
"Even if your app does not implement any React Server Function endpoints, it may still be vulnerable if your app supports React Server Components. According to cloud security firm Wiz, the issue is a case of logical deserialization that stems from processing RSC payloads in an unsafe manner. As a result, an unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves execution of arbitrary JavaScript code on the server."
"It has been addressed in versions 19.0.1, 19.1.2, and 19.2.1. New Zealand-based security researcher Lachlan Davidson has been credited with discovering and reporting the flaw on November 29, 2025. It's worth noting that the vulnerability also affects Next.js using App Router. The issue has been assigned the CVE identifier CVE-2025-66478 (CVSS score: 10.0). It impacts versions >=14.3.0-canary.77, >=15, and >=16."
A critical deserialization flaw in React Server Components (CVE-2025-55182, CVSS 10.0) enables unauthenticated remote code execution by exploiting how React decodes payloads sent to Server Function endpoints; an app is exposed as soon as it serves React Server Components, even if it defines no Server Functions of its own. Affected npm packages include react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack (versions 19.0 through 19.2.0), with fixes in 19.0.1, 19.1.2, and 19.2.1. Next.js App Router users are tracked separately under CVE-2025-66478 (versions >=14.3.0-canary.77, >=15, and >=16) and must upgrade to the corresponding patched Next.js releases. Because frameworks and libraries that bundle RSC ship their own copy of the decoder, any such library can be affected, so checking only the top-level react-server-dom-* dependency is not sufficient. Cloud scans show that a significant portion of environments remain vulnerable. The flaw was reported by researcher Lachlan Davidson.
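The affected and patched version numbers above are enough to turn into a lockfile check. The following is an added example, not code from the advisory, from Wiz, or from the React project: it classifies each react-server-dom-* entry of a flat name-to-version map against the stated ranges (19.0.0 through 19.2.0 affected; 19.0.1, 19.1.2 and 19.2.1 fixed). The function names, the `FIXED_BY_MINOR` table and the `SAMPLE_DEPS` input are all constructed for the example; the choice to flag canary/prerelease builds on an affected line as "review" rather than assert a status for them is an assumption, since the write-up does not enumerate prerelease versions.

```javascript
// Added example (not the advisory's or React's own code): classify installed
// react-server-dom-* versions against the CVE-2025-55182 ranges quoted above.
// Assumption: prerelease builds on an affected minor line are flagged "review"
// rather than given a definite status.

const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Lowest patched release on each affected minor line, as stated in the text.
const FIXED_BY_MINOR = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; returns null for anything else (tags, ranges).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Compare two parsed versions by release numbers only (prerelease handled by caller).
function compareRelease(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Classify one package@version as "vulnerable", "fixed", "unaffected", "review" or "invalid".
function classify(pkg, version) {
  if (!AFFECTED_PACKAGES.has(pkg)) return "unaffected";
  const v = parseVersion(version);
  if (!v) return "invalid";
  const fixed = FIXED_BY_MINOR[`${v.major}.${v.minor}`];
  if (!fixed) return "unaffected"; // 18.x, 19.3+, etc. are outside the stated range
  if (v.prerelease) return "review"; // canary build on an affected line: check by hand
  return compareRelease(v, parseVersion(fixed)) < 0 ? "vulnerable" : "fixed";
}

// Audit a flat { name: version } map (e.g. flattened from package-lock.json "packages")
// and return every entry that is not plainly unaffected.
function audit(deps) {
  const findings = [];
  for (const [name, version] of Object.entries(deps)) {
    const status = classify(name, version);
    if (status !== "unaffected") findings.push({ name, version, status });
  }
  return findings;
}

// Constructed sample input standing in for a parsed lockfile.
const SAMPLE_DEPS = {
  "react": "19.2.0",
  "react-server-dom-webpack": "19.2.0",
  "react-server-dom-turbopack": "19.1.2",
  "react-server-dom-parcel": "19.0.0",
  "next": "15.5.0",
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of audit(SAMPLE_DEPS)) {
    console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}`);
  }
}
```

Run it against a map built from every `node_modules/**/package.json` you find, not just the top-level lockfile entries: as the summary notes, a framework that bundles RSC (Next.js App Router, for instance) carries its own copy of the decoder, so a clean top-level react-server-dom-* entry does not clear the deployment. Anything reported as "review" or "invalid" needs a manual look rather than a green tick.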
Read at The Hacker News