
























The React Core Team and Vercel have disclosed critical security vulnerabilities affecting React Server Components (RSC) and Next.js App Router that enable unauthenticated remote code execution through specially crafted HTTP requests. These vulnerabilities, tracked as CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), pose an immediate threat to applications using React Server Components.
The root cause lies in insecure deserialization within the React Server Components "Flight" protocol. When servers process RSC payloads, insufficient input validation allows attacker-controlled data to influence server-side execution logic. According to the React Core Team's disclosure, this creates a reliable attack vector with near 100% success rate in testing environments.
The vulnerability is particularly concerning given its scope. Research from Wiz reveals that 39% of cloud environments contain instances of Next.js or React in vulnerable versions, while 44% of all cloud environments have publicly exposed Next.js instances—creating a massive attack surface for threat actors.
Applications using affected versions of the React Server Components implementation may process untrusted input in a way that allows an attacker to perform remote code execution. The vulnerability is present in the following React Server Components packages:
These packages are embedded in the following frameworks and bundlers:
React:
Next.js App Router:
StepSecurity provides tools to quickly identify vulnerable packages across your organization:
NPM Package Search: Use our tenant-wide package search to locate all instances of affected React and Next.js versions across your repositories.
Threat Center Monitoring: StepSecurity's Threat Center provides real-time alerts for critical vulnerabilities like these, enabling rapid response when new threats emerge in your dependency chain.

npm list react and npm list nextThe StepSecurity NPM Cooldown check, which helps protect against supply chain attacks by flagging recently released packages, will initially fail for these patched versions. The StepSecurity Research Team has reviewed and verified these security patches as safe. You can approve the failed cooldown checks for these specific versions through the StepSecurity platform.
For detailed technical analysis and proof-of-concept information:
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。