LONDON (IT BOLTWISE) – A serious security flaw in React Server Components and Next.js could allow attackers to execute arbitrary code without authentication. This vulnerability affects numerous versions and requires urgent updates.
A recently discovered security flaw in React Server Components (RSC) and Next.js has alarmed the developer community. This vulnerability, known as CVE-2025-55182 and CVE-2025-66478, allows attackers to execute arbitrary code on servers without authentication. The React developers have classified the vulnerability as critical and assigned a CVSS score of 10.0, which represents the highest threat level.
The vulnerability results from a flaw in the way React decodes payloads sent to server function endpoints. Even if an application does not implement React Server Function Endpoints itself, it can still be vulnerable as long as it supports React Server Components. This puts a large number of applications built on these technologies at risk.
Versions 19.0, 19.1.0, 19.1.1 and 19.2.0 of the npm packages react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack are affected. The vulnerability was fixed in versions 19.0.1, 19.1.2 and 19.2.1. New Zealand security researcher Lachlan Davidson discovered and reported the vulnerability on November 29, 2025.
Next.js is also affected by this vulnerability, in versions from 14.3.0-canary.77 onward and in major versions 15 and 16. The patched versions are 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9 and 15.0.5. It is strongly recommended to install the updates immediately to secure affected applications.
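As an added example (not code from the article, React or Next.js), a small Python check that compares an installed package version against the affected and patched versions listed above. It assumes that any release below the patched release of its own major.minor line is affected, and that a 15.x or 16.x line with no listed patched release is still unpatched; both are my reading of the version lists, not statements from the advisory.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, Optional[str]]

# Package names and patched releases as listed in the article. Assumption (mine,
# not the article's): a release below the patched release of its own
# major.minor line is affected, and a 15.x/16.x line with no listed patch
# release is treated as unpatched.
RSC_PACKAGES = {"react-server-dom-webpack", "react-server-dom-parcel",
                "react-server-dom-turbopack"}
RSC_FIXED = {(19, 0): (19, 0, 1), (19, 1): (19, 1, 2), (19, 2): (19, 2, 1)}
NEXT_FIXED = {(16, 0): (16, 0, 7), (15, 5): (15, 5, 7), (15, 4): (15, 4, 8),
              (15, 3): (15, 3, 6), (15, 2): (15, 2, 6), (15, 1): (15, 1, 9),
              (15, 0): (15, 0, 5)}


def parse_version(version: str) -> Version:
    """Split '15.5.7' or '14.3.0-canary.77' into (major, minor, patch, prerelease)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.-]+))?", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch or 0), pre


def is_affected(package: str, version: str) -> bool:
    """True if this installed package version falls in the article's affected ranges."""
    major, minor, patch, pre = parse_version(version)
    core = (major, minor, patch)
    if package in RSC_PACKAGES:
        fixed = RSC_FIXED.get((major, minor))
        # Only the 19.0, 19.1 and 19.2 lines are named; others are not listed as affected.
        return fixed is not None and core < fixed
    if package == "next":
        if major in (15, 16):
            fixed = NEXT_FIXED.get((major, minor))
            if fixed is None:
                return True  # no patched release listed for this line: treat as unpatched
            # A prerelease of the patched version (e.g. 15.5.7-canary.1) predates the fix.
            return core < fixed or (core == fixed and pre is not None)
        if core == (14, 3, 0):
            canary = re.fullmatch(r"canary\.(\d+)", pre or "")
            return canary is not None and int(canary.group(1)) >= 77
    return False


def affected_packages(installed: dict) -> list:
    """Filter a {package: version} mapping (e.g. from a lockfile) down to affected entries."""
    return sorted(f"{name}@{ver}" for name, ver in installed.items() if is_affected(name, ver))
```

Feed it the resolved versions from a lockfile or `npm ls --json` output rather than the ranges in package.json, since only the installed version decides exposure.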
Security firm Wiz has reported that about 39% of cloud environments are affected by this vulnerability. Given its severity, users are advised to apply the provided patches as soon as possible.


Please send any additions and information to the editorial team by email to de-info[at]it-boltwise.de. Since we cannot rule out AI hallucinations, which rarely occur with AI-generated news and content, we ask you to contact us via email and inform us in the event of false statements or misinformation. Please don’t forget to include the article headline in the email: “Critical vulnerability in React and Next.js allows remote code execution”.


