On December 3, 2025, React and Next.js published security advisories for a critical vulnerability affecting the React Server Components (RSC) ecosystem. CVE-2025-55182 and CVE-2025-66478 stem from a deserialization flaw in the RSC Flight protocol that allows attackers to achieve remote code execution. Both vulnerabilities carry a CVSS score of 10.0 (Critical), and organizations running any RSC-enabled framework are strongly advised to apply patches without delay.
In this blog, we explain how the RSC Flight CVE-2025-55182 and Next.js CVE-2025-66478 vulnerabilities work and provide practical steps for validation and remediation.
The React Server Components (RSC) ecosystem is the collection of packages, frameworks, and bundlers that enable React 19 applications to run parts of their logic on the server rather than the browser. This includes core packages such as react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack, along with frameworks like Next.js. At the center of this ecosystem is the Flight protocol, the mechanism React uses to transport data between the client and server. When the client renders a Server Component or calls a Server Function, React packages the request into a serialized "Flight" payload, sends it to the server, and then decodes it back into a function call. The server processes the request and returns a serialized response following the same protocol.
On December 3, 2025, React and Next.js disclosed two critical vulnerabilities, CVE-2025-55182 and CVE-2025-66478, that arise directly from this process. Because the Flight protocol's decoding logic implicitly expands object properties, it is susceptible to unsafe deserialization. Using these vulnerabilities, attackers can inject malicious keys into the payload, pollute object prototypes, and ultimately influence server-side execution paths. This leads to unauthenticated remote code execution in default configurations.
The affected products are listed below, and organizations are advised to upgrade React, Next.js, and any RSC-enabled framework to the patched versions.
| Vulnerability | CVSS Score | Affected Products | Affected Versions |
|---|---|---|---|
| CVE-2025-55182 | 10.0 (Critical) | React Server Components packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) | |
| CVE-2025-66478 | 10.0 (Critical) | Next.js (App Router) | |
The CVE-2025-55182 vulnerability is caused by a flaw in how React Server Components (RSC) decode data sent from the client to the server [1]. When the server receives an RSC payload, the Flight protocol deserializes it, turning the encoded data back into JavaScript structures. The problem is that React's deserialization logic expands object properties without sufficiently validating them. This makes it possible for an attacker to insert malicious keys into the payload, such as __proto__ or constructor, which alter the fundamental behavior of JavaScript objects on the server. This lack of validation allows prototype pollution during the parsing stage.
Once the attacker pollutes these core prototypes, the server may follow execution paths that were never intended. In affected React versions, this unsafe expansion can be chained into full remote code execution. The React team explains that an attacker only needs to send a specially crafted HTTP request to any Server Function endpoint, and because the vulnerability affects default configurations, even applications that did not explicitly define such endpoints may still deserialize the payload. When the payload passes through the vulnerable decoding logic, attacker-controlled data can influence server-side execution, allowing arbitrary JavaScript to run with server privileges.
Next.js is affected because it directly implements the same React Server Components (RSC) Flight protocol that contains the upstream deserialization flaw. The vulnerability originates in React's handling of Flight payloads, but when these server-side components are embedded into the Next.js App Router architecture, the unsafe behavior propagates downstream and becomes CVE-2025-66478 [2].
In an App Router–based Next.js application, every server action, server component request, or server function call relies on the Flight protocol to exchange data between the client and server. When a request arrives, Next.js forwards the payload to its RSC handler, which then uses React's decoding logic to deserialize it. Because this decoding process implicitly expands object properties without enforcing proper validation, a malicious payload can introduce prototype-polluting keys such as __proto__ or constructor. Once these keys are processed, they modify core server-side JavaScript structures.
This polluted execution context causes Next.js to follow untrusted code paths during request handling. The attacker-controlled structures can influence how Next.js resolves server functions or processes serialized component data, which ultimately enables arbitrary JavaScript execution on the server.
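The mechanism described above for both CVEs, a decoder that expands client-supplied object keys without validating them so that a __proto__ key ends up writing onto Object.prototype, can be reproduced in isolation. The following is an added, constructed JavaScript illustration; it is not React's Flight implementation or any code from the advisories. expandNaive stands in for the unvalidated expansion, expandHardened shows the key-rejection and null-prototype handling a deserializer needs, and UNTRUSTED_PAYLOAD is a constructed input. The hardened decoder illustrates the defect class only; for the affected packages the remedy is the vendor patch, not a wrapper around the protocol.

```javascript
'use strict';
// Constructed, simplified stand-in for a deserializer that "expands"
// decoded object properties into server-side objects. Not React's code.

// Keys that can redirect writes to a prototype. __proto__ and constructor
// are the ones named in the advisory text; prototype is the usual third
// member of the deny list (added here as standard hardening practice).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed payload shaped like what an untrusted client could send.
// JSON.parse keeps "__proto__" as an ordinary own property of the parsed
// object; harm occurs only when a decoder copies it onto a normal object.
const UNTRUSTED_PAYLOAD = '{"args":[1,2],"__proto__":{"polluted":"yes"}}';

// Vulnerable pattern: deep-merge decoded properties into a plain object.
// target["__proto__"] resolves to Object.prototype through the inherited
// accessor, so recursing into it writes attacker keys onto every object.
function expandNaive(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = Array.isArray(value) ? [] : {};
      }
      expandNaive(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: reject prototype-affecting keys outright and build the
// result on null-prototype objects, so even a missed key cannot reach
// Object.prototype through an inherited accessor.
function expandHardened(source) {
  if (source === null || typeof source !== 'object') return source;
  if (Array.isArray(source)) return source.map(expandHardened);
  const out = Object.create(null);
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected unsafe key in payload: ${key}`);
    }
    out[key] = expandHardened(source[key]);
  }
  return out;
}

function decodeNaive(json) {
  return expandNaive({}, JSON.parse(json));
}

function decodeHardened(json) {
  return expandHardened(JSON.parse(json));
}

// Runs both decoders against the same payload and reports whether an
// unrelated, freshly created object picked up the injected property.
// Cleans up afterwards so the pollution does not outlive the demo.
function demonstrate(payload = UNTRUSTED_PAYLOAD) {
  const probe = () => ({}).polluted; // reads through Object.prototype
  const result = {
    before: probe(),
    afterNaive: undefined,
    hardenedRejected: false,
    cleanArgs: undefined,
  };
  try {
    decodeNaive(payload);
    result.afterNaive = probe();
    try {
      decodeHardened(payload);
    } catch (e) {
      result.hardenedRejected = true;
    }
    // A benign payload still decodes normally through the hardened path.
    result.cleanArgs = decodeHardened('{"args":[1,2]}').args;
  } finally {
    delete Object.prototype.polluted; // undo the pollution
  }
  return result;
}

console.log(demonstrate());
```

Running the file with node prints before as undefined, afterNaive as "yes" (a brand-new empty object now carries the injected property), and hardenedRejected as true. The null-prototype objects from expandHardened have no inherited __proto__ accessor at all, so even if a forbidden key slipped past the deny list it would become a plain own property rather than a prototype write.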
The ideal mitigation for CVE-2025-55182 and CVE-2025-66478 is to upgrade all affected React and Next.js components to the patched releases. Because the vulnerability originates in the React Server Components (RSC) Flight protocol, no configuration change or runtime safeguard can remove the underlying deserialization flaw. React has fixed the issue in versions 19.0.1, 19.1.2, and 19.2.1, which include the hardened Flight protocol implementation. Next.js has likewise published patched versions across all affected release lines, including versions 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7, each incorporating the corrected React components.
It is also important to treat circulating public "proof-of-concept" scripts with caution. Many PoCs published so far are not genuine demonstrations of the vulnerability and rely on developers exposing dangerous server-side APIs that are unrelated to the real flaw. As a result, there is no reliable, validated proof-of-concept exploit available yet, and misleading PoCs may cause false assumptions about whether an application is vulnerable.
To fully mitigate the risk of remote code execution, organizations should ensure that all React and Next.js dependencies match the patched versions and redeploy their applications after upgrading.
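One way to carry out the version check above across a dependency tree, including nested copies of react or next pulled in by other packages, is shown below. This is an added, constructed example and not a tool from React, Next.js, or the advisories. The patched-version tables are the ones listed on this page; the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages are checked against the React table on the assumption that they are released in lockstep with React. SAMPLE_TREE is a constructed input mirroring the shape of npm ls --all --json output, and version parsing is simplified to plain x.y.z strings.

```javascript
'use strict';
// Added helper for the remediation step: checks whether installed React /
// Next.js versions meet the patched releases the advisories list.
// Constructed example; version tables are taken from this page.

// Minimum patched version per release line (major.minor), from the page.
const PATCHED = {
  react: ['19.0.1', '19.1.2', '19.2.1'],
  next: ['15.0.5', '15.1.9', '15.2.6', '15.3.6', '15.4.8', '15.5.7', '16.0.7'],
};

// Assumption: the RSC transport packages version in lockstep with React,
// so they are assessed against the React table.
const PACKAGE_TABLE = {
  react: 'react',
  'react-server-dom-webpack': 'react',
  'react-server-dom-parcel': 'react',
  'react-server-dom-turbopack': 'react',
  next: 'next',
};

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`cannot parse version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns "patched", "vulnerable", or "unlisted" (a release line not covered
// by the advisories quoted on this page, e.g. React 18 or Next.js 14, which
// needs a manual check against the vendor advisory rather than a verdict).
function assess(pkg, installed) {
  const table = PATCHED[PACKAGE_TABLE[pkg]];
  if (!table) throw new Error(`not an assessed package: ${pkg}`);
  const inst = parseVersion(installed);
  const fix = table
    .map(parseVersion)
    .find((p) => p[0] === inst[0] && p[1] === inst[1]);
  if (!fix) return 'unlisted';
  return compare(inst, fix) >= 0 ? 'patched' : 'vulnerable';
}

// Walks a dependency tree shaped like `npm ls --all --json` output and
// reports every assessed package found, including nested duplicates that a
// top-level upgrade alone would miss.
function auditTree(tree, findings = [], path = []) {
  const deps = tree.dependencies || {};
  for (const [name, info] of Object.entries(deps)) {
    const here = [...path, name];
    if (PACKAGE_TABLE[name] && info.version) {
      findings.push({
        path: here.join(' > '),
        version: info.version,
        status: assess(name, info.version),
      });
    }
    auditTree(info, findings, here);
  }
  return findings;
}

// Only the entries that still need an upgrade before redeploying.
function needsUpgrade(tree) {
  return auditTree(tree).filter((f) => f.status === 'vulnerable');
}

// Constructed sample (not real npm output): a top-level Next.js below its
// line's patched release, a patched React, and an older React nested under
// a UI library.
const SAMPLE_TREE = {
  name: 'example-app',
  dependencies: {
    next: { version: '15.3.4', dependencies: {} },
    react: { version: '19.2.1' },
    'some-ui-kit': {
      version: '2.0.0',
      dependencies: { react: { version: '19.1.0' } },
    },
  },
};

console.table(auditTree(SAMPLE_TREE));
```

In practice the tree comes from running npm ls --all --json in the application directory and parsing its output; the nested-copy case matters because a lockfile can keep an older react under a third-party package even after the top-level dependency is bumped, and the page's remediation advice is that every copy must match a patched release before redeploying.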
References
[1] "Critical Security Vulnerability in React Server Components." Available: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
[2] J. Story and S. Markbåge, "Security Advisory: CVE-2025-66478," Dec. 03, 2025. Available: https://nextjs.org/blog/CVE-2025-66478