• SAP Cloud
• Articles

React and Next.js Vulnerabilities Enable Remote Code Execution

Key Takeaways

• A critical vulnerability (CVE-2025-55182) affecting React Server Components, scored CVSSv3 10.0, allows Remote Code Execution due to an insecure deserialization logic error in the ReactFlight protocol.

• Affected versions of React components include 19.0, 19.1.0, 19.1.1, and 19.2.0, with Next.js users urged to upgrade to specific safe versions (15.0.5 or later).

• Immediate patching is recommended as no proof-of-concept exploit exists; other frameworks relying on React Server Components may also be impacted.

A critical vulnerability affecting React Server Components has been announced, allowing Remote Code Execution via insecure deserialization in affected versions, urging users to update their software immediately.

Layout Last Email

First Name *

Last Name *

Email *

Phone

Company Name *

Job Title *

City

Country *United States of AmericaAfghanistanAlbaniaAlgeriaAmerican SamoaAndorraAngolaAnguillaAntarcticaAntigua and BarbudaArgentinaArmeniaArubaAustraliaAustriaAzerbaijanBahamasBahrainBangladeshBarbadosBelarusBelgiumBelizeBeninBermudaBhutanBolivia (Plurinational State of)Bonaire, Saint Eustatius and SabaBosnia and HerzegovinaBotswanaBouvet IslandBrazilBritish Indian Ocean TerritoryBrunei DarussalamBulgariaBurkina FasoBurundiCabo VerdeCambodiaCameroonCanadaCayman IslandsCentral African RepublicChadChileChinaChristmas IslandCocos (Keeling) IslandsColombiaComorosCongoCongo (Democratic Republic of the)Cook IslandsCosta RicaCroatiaCubaCuraçaoCyprusCzech RepublicCôte d'IvoireDenmarkDjiboutiDominicaDominican RepublicEcuadorEgyptEl SalvadorEquatorial GuineaEritreaEstoniaEswatini (Kingdom of)EthiopiaFalkland Islands (Malvinas)Faroe IslandsFijiFinlandFranceFrench GuianaFrench PolynesiaFrench Southern TerritoriesGabonGambiaGeorgiaGermanyGhanaGibraltarGreeceGreenlandGrenadaGuadeloupeGuamGuatemalaGuernseyGuineaGuinea-BissauGuyanaHaitiHeard Island and McDonald IslandsHondurasHong KongHungaryIcelandIndiaIndonesiaIran (Islamic Republic of)IraqIreland (Republic of)Isle of ManIsraelItalyJamaicaJapanJerseyJordanKazakhstanKenyaKiribatiKorea (Democratic People's Republic of)Korea (Republic of)KosovoKuwaitKyrgyzstanLao People's Democratic RepublicLatviaLebanonLesothoLiberiaLibyaLiechtensteinLithuaniaLuxembourgMacaoMadagascarMalawiMalaysiaMaldivesMaliMaltaMarshall IslandsMartiniqueMauritaniaMauritiusMayotteMexicoMicronesia (Federated States of)Moldova (Republic of)MonacoMongoliaMontenegroMontserratMoroccoMozambiqueMyanmarNamibiaNauruNepalNetherlandsNew CaledoniaNew ZealandNicaraguaNigerNigeriaNiueNorfolk IslandNorth Macedonia (Republic of)Northern Mariana IslandsNorwayOmanPakistanPalauPalestine (State of)PanamaPapua New GuineaParaguayPeruPhilippinesPitcairnPolandPortugalPuerto RicoQatarRomaniaRussian FederationRwandaRéunionSaint BarthélemySaint Helena, Ascension and Tristan da CunhaSaint Kitts and NevisSaint LuciaSaint Martin (French part)Saint Pierre and MiquelonSaint Vincent and the GrenadinesSamoaSan MarinoSao Tome and PrincipeSaudi ArabiaSenegalSerbiaSeychellesSierra LeoneSingaporeSint Maarten (Dutch part)SlovakiaSloveniaSolomon IslandsSomaliaSouth AfricaSouth Georgia and the South Sandwich IslandsSouth SudanSpainSri LankaSudanSurinameSvalbard and Jan MayenSwedenSwitzerlandSyrian Arab RepublicTaiwan, Republic of ChinaTajikistanTanzania (United Republic of)ThailandTimor-LesteTogoTokelauTongaTrinidad and TobagoTunisiaTurkmenistanTurks and Caicos IslandsTuvaluTürkiyeUgandaUkraineUnited Arab EmiratesUnited Kingdom of Great Britain and Northern IrelandUnited States Minor Outlying IslandsUruguayUzbekistanVanuatuVatican City StateVenezuela (Bolivarian Republic of)VietnamVirgin Islands (British)Virgin Islands (U.S.)Wallis and FutunaWestern SaharaYemenZambiaZimbabweÅland Islands

Opt In *

• I agree to register as an SAPinsider member and receive other communications from SAPinsider or our Partners.
  
  By enrolling in the SAPinsider Membership community you receive access to member only content that is provided courtesy of SAPinsider and our Partners. You will only be asked to enroll once but can change your profile at any time by going to your profile and clicking to edit your profile. If you would prefer to review content provided by SAPinsider and SAPinsider Partners and not be contacted by those Partners please do not check the box submitting your willingness to be contacted.
  
  You may unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy.
  
  By clicking submit, you consent to allow SAPinsider to store and process the personal information submitted above to provide you the content requested.

Submit

A critical vulnerability was announced today affecting React Server Components (RSC), which affects React (CVE-2025-55182) and all frameworks using RSC, notably Next.js (CVE-2025-66478).

Both vulnerabilities were given a CVSSv3 10.0 score, marking them as highly critical.

The source of these vulnerabilities was found in RSC’s ReactFlight protocol – a protocol used by React 19 to serialize and deserialize data between the server and the client. An insecure deserialization logic error was found, which allows specially-crafted HTTP requests to trigger Remote Code Execution on the receiving server.

Explore related questions

Ask SAPi

what is this?

Vulnerable React components include versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-parcel, react-server-dom-webpack, and react-server-dom-turbopack

These vulnerable components are included in Next.js using App Router with versions ≥14.3.0-canary.77, ≥15 and ≥16.

Other frameworks utilizing the above mentioned React components or depend on RSC may also be vulnerable.

A proof-of-concept exploit for these vulnerabilities is not available as of writing this, but due to the high severity and impact of these vulnerabilities, it is recommended to patch immediately.

• Users of React are urged to update to versions 19.0.1, 19.1.2, or 19.2.1.
• Next.js users should upgrade to versions 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7.

How can Orca help?

The Orca Cloud Security Platform continuously scans for vulnerabilities in your cloud environments, including AWS, Azure, Google, Kubernetes, and others. When Orca finds a vulnerability, it will immediately create an alert and assign a risk score by considering the full contextual picture of the risk and the surrounding cloud environment so teams know which vulnerabilities need to be patched first.

The Orca Platform displays trending vulnerabilities in the “From the News” widget of the Orca dashboard. Users can see if their environment is vulnerable to the vulnerabilities and how to remediate them.

The “From the News” widget in the Orca Platform

Tohar Braun

Published: Dec 03, 2025

• 
  • SAP Analytics and AI
  • Premium

  SAP Advances Enterprise AI with Table-Native Models and Expanded Business AI

  Reading time: 2 mins

• 
  • SAP AI
  • Premium

  Deloitte Unveils INTEGRATE to Speed and Scale Digital Transformation with SAP Cloud ERP

  Reading time: 2 mins

• 
  • SAP S/4HANA

  Three Waves to a Centralized ERP: VOITH’s Phased SAP Cloud ERP Private Migration 

  Reading time: 4 mins

• 
  • SAP Cloud

  Ahlstrom Goes Live with SAP S/4HANA Cloud ERP Public in Just Four Weeks

  Reading time: 3 mins