CVE-2025-55182: A Deep Dive into the Critical React RCE Vulnerability
CVE-2025-55182 and its Next.js counterpart, CVE-2025-66478, are critical-severity vulnerabilities allowing pre-authentication Remote Code Execution (RCE) in applications using React Server Components (RSC). This post breaks down the vulnerability from a technical perspective and explains how the exploit works.
Executive Summary
Background: Understanding the Component That Failed
React Flight (a.k.a. React Server Components transport […]
Critical Security Alert: Unauthenticated RCE in React CVE-2025-55182 & Next.js CVE-2025-66478
Two new critical vulnerabilities, CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), were publicly disclosed today, impacting React and Next.js applications. These issues allow unauthenticated remote code execution under default framework configurations, requiring no special setup or developer mistakes. Testing confirms that even newly generated Next.js applications created with create-next-app and built for production are immediately vulnerable without […]