Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution


These articles are AI-generated summaries. Please check the original sources for full details.


A maximum-severity vulnerability in React Server Components (RSC) allows unauthenticated remote code execution through unsafe deserialization of RSC payloads. The flaw, tracked as CVE-2025-55182 (CVSS 10.0), affects React 19.0 through 19.2.0 and Next.js App Router versions ≥14.3.0.

Why This Matters

The vulnerability stems from unsafe deserialization of RSC payloads: an unauthenticated attacker can send a crafted payload that causes the server to execute arbitrary JavaScript. Wiz reports that 39% of cloud environments contain exposed instances, and that full server compromise is possible even for apps that never define a Server Function endpoint, because the vulnerable payload processing belongs to the framework rather than to app-defined routes. Patching is the only reliable mitigation and should be treated as urgent.

Key Insights

  • Logical deserialization flaws in RSC payload processing enable RCE without authentication (per Wiz's analysis).
  • The Next.js App Router exposure is tracked separately as CVE-2025-66478 (CVSS 10.0).

Practical Applications

  • Use case: a Next.js App Router app running an unpatched RSC version is exposed to RCE; upgrade React and Next.js to the patched releases.
  • Pitfall: assuming an app is safe because it defines no Server Function endpoints ignores that the vulnerable RSC payload processing still runs for any request the framework routes to it.
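
As an added example (not code from the article, from Wiz, or from the React/Next.js projects), the following Node script scans an npm package-lock.json for installed react-server-dom-* and next versions and reports which fall in the affected ranges described above, including copies nested under node_modules/next. The affected-version list for React and the first-patched-release table for Next.js are assumptions taken from the upstream advisories; confirm them against the advisories before acting on the output. The file name rsc-check.js and the sample lockfile are constructed for illustration.

```javascript
"use strict";

// Server-side packages that contain the RSC (Flight) payload decoder.
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Affected releases for CVE-2025-55182 as listed in the React advisory (assumed
// here; confirm there). An exact list is used instead of a "19.0 to 19.2.0"
// range test because the patched releases 19.0.1, 19.1.2 and 19.2.1 fall inside
// that range and must not be flagged.
const AFFECTED_RSC = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);

// First patched patch release per Next.js minor line for CVE-2025-66478, as
// listed in the Next.js advisory (assumed here; confirm before relying on it).
const NEXT_FIXED = { "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6, "15.4": 8, "15.5": 7, "16.0": 7 };

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; returns null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// Status of an installed react-server-dom-* version.
function rscStatus(version) {
  if (AFFECTED_RSC.has(version)) return "affected";
  const p = parseVersion(version);
  if (!p) return "unknown";
  if (p.major < 19) return "not-affected";
  // 19.x prereleases (the canaries Next.js vendors) must be compared by hand
  // against the advisory; 19.x releases outside the list, and later majors,
  // were cut after the fix.
  return p.major === 19 && p.pre ? "check-advisory" : "patched";
}

// Status of an installed next version.
function nextStatus(version) {
  const p = parseVersion(version);
  if (!p) return "unknown";
  const line = `${p.major}.${p.minor}`;
  if (Object.hasOwn(NEXT_FIXED, line)) {
    const fixed = NEXT_FIXED[line];
    // A prerelease of the fixing patch (e.g. 15.5.7-canary.1) predates the fix.
    return p.patch < fixed || (p.patch === fixed && p.pre) ? "affected" : "patched";
  }
  // 14.3.0 only shipped as canary builds; the article's ">= 14.3.0" range covers them.
  if (p.major === 14 && p.minor >= 3) return "affected";
  if (p.major < 15) return "not-affected";
  // Minor lines newer than the table are assumed to have been cut after the fix.
  return "patched";
}

// Walk the "packages" map of an npm lockfile (lockfileVersion 2 or 3). Nested
// installs such as node_modules/next/node_modules/react-server-dom-webpack are
// included: a patched top-level copy does not protect a vulnerable nested one.
function scanLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const i = key.lastIndexOf("node_modules/");
    if (i < 0 || !entry.version) continue; // root entry and workspace links
    const name = key.slice(i + "node_modules/".length);
    let status = null;
    if (RSC_PACKAGES.has(name)) status = rscStatus(entry.version);
    else if (name === "next") status = nextStatus(entry.version);
    if (status) findings.push({ path: key, name, version: entry.version, status });
  }
  return findings;
}

// True when anything in the lockfile still needs patching.
function needsPatching(findings) {
  return findings.some((f) => f.status === "affected");
}

// Constructed sample: a patched top-level decoder next to a vulnerable copy
// nested under an unpatched next.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/next": { version: "15.5.6" },
    "node_modules/next/node_modules/react-server-dom-webpack": { version: "19.2.0" },
  },
};

// Read and scan a lockfile on disk. Usage: node rsc-check.js path/to/package-lock.json
function scanLockfilePath(file) {
  const fs = require("node:fs");
  return scanLockfile(JSON.parse(fs.readFileSync(file, "utf8")));
}

if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const findings = scanLockfilePath(process.argv[2]);
  for (const f of findings) console.log(`${f.status.padEnd(14)} ${f.name}@${f.version}  ${f.path}`);
  process.exitCode = needsPatching(findings) ? 1 : 0;
}
```

Run against the sample, the script flags next@15.5.6 and the nested react-server-dom-webpack@19.2.0 as affected while the top-level 19.2.1 shows as patched, which is exactly the case a top-level-only check misses. Canary builds of 19.x are reported as check-advisory rather than guessed, since Next.js vendors canary decoders and their affected range is only defined by the advisory text.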
