Cybersecurity Threat Advisory: Critical React2Shell vulnerability

Cybersecurity Threat Advisory

There are two critical unauthenticated remote code execution vulnerabilities in the React Server Components (RSC) “Flight” protocol. Continue reading this Cybersecurity Threat Advisory to learn how to protect you and your clients’ environments.

What is the threat?

These critical vulnerabilities have been identified in the Flight protocol of the React Server Components (RSC), affecting the React 19 ecosystem and frameworks that implement it, most notably Next.js.

  • CVE-2025-55182: React2Shell
  • CVE-2025-66478: Next.js

These flaws enable unauthenticated remote code execution on the server due to insecure deserialization. They exist in the default configuration of affected applications, meaning standard deployments are immediately at risk.

Why is it noteworthy?

These are newly disclosed unauthenticated RCEs in React Server Components, rated “critical” due to easy exploitability and React’s ubiquity in modern web apps. Similar to Log4Shell, the vulnerabilities stem from deserialization of untrusted data. React’s server-side request decoding logic can deserialize attacker-controlled inputs, enabling arbitrary code execution even if Server Function endpoints aren’t exposed. Given React and Next.js’s global footprint and high weekly node package manager (NPM) download volumes, the potential reach is substantial.

What is the exposure or risk?

Both CVEs carry the highest CVSS score of 10 and allow remote, unauthenticated exploitation through crafted HTTP requests. Exploitation is highly reliable and can occur without authentication, targeting default configurations. Wiz data indicates a significant prevalence of vulnerable Next.js and React versions in cloud environments, with many publicly accessible instances.

What are the recommendations?

Barracuda strongly recommends the following actions to limit impact:

  • Upgrade to patched React versions (e.g., 19.0.1, 19.1.2, or 19.2.1) and update Next.js to the latest patched release.
  • Revert from canary 14.3.0-canary.77 to the latest stable 14.x release when using canary.
  • Update RSC-enabled bundlers and plugins including Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodSDK, and Waku.
  • Run post-upgrade security scans to verify removal of vulnerable versions and ensure all framework and bundler integrations are fully patched.
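As an added illustration of the post-upgrade verification step (example code, not from the advisory or from Barracuda), the following Node.js script walks the "packages" map of an npm package-lock.json and reports React packages still below the patched releases the advisory names, plus the Next.js canary it tells you to leave. The package names checked, the lockfile layout, and the embedded sample lock are assumptions; adjust the list to the RSC packages your framework pulls in.

```javascript
// Minimum patched patch level per React 19 minor, taken from the advisory
// (19.0.1, 19.1.2, 19.2.1). Other majors/minors are not covered here.
const FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };
// Assumed package names to inspect (not named in the advisory).
const REACT_PACKAGES = ["react", "react-dom"];
const BAD_NEXT_CANARY = "14.3.0-canary.77"; // canary named in the advisory

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v || "");
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns "vulnerable", "patched" or "unknown" for a React version string.
// Pre-release builds are reported as "unknown" so a human verifies them.
function classifyReact(version) {
  const p = parseVersion(version);
  if (!p || p.major !== 19 || !(p.minor in FIXED_PATCH) || p.pre) return "unknown";
  return p.patch < FIXED_PATCH[p.minor] ? "vulnerable" : "patched";
}

// Walks lockfile (v2/v3) keys such as "node_modules/react" or nested
// "node_modules/foo/node_modules/react"; returns every non-patched hit.
function findings(lock) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (REACT_PACKAGES.includes(name)) {
      const status = classifyReact(entry.version);
      if (status !== "patched") out.push({ path, version: entry.version, status });
    } else if (name === "next" && entry.version === BAD_NEXT_CANARY) {
      out.push({ path, version: entry.version, status: "vulnerable" });
    }
  }
  return out;
}

// Constructed sample lock data standing in for a real package-lock.json.
const SAMPLE_LOCK = {
  packages: {
    "": { version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-dom": { version: "19.2.1" },
    "node_modules/next": { version: "14.3.0-canary.77" },
    "node_modules/some-lib/node_modules/react": { version: "19.1.1" },
  },
};

for (const f of findings(SAMPLE_LOCK)) console.log(`${f.status}\t${f.path}\t${f.version}`);
```

For a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")) and treat any "unknown" result as something to confirm by hand.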

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.