.1.9
- 15.2.6
- 15.3.6
- 15.4.8
- 15.5.7
- 16.0.7
How to Mitigate these Vulnerabilities and Secure Workloads?
Update React:
Stop using the affected versions of React and install only patched releases, such as React 19.2.1.
Update Next.js:
Alongside React, Next.js must also be upgraded to a patched version to mitigate the vulnerabilities. Anyone running a version older than 15.0.5 should upgrade now.
Update RSC-Driven Plugins and Bundlers:
Users also need to update RSC-enabled plugins and bundlers, such as Vite RSC, Parcel RSC, the React Router RSC preview, RedwoodSDK, and Waku.
Protect with Security Tools:
Use a security tool to verify that every vulnerable version has been upgraded to a patched one; such tools also help confirm that transitive dependencies, not just direct ones, are covered.
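As an added example (not code from the article, React, or Next.js), the following Node.js script shows what the dependency check described above looks like in practice: it walks the "packages" map of an npm lockfile (lockfile v2/v3 format) and flags the three affected react-server-dom-* packages and Next.js, including copies nested under other packages' node_modules, using only the affected and patched versions listed above. The lockfile contents are constructed inline for illustration. One assumption is labelled in the code: any 19.x release of the react-server-dom-* packages below 19.2.1 is treated as unpatched, and a 15.x or 16.x Next.js minor line without a listed patch release is reported for manual review rather than silently passed.

```javascript
// Added example: scan an npm lockfile for the React Server Components
// (CVE-2025-55182) and Next.js (CVE-2025-66478) versions named in the advisories.

const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
const RSC_PATCHED = "19.2.1";

// Patched Next.js release per minor line, as listed in the advisory.
const NEXT_PATCHED = {
  "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
  "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7",
};
const NEXT_CANARY_FIRST_AFFECTED = 77; // 14.3.0-canary.77 and later

// Parse "major.minor.patch[-prerelease]" into numbers plus the prerelease tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Numeric comparison of the release part only; returns <0, 0 or >0.
function compareRelease(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  return 0;
}

// True when v is older than fixedStr. A prerelease of the fixed version
// (e.g. 15.4.8-canary.2) sorts below 15.4.8, so it counts as unpatched.
function isBelow(v, fixedStr) {
  const cmp = compareRelease(v, parseVersion(fixedStr));
  return cmp < 0 || (cmp === 0 && v.pre !== null);
}

// Returns a reason string when name@version is affected, otherwise null.
function checkPackage(name, version) {
  const v = parseVersion(version);
  if (!v) return `unparseable version ${version} for ${name}`;

  if (RSC_PACKAGES.has(name)) {
    // Assumption: every 19.x release below 19.2.1 is unpatched; the advisory
    // lists 19.0.0, 19.1.0, 19.1.1 and 19.2.0 explicitly.
    if (v.major === 19 && isBelow(v, RSC_PATCHED)) {
      return `CVE-2025-55182: ${name}@${version} < ${RSC_PATCHED}`;
    }
    return null;
  }

  if (name === "next") {
    if (v.major === 14 && v.minor === 3 && v.patch === 0 && v.pre) {
      const c = /^canary\.(\d+)$/.exec(v.pre);
      if (c && +c[1] >= NEXT_CANARY_FIRST_AFFECTED) {
        return `CVE-2025-66478: next@${version} (affected canary build)`;
      }
      return null;
    }
    if (v.major === 15 || v.major === 16) {
      const fixed = NEXT_PATCHED[`${v.major}.${v.minor}`];
      // Assumption: a 15.x/16.x line with no listed patch needs manual review.
      if (!fixed) return `CVE-2025-66478: next@${version} has no listed patch release; check the advisory`;
      if (isBelow(v, fixed)) return `CVE-2025-66478: next@${version} < ${fixed}`;
    }
  }
  return null;
}

// Keys in the lockfile look like "node_modules/next" or
// "node_modules/plugin/node_modules/react-server-dom-webpack"; the package
// name is everything after the last "node_modules/", so nested copies are seen.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0) continue; // "" is the root project entry
    const name = path.slice(idx + "node_modules/".length);
    const reason = checkPackage(name, entry.version);
    if (reason) findings.push({ path, reason });
  }
  return findings;
}

// Constructed sample lockfile: one direct and one nested affected Next.js,
// one affected and one patched react-server-dom-* package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/next": { version: "15.4.7" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-plugin/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/legacy-tool/node_modules/next": { version: "14.3.0-canary.80" },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) console.log(`${f.path}: ${f.reason}`);
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; the scan reports three findings on the constructed sample and nothing for the patched 19.2.1 copy.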