Critical React and Next.js RCE Flaws Put Default Deployments at Risk

Public exploit accelerates remediation needs across cloud environments.

Published on Dec 5, 2025

A pair of critical vulnerabilities, CVE-2025-55182 in React and CVE-2025-66478 in Next.js, are driving urgent patching across organizations after a working proof-of-concept (PoC) exploit was released on Dec. 4.

Both CVEs carry a CVSS score of 10.0 and describe the same underlying issue: an insecure deserialization flaw in the React Server Components (RSC) “Flight” protocol that can enable unauthenticated remote code execution (RCE) on the server.

The separate Next.js CVE exists because the framework ships its own bundled copy of the affected React packages. A dependency scanner that only matches the top-level react entry in a lockfile would otherwise miss vulnerable Next.js installs, which is why both identifiers need to be tracked.

The vulnerability affects the default configuration of several frameworks, Next.js among them, so an application scaffolded with standard tooling can be exposed without any non-default settings on the developer's part.

Wiz Research reported on Wednesday (Dec. 3) that 39% of cloud environments contain vulnerable React or Next.js versions, highlighting the breadth of potential impact.

Public Exploit Boosts Attack Surface Awareness

The PoC exploit and its accompanying technical analysis, published on GitHub on Thursday (Dec. 4), sharply raise the likelihood of mass scanning and in-the-wild exploitation.

React and Vercel released coordinated patches on Dec. 3, but researchers caution that automated scanners can produce misleading results in both directions.

Some security providers have deployed runtime-level protections that block exploitation even when a version-based scanner flags an instance as vulnerable, so a version match alone is not proof of exploitability. The reverse also holds: a runtime block reduces exposure but does not replace upgrading the affected packages.

At the same time, React warned that invalid PoCs are circulating online. Many of them only “work” because the target application itself exposes an unsafe server function, not because of the RSC deserialization flaw, so testing with such a PoC can misclassify a vulnerable application as safe or a safe one as vulnerable, leading to incorrect triage or false assurance.

Ecosystem Scope And Remediation

The flaw affects React from 19.0.0 up to the patched releases listed below, and every RSC-enabled framework that embeds that code, including Next.js, RedwoodSDK, Waku, and the RSC plugins for Vite and Parcel.

Next.js applications using the App Router are particularly exposed, since the App Router accepts server function requests by default.

React and Next.js have released patched versions: React 19.0.1, 19.1.2 and 19.2.1, and Next.js patch releases across the 15.x and 16.x lines ranging from 15.0.5 to 16.0.7. Consult the Next.js advisory for the exact patch release on the minor line you run.

Security teams should upgrade immediately, verify dependency trees for bundled RSC implementations (not just the top-level react entry), and enable WAF protections where available as a stopgap rather than a substitute for patching. Cloudflare and other providers have already rolled out rulesets to reduce exposure.

Vendor advisories from React and Next.js are also available for ongoing updates and patch guidance.