A critical security flaw in React Server Components has been disclosed that could allow remote code execution if exploited. The vulnerability affects multiple versions of React packages and Next.js and carries a CVSS score of 10.0. #ReactServerComponents #CVE-2025-55182 #Next.js #remoteCodeExecution
Key points
- The vulnerability is associated with logical deserialization in React Server Components.
- It allows unauthenticated attackers to execute arbitrary JavaScript code on servers.
- The flaw affects specific versions of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.
- Patched versions are available for affected packages and Next.js versions.
- Wiz reports that 39% of cloud environments are vulnerable to this flaw.
Read More: https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html