At a glance: A maximum-severity flaw in React and Next.js allows unauthenticated remote code execution via vulnerable RSC endpoints. Affected versions include React 19.x and Next.js 15–16 with App Router. Mitigation steps include upgrading to patched releases. Field Effect MDR clients will receive an ARO alert if any vulnerable deployments are detected.
Threat summary
On December 3, 2025, the React and Next.js teams disclosed a maximum-severity vulnerability affecting specific versions of React packages and frameworks that depend on them, including Next.js.
React is a widely used JavaScript library for building user interfaces, and Next.js is a framework built on React that provides server-side rendering and routing. Both technologies are heavily adopted in enterprise web applications and SaaS platforms. Several React-based frameworks and bundling tools either rely on, have peer dependencies for, or directly incorporate the affected packages.
The vulnerability originates in the react-server implementation of the React Server Components (RSC) "Flight" protocol, which the react-server-dom-* packages listed below ship. A threat actor can send a specially crafted HTTP request to an RSC endpoint; the server deserializes the request's Flight payload without sufficient validation, so attacker-supplied data ends up controlling what the server executes.
The result is remote code execution without authentication. The issue is tracked as CVE-2025-55182 for React and CVE-2025-66478 for Next.js, the latter covering the downstream impact in the framework.
The issue impacts:
- The React Server Components packages, versions 19.0.0 through 19.2.0:
  - react-server-dom-webpack
  - react-server-dom-parcel
  - react-server-dom-turbopack
- Next.js 15.x and 16.x when the App Router is used
- Next.js 14 canary releases starting at 14.3.0-canary.77
- Frameworks and bundler integrations that ship RSC support, including:
  - next
  - react-router
  - waku
  - @parcel/rsc
  - @vitejs/plugin-rsc
  - rwsdk
Patches were released in React 19.0.1, 19.1.2, and 19.2.1, and in Next.js 15.0.5, 15.1.9, 15.3.6, 15.4.8, 15.5.7, and 16.0.7.
Researchers reported that the exploit is not technically complex: a single malicious HTTP request suffices, so every reachable RSC endpoint is an exposure point. The impact is unauthenticated remote code execution, which in the worst case allows complete compromise of the application server and downstream access to sensitive data.
Security researchers confirmed that even newly generated Next.js applications created with default tooling (create-next-app) are vulnerable without code modifications.
Analyst insight
The flaws are exploitable in default configurations, carry maximum severity, and have already been publicly disclosed.
Because the flaw is present in the default configuration of widely adopted frameworks such as React and Next.js, the risk extends broadly across enterprise and SaaS environments. Even an application that never defines a Server Function is likely vulnerable if the framework it runs on serves RSC endpoints, as a default App Router deployment does.
Organizations should inventory applications using React 19.x or Next.js 15.x and 16.x with the App Router, including transitive copies of the react-server-dom-* packages pulled in by other tooling, upgrade to the patched versions released on December 3, and monitor any exposed deployment that cannot be patched immediately. Refer to the React and Next.js guidance for dependency-specific instructions.
Until the upgrade is fully deployed, reduce exposure at runtime: restrict which networks and clients can reach the RSC endpoints of unpatched applications, and monitor those endpoints for anomalous request payloads.
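The inventory step recommended above, and the affected-version list in the threat summary, are easier to act on with a script than by eye. The following is an added example, not code from Field Effect, React or Next.js: it transcribes the advisory's affected ranges and first-fixed releases into a table and checks every entry of a package-lock.json against it, including nested copies under other packages. The lockfile it runs on is constructed sample input. Two caveats: a lockfile cannot show whether a Next.js app actually uses the App Router, so a hit on next still needs that confirmation, and a version newer than anything the advisory lists is reported as such rather than as safe.

```javascript
// Added example (not Field Effect's, React's or Next.js's code): an offline inventory check
// that flags the package versions this advisory lists as affected. Version data below is
// transcribed from the advisory; the lockfile at the bottom is constructed sample input.

// First patched release for each affected minor line, keyed by package name.
const FIRST_FIXED = {
  'react-server-dom-webpack':   { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' },
  'react-server-dom-parcel':    { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' },
  'react-server-dom-turbopack': { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' },
  next: { '15.0': '15.0.5', '15.1': '15.1.9', '15.3': '15.3.6',
          '15.4': '15.4.8', '15.5': '15.5.7', '16.0': '16.0.7' },
};

// Parse "major.minor.patch[-prerelease]" (e.g. "14.3.0-canary.77") into its parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : null };
}

// Semver ordering: numeric core first; a prerelease sorts below the plain release and
// prerelease identifiers compare numerically when both are numbers.
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;
  if (!b.pre) return -1;
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) { if (+x !== +y) return +x < +y ? -1 : 1; }
    else if (nx !== ny) return nx ? -1 : 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Classify one package@version against the advisory's affected ranges and fixed releases.
function assess(name, version) {
  const table = Object.hasOwn(FIRST_FIXED, name) ? FIRST_FIXED[name] : undefined;
  if (!table) return { name, version, status: 'not-listed' };
  const v = parseVersion(version);
  if (name === 'next' && v.major === 14) {
    // Only 14.3.0-canary.77 and later canaries are listed, and no patched 14.x canary is
    // given, so the remedy for a hit is moving to a patched stable line.
    const hit = v.minor === 3 && v.patch === 0 && v.pre !== null &&
                v.pre[0] === 'canary' && +v.pre[1] >= 77;
    return { name, version, status: hit ? 'vulnerable' : 'not-affected', fixedIn: null };
  }
  const inRange = name === 'next' ? [15, 16].includes(v.major) : v.major === 19 && v.minor <= 2;
  if (!inRange) return { name, version, status: 'not-affected' };
  const fixed = table[`${v.major}.${v.minor}`];
  if (fixed) {
    // A prerelease of the fixed version sorts below it and is therefore flagged.
    const vulnerable = compareVersions(v, parseVersion(fixed)) < 0;
    return { name, version, status: vulnerable ? 'vulnerable' : 'patched', fixedIn: fixed };
  }
  // No fix listed for this minor line: if the version is newer than every fix listed for its
  // major, the advisory predates it (re-check the vendor advisory); otherwise treat it as a hit.
  const newest = Object.values(table).map(parseVersion)
    .filter(f => f.major === v.major).sort(compareVersions).pop();
  const status = newest && compareVersions(v, newest) > 0 ? 'newer-than-advisory' : 'vulnerable';
  return { name, version, status, fixedIn: null };
}

// Walk a lockfile v2/v3 "packages" map; nested copies under other packages count too.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !entry.version) continue;                  // root project entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (Object.hasOwn(FIRST_FIXED, name)) findings.push({ path, ...assess(name, entry.version) });
  }
  return findings;
}

function formatReport(findings) {
  return findings.map(f =>
    `${f.status.padEnd(20)} ${f.path}@${f.version}` + (f.fixedIn ? `  (first fixed: ${f.fixedIn})` : '')
  ).join('\n');
}

// Constructed sample lockfile (lockfileVersion 3 shape), not from a real project.
const SAMPLE_LOCK = {
  name: 'sample-app', lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', dependencies: { next: '15.5.6', react: '19.2.0' } },
    'node_modules/next': { version: '15.5.6' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/some-tool/node_modules/react-server-dom-turbopack': { version: '19.2.1' },
  },
};

console.log(formatReport(scanLockfile(SAMPLE_LOCK)));
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of the project's package-lock.json; the same table-driven logic applies to any other lockfile format once its entries are mapped to name and version. Treat a "vulnerable" hit on a nested copy exactly like a top-level one: the advisory's scope covers packages that incorporate the affected code transitively.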
Field Effect MDR continuously monitors for vulnerabilities through advanced analytics, threat intelligence, and 24/7 visibility across endpoints, networks, and cloud environments. By correlating network traffic, endpoint behavior, and indicators of compromise, Field Effect MDR detects and blocks exploit attempts, flagging anomalies such as malformed requests, suspicious outbound connections, or unauthorized privilege changes.
Field Effect MDR clients will receive an ARO alert identifying any instances vulnerable to the noted flaws, with remediation guidance.