Overview
Multiple advisories were released yesterday regarding Remote Code Execution (RCE) in React Server Components (RSC) and Next.js. The information is currently split across several vendor blogs. I’ve gone through the reports from React, Next.js, Cloudflare, and Wiz to compile a single technical summary of what’s affected and how to mitigate it.
Identification & Root Cause
The issue lies in how React Server Components handle serialization. Two CVEs have been assigned:
| CVE | Component | Root Cause |
|---|---|---|
| CVE-2025-55182 | React (RSC) | Insecure deserialization in the Flight protocol. Maliciously crafted payloads can execute arbitrary code during the hydration phase. |
| CVE-2025-66478 | Next.js | The Next.js App Router fails to validate specific headers before processing the Flight payload, exposing the deserialization flaw. |
Affected Versions
If you are using the App Router or React Server Components, assume you are affected unless you are on the patched versions listed below.
- Next.js: 15.x, 16.x, and 14.3.0-canary.77 and later canary releases.
- React: The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.
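An added example, not code from the React or Next.js advisories: a small Node.js audit that checks a dependency map against the affected versions listed above. It assumes a flat package-name-to-exact-version map (as read from a lockfile or `npm ls --json`), treats "19.0" as 19.0.0, and only flags Next.js entries for review, because this page names the affected lines but not every patched release number.

```javascript
// Added example, not from the React or Next.js advisories: audit a flat
// dependency map (package name -> installed version) against the versions
// this page lists. Assumes exact versions, as read from a lockfile.
const AFFECTED_RSC_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];
// Versions named as vulnerable on this page ("19.0" is treated as 19.0.0).
const VULNERABLE_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
// Patched releases named by the React team.
const FIXED_VERSIONS = new Set(["19.0.1", "19.1.2", "19.2.1"]);

// Strip a leading "v", "^" or "~" and pad "19.0" to "19.0.0".
function normalize(version) {
  const parts = String(version).replace(/^[v^~]/, "").split(".");
  while (parts.length < 3) parts.push("0");
  return parts.slice(0, 3).join(".");
}

// Classify one react-server-dom-* version.
function classifyRscVersion(version) {
  const v = normalize(version);
  if (VULNERABLE_VERSIONS.has(v)) return "vulnerable";
  if (FIXED_VERSIONS.has(v)) return "patched";
  return "unknown"; // other line or prerelease: check the advisory by hand
}

// Next.js 15.x, 16.x and 14.3.0-canary.77+ are the affected lines. The exact
// patched numbers are not on this page, so these are flagged for review only.
function isAffectedNextLine(version) {
  const v = String(version).replace(/^[v^~]/, "");
  const major = Number(v.split(".")[0]);
  const canary = /^14\.3\.0-canary\.(\d+)$/.exec(v);
  return major === 15 || major === 16 || (canary !== null && Number(canary[1]) >= 77);
}

// Returns one finding per relevant package present in deps.
function auditDependencies(deps) {
  const findings = [];
  for (const name of AFFECTED_RSC_PACKAGES) {
    if (name in deps) {
      findings.push({ name, version: deps[name], status: classifyRscVersion(deps[name]) });
    }
  }
  if ("next" in deps) {
    findings.push({ name: "next", version: deps.next, status: isAffectedNextLine(deps.next) ? "review" : "unknown" });
  }
  return findings;
}
```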
Vendor Data & Detection
Here is a breakdown of the specific findings and rules released by the major players involved.
| Source | Technical Findings |
|---|---|
| Vercel | Applied patches to their edge infrastructure. This protects Vercel-hosted projects, but self-hosted Next.js instances (Docker/AWS/GCP) remain vulnerable until patched. |
| Cloudflare | Released the WAF Managed Ruleset 33aa...fba and Free Ruleset 2b5d...280. The attack vector is detectable via specific patterns in the POST body of RSC requests. |
| React Team | Released 19.0.1, 19.1.2, and 19.2.1. They noted that the vulnerability is triggered when unvalidated input is passed to renderToPipeableStream. |
| Wiz | Focused on runtime detection. They highlighted that because this is a deserialization attack, standard signature-based detection might miss obfuscated payloads. Runtime process monitoring is a reliable secondary indicator. |
Mitigation Strategies
The recommendation is straightforward: patch the framework. If patching isn't an option immediately, you can block the traffic.
1. Patch (Primary Fix)
Next.js
All Next.js users should upgrade to the latest patched version in their release line:
npm install [email protected] // for 15.0.x
npm install [email protected] // for 15.1.x
npm install [email protected] // for 15.2.x
npm install [email protected] // for 15.3.x
npm install [email protected] // for 15.4.x
npm install [email protected] // for 15.5.x
npm install [email protected] // for 16.0.x
If you are on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release:
npm install next@14
React Router
If you are using React Router's unstable RSC APIs, you should upgrade the following package.json dependencies if they exist:
npm install react@latest
npm install react-dom@latest
npm install react-server-dom-parcel@latest
npm install react-server-dom-webpack@latest
npm install @vitejs/plugin-rsc@latest
Expo
Upgrade to the latest react-server-dom-webpack:
npm install react@latest react-dom@latest react-server-dom-webpack@latest
Redwood SDK
Ensure you are on rwsdk>=1.0.0-alpha.0
For the latest beta version:
npm install rwsdk@latest
Upgrade to the latest react-server-dom-webpack:
npm install react@latest react-dom@latest react-server-dom-webpack@latest
Waku
Upgrade to the latest react-server-dom-webpack:
npm install react@latest react-dom@latest react-server-dom-webpack@latest
@vitejs/plugin-rsc
Upgrade to the latest RSC plugin:
npm install react@latest react-dom@latest @vitejs/plugin-rsc@latest
react-server-dom-parcel
Update to the latest version:
npm install react@latest react-dom@latest react-server-dom-parcel@latest
react-server-dom-turbopack
Update to the latest version:
npm install react@latest react-dom@latest react-server-dom-turbopack@latest
react-server-dom-webpack
Update to the latest version:
npm install react@latest react-dom@latest react-server-dom-webpack@latest
2. WAF Blocking (Temporary)
If you are unable to redeploy:
- Cloudflare: Enable Managed Ruleset 33aa8a8a948b48b28d40450c5fb92fba and Free Ruleset 2b5d06e34a814a889bee9a0699702280.
- General WAF: Inspect POST requests with RSC headers. Look for deeply nested objects or unexpected function calls in the body. Note that regex blocking is prone to bypasses for this type of vulnerability.
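The "General WAF" advice above, as an added example that is not from any vendor's ruleset: a structural check a reverse proxy or Express-style middleware could run on POST requests carrying RSC headers. It assumes RSC requests are identified by an `rsc` or `next-action` header (lower-cased as Node exposes them), that the body is JSON text, and that the nesting limit is a tuning value chosen here, not a figure from the advisories.

```javascript
// Added example, not from any vendor's ruleset: a structural check a reverse
// proxy or Express-style middleware could apply to POST requests carrying RSC
// headers, as the "General WAF" advice above suggests. Assumptions: RSC
// requests carry an `rsc` or `next-action` header (lower-cased as Node exposes
// them), the body is JSON text, and MAX_DEPTH is a tuning value, not a figure
// from the advisories.
const MAX_DEPTH = 20;

function isRscRequest(headers) {
  return "rsc" in headers || "next-action" in headers;
}

// Maximum nesting depth of a parsed JSON value (scalars are depth 0).
function nestingDepth(value) {
  if (value === null || typeof value !== "object") return 0;
  let deepest = 0;
  for (const child of Object.values(value)) {
    deepest = Math.max(deepest, nestingDepth(child));
  }
  return deepest + 1;
}

// Decide what to do with one request. Returns { action, reason } where action
// is "allow", "log" or "block".
function inspectRequest(method, headers, rawBody) {
  if (method !== "POST" || !isRscRequest(headers)) {
    return { action: "allow", reason: "not an RSC POST" };
  }
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch {
    // Multipart or other non-JSON bodies need their own parser; record them
    // rather than silently trusting them.
    return { action: "log", reason: "RSC POST with non-JSON body" };
  }
  const depth = nestingDepth(body);
  if (depth > MAX_DEPTH) {
    return { action: "block", reason: `nesting depth ${depth} exceeds ${MAX_DEPTH}` };
  }
  return { action: "allow", reason: `nesting depth ${depth} within limit` };
}
```

Like the regex rules, this is a heuristic stopgap that can be routed around, so it buys time for the redeploy rather than replacing the patch.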
Timeline
A breakdown of how the disclosure and response unfolded over the last few days.
- Vulnerability discovered and reported to Meta (React Team) by security researcher Lachlan Davidson.
- Meta confirmed the vulnerability and began developing a fix.
- Private coordination with framework maintainers (Vercel/Next.js). Vercel applied platform-level mitigations to their Edge infrastructure.
- Cloudflare deployed the "Emergency WAF" Managed Ruleset 33aa8a8a948b48b28d40450c5fb92fba and Free Ruleset 2b5d06e34a814a889bee9a0699702280 to enterprise customers.
- Public disclosure. React 19.0.1 and patched Next.js versions (14.x, 15.x, 16.x) released.