A maximum-severity vulnerability in React's Server Components protocol is threatening millions of applications worldwide. The flaw, assigned CVE-2025-55182 and CVE-2025-66478, allows attackers to execute remote code through specially crafted HTTP requests with nearly 100% success rates.
Security researcher Lachlan Davidson discovered the vulnerability, which affects React's default configuration and popular frameworks like Next.js. Wiz research shows 39% of cloud environments are vulnerable to these exploits.
Cloudflare has already deployed protective firewall rules, while hosting providers are implementing temporary fixes. Organizations must immediately upgrade to React versions 19.0.1, 19.1.2, or 19.2.1, and corresponding Next.js updates to prevent potential breaches.
Source: Dark Reading