
Next.js News: Critical React RCE Threat Demands Immediate Fix

Hoplon InfoSec

04 Dec, 2025


On December 3, 2025, a very important security question got a clear answer: "Can a remote attacker run arbitrary code on your Next.js app?" The answer is yes, and patches are now available.

On December 3, 2025, the React and Next.js maintainers disclosed a serious security hole that lets an unauthenticated attacker run code on the server-side parts of React and Next.js. The flaw is tracked as CVE-2025-55182 (in React) and CVE-2025-66478 (in Next.js). Any app that used a vulnerable version of React Server Components or the Next.js App Router was at risk. This update quickly became one of the most discussed topics in Next.js news communities.

Your Next.js website hosted in the cloud may still be vulnerable if you haven't updated yet. You should fix it right away.

Why does this Next.js news matter? How React Server Components became a threat

What are React Server Components, and why were they targeted?

React Server Components (RSC) let React apps run some of their component logic on the server, which makes them run faster and allows them to have server-rendered UIs without using a lot of client JS. React version 19.x comes with react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. These packages use the "RSC/Flight" protocol to send and receive data between the server and the client.

Attackers found out that this serialisation logic wasn't safe: React would decode payloads from HTTP requests without sufficiently validating their structure. In other words, the server could treat maliciously crafted data as genuine internal objects, which can lead to dangerous behaviour. The remote code execution bug is caused by this unsafe deserialization.

From React to Next.js: why Next.js apps are also in danger

The vulnerability also affects Next.js because many web apps use it. Next.js builds on React and adds support for React Server Components, especially when the App Router feature is used. Next.js maintainers put out an advisory under CVE-2025-66478 that talked about the RCE risk when Next.js uses the App Router and the React packages that are vulnerable. This advisory spread fast across Next.js news channels since it highlights how easily attackers could target production apps.


How to fix this right away (steps for patching and upgrading)

If you want to keep your React or Next.js app safe, do these things:

• Update your React packages. Make sure you are using patched versions of react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack. The patched versions are 19.0.1, 19.1.2, and 19.2.1.
• Upgrade Next.js: If you use Next.js App Router and are on a vulnerable version (Next.js 15.x or 16.x, or some canary 14.3 versions), you should upgrade to one of the patched releases: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7.
• If you're using a canary build (like 14.3.0-canary.77 or newer), you should either go back to the most recent stable 14.x release or move up to one of the patched versions above.
• If your project doesn't use RSC, Server Components, or Server Functions, the risk is lower, but make sure you know what your dependencies are. You probably won't be affected if you don't use any RSC features or react-server-dom packages.

Example npm commands: npm install react-server-dom-webpack@latest react@latest react-dom@latest to update the React packages, and npm install [email protected] to move Next.js to a patched release.

What the vulnerability does and why it matters

Unsafe deserialization and remote code execution

The main problem is deserialising data that you don't trust. When the server receives HTTP requests for Server Functions or RSC payloads, the React runtime deserialises the input. If that input is malicious (crafted by an attacker), the deserialization logic might mistake attacker-supplied data for internal references or objects. That can make your server behave in unexpected ways or even execute arbitrary code, which gives a remote attacker complete control over it.
The exploit surface is wide because this happens before any authentication check (pre-auth) and only needs network access through HTTP requests. An unpatched Next.js app created with create-next-app, with default settings, can be exploited.



Who is affected

• Projects that use React 19.x packages to work with React Server Components.
• Projects made with Next.js 15.x or 16.x (App Router) or some Canary 14.3 builds.
• Plugins for Vite, Parcel, RedwoodJS SDK, and other frameworks or bundlers that use react-server-dom packages.


You should be fine if your app doesn't use RSC or server functions and only runs React on the client side.


Available exploits and real-world examples

There are currently no confirmed reports of widespread exploitation in the wild. Akamai and other security companies have published rules to protect against attacks, and platforms like Netlify have fixed deployments that were exposed.
But there are urgent warnings: some experts say exploitation is "imminent" because of the public disclosure, the high severity (CVSS 10.0), and how easy it is to exploit (just a crafted HTTP request).

Example: how a vulnerable app could be exploited

Imagine you use create-next-app to start a new website with the default App Router (React 19, Next.js 16). You deploy the app on a regular server or cloud provider and expose a few server-side endpoints. An attacker sends an HTTP request carrying a carefully crafted "Flight" payload. Because your app uses React Server Components and doesn't validate the payload, React's deserializer corrupts internal data, and the attacker reaches a code path that executes arbitrary JavaScript on your server.


That could let the attacker read environment variables, get into the database, or even change how the server works, which would mean they have full control of your application.
After you update React and Next.js to patched versions and redeploy, the same malicious request will be safely ignored or rejected. This is because the unsafe deserialization bug is fixed, and the server no longer runs dangerous code.


Key points: pros and cons, trade-offs for reducing risk

Pros:

• The problem has a fix: both React (upstream) and Next.js (downstream) quickly patched the hole.
• If you patch right away, you can get back the performance and convenience benefits of React Server Components without the risk.
• Many hosts and bundlers have already rolled out patches or blocking mitigations, so the ecosystem is very aware.

Cons and risks:

• If you wait too long to patch, a remote attacker may be able to take over your production web app with little effort.
• A lot of projects might not even know they use the vulnerable react-server-dom packages, especially if the dependencies are deep in the tree or are bundled automatically.
• It might be harder to patch legacy or custom server environments, especially if they use older versions or custom bundlers.




Frequently asked questions

What is CVE-2025-55182, and who is at risk?

CVE-2025-55182 is a flaw in React Server Components packages (react-server-dom-webpack, -parcel, -turbopack) versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 that lets someone run code on a remote server. Any app that uses React or a framework and those packages is at risk.


Do I need to update Next.js to fix CVE-2025-66478?
Yes. If you're using Next.js 15.x or 16.x with the App Router (or a vulnerable 14.3 canary build), you should upgrade right away to one of the patched versions that the maintainers have listed (like 16.0.7 or 15.5.7).


Can an attacker exploit React Server Components without logging in?
Yes. The flaw is in the pre-authentication stage, which means that an attacker who is not authenticated can take advantage of it by sending a specially crafted HTTP request.


What versions of React and Next.js are at risk?
React: 19.0.0, 19.1.0, 19.1.1, 19.2.0 (the packages are react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack)
Next.js: any 15.x or 16.x version that uses App Router and some 14.3.0-canary builds (>= 14.3.0-canary.77)


How can I tell from my logs whether someone is trying to exploit this?
Because the exploit sends specially crafted HTTP payloads at server-side deserialization, look for suspicious POST requests or request bodies hitting your Server Function or RSC endpoints. It also helps to watch React's server-side logs for unexpected serialised data or errors. At the time of writing, however, there is no publicly verified generic PoC to build signatures from.

Final Thoughts

The disclosure of CVE-2025-55182 and CVE-2025-66478 is an important warning for the entire tech community. Server Components had a serious hole that allowed remote code execution. This topic continues to trend across Next.js news platforms because the vulnerability affects even default create-next-app setups.

If you run or deploy any React or Next.js app, you need to patch it right away. Update Next.js and React's server-dom packages to the patched versions. Once patched, you can keep using React Server Components safely.
Time matters here. Now that the bug is public, attackers will be studying it. The only way to stay safe is to stay informed and alert.
