Urgent Security Alert: Critical RSC Bugs in React and Next.js Enable Unauthenticated Remote Code Execution

A significant security vulnerability has been identified in React Server Components (RSC), which could lead to unauthenticated remote code execution. The flaw, tracked as CVE-2025-55182, has been assigned a maximum CVSS score of 10.0. This vulnerability arises from the way React decodes payloads sent to React Server Function endpoints, potentially allowing an attacker to execute arbitrary JavaScript code on the server.

Even applications that do not implement any React Server Function endpoints could be at risk if they support React Server Components. The cloud security firm Wiz reported that the root cause is a logical deserialization flaw that stems from unsafe processing of RSC payloads. Attackers could craft malicious HTTP requests targeting any Server Function endpoint, leading to exploitation when React deserializes the request.

The affected versions include 19.0, 19.1.0, 19.1.1, and 19.2.0 of several npm packages, such as react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. The issue has been addressed in subsequent versions: 19.0.1, 19.1.2, and 19.2.1. The flaw was discovered by New Zealand-based researcher Lachlan Davidson and reported on November 29, 2025.

Next.js applications that use the App Router are also affected. That issue is tracked as CVE-2025-66478 and carries the same CVSS score of 10.0. The vulnerable versions include those greater than or equal to 14.3.0-canary.77, as well as versions 15 and 16. The patched versions for Next.js are 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, and 15.0.5.

Wiz reported that approximately 39% of cloud environments may contain instances vulnerable to CVE-2025-55182 and/or CVE-2025-66478. Given the gravity of this issue, users are strongly advised to apply the necessary updates promptly to ensure adequate protection.
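To check a project against the version lists above, the following added example (not code from React, Next.js, or Wiz) scans the `packages` map of a `package-lock.json` and flags entries that fall in the affected ranges. It assumes that "19.0" means 19.0.0, reports versions the article does not cover as `unknown`, and uses a constructed sample lockfile.

```javascript
// Version data below is copied from the article; nothing else is assumed about fixes.
const RSC_PACKAGES = ['react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack'];
// Assumption: the article's "19.0" means 19.0.0.
const RSC_VULNERABLE = new Set(['19.0.0', '19.1.0', '19.1.1', '19.2.0']);
// Patched Next.js release per minor line, as listed in the article.
const NEXT_FIXED = { '15.0': 5, '15.1': 9, '15.2': 6, '15.3': 6, '15.4': 8, '15.5': 7, '16.0': 7 };

// Returns 'vulnerable', 'ok', or 'unknown' (version the article does not cover).
function classify(name, version) {
  if (RSC_PACKAGES.includes(name)) return RSC_VULNERABLE.has(version) ? 'vulnerable' : 'ok';
  if (name !== 'next') return 'ok';
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?$/.exec(version);
  if (!m) return 'unknown';
  const [major, minor, patch] = [m[1], m[2], m[3]].map(Number);
  const canary = m[4] === undefined ? null : Number(m[4]);
  if (major < 14) return 'ok';
  if (major === 14) {
    // Affected range starts at 14.3.0-canary.77; earlier 14.x is outside it.
    if (minor < 3) return 'ok';
    if (minor === 3 && patch === 0 && canary !== null) return canary >= 77 ? 'vulnerable' : 'ok';
    return 'unknown';
  }
  const fixed = NEXT_FIXED[`${major}.${minor}`];
  if (canary !== null || fixed === undefined) return 'unknown';
  return patch >= fixed ? 'ok' : 'vulnerable';
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3).
function scanLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Nested installs look like node_modules/a/node_modules/b; keep the last name.
    const name = path.split('node_modules/').pop();
    const status = classify(name, entry.version || '');
    if (status !== 'ok') findings.push({ path, version: entry.version, status });
  }
  return findings;
}

// Constructed sample lockfile, not taken from any real project.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/next': { version: '15.1.8' },
  'node_modules/react-server-dom-webpack': { version: '19.1.2' },
  'node_modules/some-lib/node_modules/react-server-dom-parcel': { version: '19.2.0' },
} };
console.log(scanLock(sampleLock));
```

Nested `node_modules` entries are included because a transitive copy of an affected package is still loaded at runtime even when the top-level dependency is patched.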

