🚨 Critical React + Next.js RCE Alert 🚨
New flaws in the React Server Components “Flight” protocol (CVE-2025-55182 & CVE-2025-66478) allow unauthenticated remote code execution on default installations.

Attackers only need one malicious HTTP request to take over a server.

Wiz reports 39% of cloud environments are vulnerable.

If you're running:
• React 19.0–19.2
• Next.js 14.3.0-canary, 15.x, 16.x (App Router)
• Any framework bundling react-server (Redwood, Waku, Vite/Parcel RSC plugins, etc.)

👉 You are likely exposed. Patch immediately.

Updates now available:
React 19.0.1 / 19.1.2 / 19.2.1
Next.js 14.3.0-canary.88 / 15.0.5+ / 16.0.7

Full RCE. Remote. Unauthenticated. Near-100% exploit reliability.

Patch today. Do not wait.

Critical Vulnerabilities in React and Next.js | Wiz Blog

Detect and mitigate CVE-2025-55182 and CVE-2025-66478, critical RCE vulnerabilities in React and Next.js.

wiz.io
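
To check where a project stands, here is an added example (not from this post or from Wiz) that classifies resolved `react` and `next` versions against the fixed releases listed above. It assumes exact versions as recorded in a lockfile, and the function names and status labels are illustrative. Release lines the post does not enumerate are reported as `check-advisory` rather than assumed safe.

```javascript
// Added example: classify resolved versions against the fixed releases named in the post.
// First fixed patch per release line, copied from the post's "Updates now available" list.
const FIXED = {
  react: { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" },
  next: { "15.0": "15.0.5", "16.0": "16.0.7" },
};
const NEXT_CANARY_FIX = 88; // 14.3.0-canary.88

// Parse an exact resolved version (not a range such as "^19.1.0").
function parse(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(version).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

function classify(pkg, version) {
  const v = parse(version);
  if (!v || !FIXED[pkg]) return "unknown";
  if (pkg === "next" && v.major === 14 && v.minor === 3 && v.patch === 0 && v.pre) {
    const c = /^canary\.(\d+)$/.exec(v.pre);
    if (!c) return "unknown";
    return +c[1] >= NEXT_CANARY_FIX ? "patched" : "vulnerable";
  }
  const affectedMajors = pkg === "react" ? [19] : [15, 16];
  if (!affectedMajors.includes(v.major)) return "not-listed";
  if (v.pre) return "unknown"; // prerelease of an affected line: the post gives no fix for it
  const fix = FIXED[pkg][`${v.major}.${v.minor}`];
  // Lines the post does not enumerate (e.g. Next.js 15.1+, covered only by "15.0.5+")
  // are never assumed safe.
  if (!fix) return "check-advisory";
  return v.patch >= parse(fix).patch ? "patched" : "vulnerable";
}

function audit(resolved) {
  const report = {};
  for (const [name, version] of Object.entries(resolved)) {
    if (FIXED[name]) report[name] = classify(name, version);
  }
  return report;
}

// Constructed sample: versions as they would appear resolved in a lockfile.
const sample = { react: "19.1.1", next: "15.0.4", lodash: "4.17.21" };
console.log(audit(sample)); // { react: 'vulnerable', next: 'vulnerable' }
```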