Picus Security Details Critical RCE Vulnerabilities in React.js Ecosystem
Picus Security has published an analysis of two critical remote code execution vulnerabilities, CVE-2025-55182 and CVE-2025-66478, affecting the React Server Components (RSC) ecosystem.

Cybersecurity firm Picus Security has detailed two critical vulnerabilities, CVE-2025-55182 and CVE-2025-66478, impacting the React Server Components (RSC) ecosystem. These vulnerabilities, both carrying a CVSS score of 10.0 (Critical), allow for remote code execution (RCE) by exploiting a flaw in data deserialization.
The affected RSC ecosystem includes core React packages and frameworks such as React 19, react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack, and Next.js. The vulnerabilities lie in the Flight protocol that RSC uses to transport data: when a client sends a Flight payload to the server, the way React decodes (deserializes) that payload can be abused.
According to Picus Security's analysis, an attacker can craft malicious input within the payload, leading to prototype pollution on the server. This allows attackers to control execution paths and achieve unauthenticated remote code execution. The exploit requires sending a specially crafted HTTP request to a Server Function endpoint. Crucially, due to default configurations, the vulnerability affects applications even without explicitly defined Server Function endpoints.
CVE-2025-55182 impacts key React components (versions 19.0, 19.1.0, 19.1.1, and 19.2.0), while CVE-2025-66478 affects specific versions of Next.js (15.x, 16.x, and canary releases 14.3.0-canary.77 and later). Organizations running these versions are strongly advised to apply the released patches without delay.
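As an added example (not code from Picus Security or the React project), here is a Python check that reads an npm package-lock.json and flags the package versions this article lists as affected by the two CVEs. It assumes the lockfile v2/v3 layout (a "packages" map keyed by node_modules paths), interprets the article's "19.0" as 19.0.0, checks the four React package names the article mentions, and treats every 15.x and 16.x Next.js release as in scope because the article does not state the patched versions; the sample lockfile at the bottom is constructed for the demonstration.

```python
"""Scan an npm package-lock.json for the React / Next.js versions listed as
affected by CVE-2025-55182 and CVE-2025-66478 (affected lists taken from the
Picus Security write-up; package-lock handling assumes lockfileVersion 2 or 3)."""
import json
import re
from typing import Optional

# Strict-enough semver: major.minor.patch, optional -prerelease, optional +build.
SEMVER_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)

# Package names the article places in the affected RSC ecosystem (assumption:
# all four are checked against the same version list).
REACT_PACKAGES = {
    "react",
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}
# Article lists 19.0, 19.1.0, 19.1.1 and 19.2.0; "19.0" is read here as 19.0.0.
REACT_AFFECTED = {(19, 0, 0), (19, 1, 0), (19, 1, 1), (19, 2, 0)}


def parse_semver(version: str) -> Optional[tuple]:
    """Return (major, minor, patch, prerelease_tuple) or None if unparseable.
    Numeric prerelease identifiers become ints so 'canary.77' sorts numerically."""
    m = SEMVER_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    prerelease = tuple(int(p) if p.isdigit() else p for p in pre.split(".")) if pre else ()
    return (int(major), int(minor), int(patch), prerelease)


def react_affected(version: str) -> Optional[str]:
    """CVE-2025-55182: exact stable releases named in the article."""
    v = parse_semver(version)
    if v is None:
        return None
    major, minor, patch, prerelease = v
    if prerelease == () and (major, minor, patch) in REACT_AFFECTED:
        return "CVE-2025-55182"
    return None


def nextjs_affected(version: str) -> Optional[str]:
    """CVE-2025-66478: any 15.x or 16.x, or 14.3.0-canary.N with N >= 77."""
    v = parse_semver(version)
    if v is None:
        return None
    major, minor, patch, prerelease = v
    if major in (15, 16):
        return "CVE-2025-66478"
    is_canary = (
        (major, minor, patch) == (14, 3, 0)
        and len(prerelease) >= 2
        and prerelease[0] == "canary"
        and isinstance(prerelease[1], int)
        and prerelease[1] >= 77
    )
    return "CVE-2025-66478" if is_canary else None


def scan_lockfile(lock: dict) -> list:
    """Walk every installed package (including nested node_modules copies)
    and return (name, version, cve) for each match, in lockfile order."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        cve = None
        if name in REACT_PACKAGES:
            cve = react_affected(version)
        elif name == "next":
            cve = nextjs_affected(version)
        if cve:
            findings.append((name, version, cve))
    return findings


def scan_lockfile_path(path: str) -> list:
    with open(path, encoding="utf-8") as fh:
        return scan_lockfile(json.load(fh))


# Constructed sample lockfile: one affected Next.js, two affected React packages,
# a react-dom entry the article does not list, and a nested React 18 copy.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/next": {"version": "15.4.2"},
        "node_modules/react": {"version": "19.1.1"},
        "node_modules/react-dom": {"version": "19.1.1"},
        "node_modules/react-server-dom-webpack": {"version": "19.1.1"},
        "node_modules/some-lib/node_modules/react": {"version": "18.3.1"},
    },
}

if __name__ == "__main__":
    for name, version, cve in scan_lockfile(SAMPLE_LOCK):
        print(f"{cve}: {name}@{version}")
```

Point `scan_lockfile_path` at a real project's package-lock.json to get the same tuple list; nested copies under a dependency's own node_modules are checked too, which is where an older react-server-dom-* bundle is easy to miss.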