Two critical vulnerabilities have been disclosed in React Server Components (RSC) and the Next.js App Router, enabling unauthenticated remote code execution (RCE). Both stem from the same root cause: unsafe deserialization of RSC payloads sent to Server Function endpoints, which lets an attacker execute arbitrary JavaScript on the server. 

Any application supporting React Server Components or using Next.js App Router is potentially vulnerable. Libraries bundling RSC (e.g., Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodJS, Waku) may also be affected. 

Risk Score: 

  • Severity: Critical (CVSS 10.0)  
  • Potential Impact:  
      • Full server compromise 
      • Data exfiltration 
      • Supply chain risk: RSC is bundled by many frameworks and bundler plugins, so a single vulnerable transitive dependency exposes every application built on it 

Technical Details: 

  • Root Cause: A logical flaw in the deserialization of RSC payloads. 
  • Attack Vector:  
      • An unauthenticated attacker sends a crafted HTTP request to a Server Function endpoint. 
      • When React deserializes the payload, it executes attacker-controlled JavaScript on the server. 
  • Scope:  
      • Exploitation requires no authentication and no prior access. 
      • Exposure is widespread: approximately 39% of cloud environments were found to contain vulnerable versions at the time of disclosure.


Vulnerability: 

  • React vulnerability: 
      • CVE: CVE-2025-55182 
      • CVSS Score: 10.0 (Critical) 
      • Affected packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack 
      • Affected versions (all three packages): 19.0.0, 19.1.0, 19.1.1, 19.2.0 
      • Patched versions: 19.0.1, 19.1.2, 19.2.1 (one fix release per 19.x minor line) 
  • Next.js vulnerability: 
      • CVE: CVE-2025-66478 
      • CVSS Score: 10.0 (Critical) 
      • Affected versions: >=14.3.0-canary.77, >=15, >=16 (App Router, up to the patched release on each line) 
      • Patched versions: 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, 15.0.5 

Recommendations and Mitigations: 

Integrity360 recommends that any vulnerable versions in use be patched immediately, given the severity of the risk they pose. 

Immediate Actions:  

  • Upgrade the React RSC packages to the patched release on the minor line you are running:  
      • react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack → 19.0.1 (19.0 line), 19.1.2 (19.1 line) or 19.2.1 (19.2 line) 
  • Upgrade Next.js to the patched release on your line:  
      • 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, 15.0.5 
  • Confirm the installed versions after upgrading: the react-server-dom-* packages are usually transitive dependencies of the framework rather than direct ones, so check the lockfile and the deployed build, not only package.json. 

Additional Recommendations:  

  • Audit dependencies for RSC usage, including react-server-dom-* packages pulled in transitively by frameworks and plugins. 
  • WAF rules that block suspicious HTTP requests to Server Function endpoints are a temporary stopgap only; they do not replace patching. 
  • Monitor for indicators of compromise, such as the Node.js server process spawning shells or other unexpected child processes, unexpected outbound connections from application hosts, or other signs of unexpected server-side code execution. 
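The following is an added example, not code from the React, Next.js or Integrity360 projects: a Node.js script that scans an npm package-lock.json for the affected and patched versions listed in this bulletin, covering both the dependency audit and the upgrade checks above. It assumes lockfileVersion 2 or 3 (where `packages` is keyed by install path such as `node_modules/next`), treats every 14.3.0 canary from canary.77 onwards as vulnerable because the bulletin lists no patched canary, and ships with a constructed sample lockfile so it runs offline.

```javascript
// Added example (not code from React, Next.js or Integrity360): check an npm
// package-lock.json against the affected/patched versions listed in this bulletin.
// Assumes lockfileVersion 2 or 3: lock.packages is keyed by install path
// ("node_modules/<name>" or nested "node_modules/a/node_modules/<name>") with a "version".

const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
// Exact affected releases of all three packages, as listed in the bulletin.
const RSC_AFFECTED = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
// Patched Next.js release on each minor line, as listed in the bulletin.
const NEXT_PATCHED = ["16.0.7", "15.5.7", "15.4.8", "15.3.6", "15.2.6", "15.1.9", "15.0.5"];
const NEXT_CANARY_FIRST_AFFECTED = 77; // 14.3.0-canary.77 and later

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(String(v).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// Orders by major.minor.patch; a prerelease tag sorts below the same release.
function compareVersions(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch
    || (a.pre ? 0 : 1) - (b.pre ? 0 : 1);
}

function checkNext(version) {
  const v = parseVersion(version);
  if (!v) return { status: "unknown", reason: `cannot parse version ${version}` };
  if (v.major < 14) return { status: "ok", reason: `${version} is not in an affected range` };
  if (v.major === 14) {
    const canary = /^canary\.(\d+)$/.exec(v.pre || "");
    if (v.minor === 3 && v.patch === 0 && canary && +canary[1] >= NEXT_CANARY_FIRST_AFFECTED) {
      // Assumption: the bulletin lists no patched 14.3 canary, so the whole range is flagged.
      return { status: "vulnerable", reason: `${version} is in the affected 14.3.0 canary range; move to a patched release` };
    }
    return { status: "ok", reason: `${version} is not in an affected range` };
  }
  const patched = NEXT_PATCHED.map(parseVersion);
  const fixed = patched.find((p) => p.major === v.major && p.minor === v.minor);
  if (fixed) {
    const fixedStr = `${fixed.major}.${fixed.minor}.${fixed.patch}`;
    return compareVersions(v, fixed) < 0
      ? { status: "vulnerable", reason: `${version} predates patched ${fixedStr}` }
      : { status: "ok", reason: `${version} is at or after patched ${fixedStr}` };
  }
  // A minor line newer than every patched line on its major (or a later major) carries the fix.
  const sameMajor = patched.filter((p) => p.major === v.major);
  return sameMajor.every((p) => compareVersions(v, p) > 0)
    ? { status: "ok", reason: `${version} is newer than every listed patched release` }
    : { status: "unknown", reason: `${version} is not on a listed release line; check the upstream advisory` };
}

function checkRscPackage(name, version) {
  if (!RSC_PACKAGES.has(name)) return null;
  const base = { package: name, version };
  if (RSC_AFFECTED.has(version)) return { ...base, status: "vulnerable", reason: `${version} is a listed affected release` };
  const v = parseVersion(version);
  if (v && v.pre) return { ...base, status: "unknown", reason: "canary/experimental build is not covered by the listed releases; check the upstream advisory" };
  return { ...base, status: "ok", reason: `${version} is not a listed affected release` };
}

function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i < 0 || !entry || !entry.version) continue; // "" (root) and workspace paths are the project itself
    const name = path.slice(i + "node_modules/".length);
    if (name === "next") {
      findings.push({ package: name, path, version: entry.version, ...checkNext(entry.version) });
    } else {
      const r = checkRscPackage(name, entry.version);
      if (r) findings.push({ path, ...r });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project): one vulnerable Next.js, one
// vulnerable direct RSC package, one patched nested RSC package.
const SAMPLE_LOCK = {
  name: "example-app", lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/next": { version: "15.5.6" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-lib/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv.slice(2).find((a) => a.endsWith(".json")); // path to a package-lock.json
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  for (const f of scanLockfile(lock)) console.log(`${f.status.padEnd(10)} ${f.path}@${f.version}: ${f.reason}`);
}
```

Run it as `node check-rsc.js path/to/package-lock.json`; with no argument it reports on the embedded sample, flagging `next@15.5.6` and the direct `react-server-dom-webpack@19.2.0` while passing the nested `19.2.1`. Because the check walks every `node_modules/` path in the lockfile, nested copies pulled in by plugins or frameworks are caught, which a glance at package.json would miss.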

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

 
