
"Developers using the React 19 library for building application interfaces are urged to immediately upgrade to the latest version because of a critical vulnerability that can be easily exploited by an attacker to remotely run their own code. Researchers at Wiz said Wednesday that a vulnerability in the React Server Components (RSC) Flight protocol affects the React 19 ecosystem, as well as frameworks that implement it. In particular, that means Next.js, a popular full stack development framework built on top of React."
"'The vulnerability exists in the default configuration of affected applications, meaning standard deployments are immediately at risk,' says the warning. 'Due to the high severity and the ease of exploitation, immediate patching is required.' 'Our exploitation tests show that a standard Next.js application created via create-next-app and built for production is vulnerable without any specific code modifications by the developer,' Wiz also warns."
A vulnerability in the React Server Components (RSC) Flight protocol in React 19 allows specially crafted payloads to trigger unsafe deserialization and remote code execution. The flaw exists in default configurations, placing standard deployments at immediate risk and affecting frameworks that implement RSC, such as Next.js, which received a separate CVE. The flaw in the server-side package, tracked as CVE-2025-55182, permits attacker-controlled data to influence server-side execution logic and run privileged JavaScript. Standard Next.js production builds created via create-next-app are vulnerable without any code changes by the developer. Immediate patching and upgrading to the latest React 19 release are required.
Read at InfoWorld