A critical vulnerability in React Server Components (RSC) was announced today. It affects React itself (CVE-2025-55182) and every framework built on RSC, most notably Next.js (CVE-2025-66478).

Both vulnerabilities were assigned a CVSSv3 score of 10.0, marking them as critical.

The root cause lies in RSC’s ReactFlight protocol, which React 19 uses to serialize and deserialize data between the server and the client. A logic error in its deserialization makes it unsafe: a specially crafted HTTP request can trigger Remote Code Execution on the server that processes it.

Vulnerable React components include versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-parcel, react-server-dom-webpack, and react-server-dom-turbopack.

Next.js ships these vulnerable components when the App Router is used, in versions ≥14.3.0-canary.77, ≥15, and ≥16.

Other frameworks that use the React components named above, or that otherwise depend on RSC, may also be vulnerable.

No proof-of-concept exploit is publicly available as of this writing, but given the severity and impact of these vulnerabilities, patching immediately is recommended.

  • Users of React are urged to update to versions 19.0.1, 19.1.2, or 19.2.1.
  • Next.js users should upgrade to versions 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7.
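To turn the version lists above into a repeatable check, the following script audits an npm lockfile (lockfileVersion 2 or 3, the `packages` map) and reports every copy of `next` and the three react-server-dom-* packages, including nested copies pulled in by other dependencies. This is an added example written for this post, not Orca's tooling or React's; the package names and version boundaries come from the advisory text above, the semver comparison is a minimal hand-rolled one so the script needs no third-party modules, and the embedded lockfile fragment is constructed sample data.

```javascript
// Added example (not Orca's or React's code): audit an npm lockfile for the
// React Server Components and Next.js versions named in the advisory.
// Uses only Node built-ins so it runs offline; SAMPLE_LOCK below is constructed.

const RSC_PACKAGES = ["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"];
// Vulnerable react-server-dom-* versions from the advisory ("19.0" read as 19.0.0).
const RSC_VULNERABLE = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
// Fixed react-server-dom-* release per 19.x line, from the advisory.
const RSC_FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
// Fixed Next.js release per major.minor line, from the advisory.
const NEXT_FIXED = { "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
                     "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7" };
// Advisory: Next.js from this canary onward (with App Router) is affected.
const NEXT_RANGE_START = "14.3.0-canary.77";

// Minimal semver parser: major.minor.patch plus optional prerelease identifiers.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { main: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : [] };
}

// Semver precedence: x.y.z numerically, then a release outranks any prerelease
// of the same x.y.z, then prerelease identifiers left to right.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa.main[i] !== pb.main[i]) return pa.main[i] - pb.main[i];
  if (pa.pre.length === 0 && pb.pre.length === 0) return 0;
  if (pa.pre.length === 0) return 1;
  if (pb.pre.length === 0) return -1;
  const n = Math.min(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (Number(x) !== Number(y)) return Number(x) - Number(y); }
    else if (xn) return -1;            // numeric identifiers rank below alphanumeric ones
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return pa.pre.length - pb.pre.length;
}

// Classify one installed package as "vulnerable", "patched", "not-affected" or
// "review" (inside a 19.x/15.x/16.x line the advisory lists no fix for, e.g. a
// canary build), or null when the advisory does not cover the package at all.
function classify(name, version) {
  const [major, minor] = parseSemver(version).main;
  if (RSC_PACKAGES.includes(name)) {
    if (RSC_VULNERABLE.has(version)) return "vulnerable";
    if (major !== 19) return "not-affected";
    const fix = RSC_FIXED[`19.${minor}`];
    return fix && compareSemver(version, fix) >= 0 ? "patched" : "review";
  }
  if (name === "next") {
    if (compareSemver(version, NEXT_RANGE_START) < 0) return "not-affected";
    const fix = NEXT_FIXED[`${major}.${minor}`];
    if (fix) return compareSemver(version, fix) >= 0 ? "patched" : "vulnerable";
    // 14.3.0-canary.77 and later 14.x canaries have no listed fix; other
    // unlisted 15.x/16.x lines need a manual look against the vendor advisory.
    return major === 14 ? "vulnerable" : "review";
  }
  return null;
}

// Walk the lockfile's "packages" map; the key "" is the root project itself and
// nested keys such as "node_modules/a/node_modules/next" are separate copies.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path || !entry.version) continue;
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const status = classify(name, entry.version);
    if (status) findings.push({ path, name, version: entry.version, status });
  }
  return findings;
}

// Constructed sample lockfile fragment (not from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/next": { version: "15.4.7" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-parcel": { version: "19.2.1" },
    "node_modules/some-tool/node_modules/next": { version: "16.0.7" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node rsc-audit.js [path/to/package-lock.json]; defaults to the sample.
  const lock = process.argv[2] ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) console.log(`${f.status.padEnd(13)} ${f.name}@${f.version}  (${f.path})`);
}
if (typeof module !== "undefined") module.exports = { compareSemver, classify, auditLockfile, SAMPLE_LOCK };
```

Run it against a real `package-lock.json` to list each covered package with its status; anything reported as `vulnerable` maps directly onto the fixed versions listed above, and `review` flags a version inside an affected line that the advisory does not give a fix for, which is worth checking by hand rather than assuming safe. The script reads only the lockfile, so it can run in CI before a deploy or across a fleet of repositories without touching the running application.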

How can Orca help?

The Orca Cloud Security Platform continuously scans for vulnerabilities in your cloud environments, including AWS, Azure, Google, Kubernetes, and others. When Orca finds a vulnerability, it will immediately create an alert and assign a risk score by considering the full contextual picture of the risk and the surrounding cloud environment so teams know which vulnerabilities need to be patched first.

The Orca Platform displays trending vulnerabilities in the “From the News” widget of the Orca dashboard. Users can see if their environment is vulnerable to the vulnerabilities and how to remediate them.

Learn more

If you’re interested in learning more about the Orca Platform and how it can help you protect against vulnerabilities, schedule a personalized 1:1 demo.