dark
Hand-Picked Top-Read Stories
Trending Tags
2 minute read

Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution

info@thehackernews.com (The Hacker News)
December 3, 2025
A maximum-severity security flaw has been disclosed in React Server Components (RSC) that, if successfully exploited, could result in remote code execution. The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0. The vulnerability has been codenamed React2shell. It allows “unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React
Total
0
Shares
0
0
0
[[{“value”:”

A maximum-severity security flaw has been disclosed in React Server Components (RSC) that, if successfully exploited, could result in remote code execution.

The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0.

It allows “unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints,” the React Team said in an alert issued today.

“Even if your app does not implement any React Server Function endpoints, it may still be vulnerable if your app supports React Server Components.”

According to cloud security firm Wiz, the issue is a case of logical deserialization that stems from processing RSC payloads in an unsafe manner. As a result, an unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves execution of arbitrary JavaScript code on the server.

Cybersecurity

The vulnerability impacts versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of the following npm packages –

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

It has been addressed in versions 19.0.1, 19.1.2, and 19.2.1. New Zealand-based security researcher Lachlan Davidson has been credited with discovering and reporting the flaw on November 29, 2025.

It’s worth noting that the vulnerability also affects Next.js using App Router. The issue has been assigned the CVE identifier CVE-2025-66478 (CVSS score: 10.0). It impacts versions >=14.3.0-canary.77, >=15, and >=16. Patched versions are 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, and 15.0.5.

That said, any library that bundles RSC is likely to be affected by the flaw. This includes, but is not limited to, Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodJS, and Waku.

Wiz said 39% of cloud environments have instances vulnerable to CVE-2025-55182 and/or CVE-2025-66478. In light of the severity of the vulnerability, it’s advised that users apply the fixes as soon as possible for optimal protection.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Share 0
Tweet 0
Share 0
Share 0
Share 0
Previous Post

Microsoft Silently Patches Windows LNK Flaw After Years of Active Exploitation

December 3, 2025
Next Post

University of Phoenix says ‘numerous individuals’ impacted by Oracle EBS breach

December 3, 2025
Related Posts
1 min

ThreatsDay Bulletin: Spyware Alerts, Mirai Strikes, Docker Leaks, ValleyRAT Rootkit — and 20 More Stories

This week’s cyber stories show how fast the online world can turn risky. Hackers are sneaking malware into movie downloads, browser add-ons, and even software updates people trust. Tech giants and governments are racing to plug new holes while arguing over privacy and control. And researchers keep uncovering just how much of our digital life is still wide open. The new Threatsday Bulletin
info@thehackernews.com (The Hacker News)
December 11, 2025
Read More