
"A maximum-severity flaw in the widely used JavaScript library React and several React-based frameworks, including Next.js, allows unauthenticated, remote attackers to execute malicious code on vulnerable instances. The flaw is easy to abuse, and mass exploitation is "imminent," according to security researchers. The React team disclosed the unauthenticated remote code execution (RCE) vulnerability in React Server Components on Wednesday. It's tracked as CVE-2025-55182 and received a maximum 10.0 CVSS severity rating."
"Vercel, the creator and primary maintainer of Next.js, assigned its own CVE (CVE-2025-66478) for the flaw, and issued an alert and patch on Wednesday, too. While we don't have too many details about the vulnerability, we know it abuses a flaw in how React decodes payloads sent to React Server Function endpoints. "An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint"
A maximum-severity unauthenticated remote code execution vulnerability affects React Server Components and the default configurations of several React frameworks and bundlers. It is tracked as CVE-2025-55182 with a CVSS score of 10.0 and affects React 19.0.0, 19.1.0, 19.1.1 and 19.2.0; the vulnerable code is the server-side decoder for Server Function requests, which ships in the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages rather than in the core react package. Vercel assigned CVE-2025-66478 to the Next.js exposure and released patched Next.js releases of its own, which matters because Next.js bundles its own copy of that runtime and does not pick up a fix from a standalone React upgrade. Exploitation abuses how the decoder handles attacker-supplied payloads sent to Server Function endpoints, needs no authentication and few prerequisites, which is why researchers expect mass exploitation imminently. Upgrading the React Server Components packages to 19.0.1, 19.1.2 or 19.2.1 (or, for Next.js, to a release Vercel patched) fixes the issue; any server-rendered deployment on an affected version exposes Server Function endpoints by default and should be patched immediately.
Read at The Register