Critical vulnerability in React library should be treated by IT as it treated Log4j - as an emergency, warns one expert.
Developers using the React 19 library for building application interfaces are urged to immediately upgrade to the latest version because of a critical vulnerability that can be easily exploited by an attacker to remotely run their own code.
Researchers at Wiz said Wednesday that a vulnerability in the React Server Components (RSC) Flight protocol affects the React 19 ecosystem, as well as frameworks that implement it. In particular, that means Next.js, a popular full-stack development framework built on top of React, which received a separate CVE.
The RSC Flight protocol powers communication between the client and server for React Server Components, sending serialized component trees over the wire from the server to the client.
“The vulnerability exists in the default configuration of affected applications, meaning standard deployments are immediately at risk,” says the warning. “Due to the high severity and the ease of exploitation, immediate patching is required.”
“Our exploitation tests show that a standard Next.js application created via create-next-app and built for production is vulnerable without any specific code modifications by the developer,” Wiz also warns.
The problem in React’s server package, designated CVE-2025-55182, is a logical deserialization vulnerability that lets the server process RSC payloads in an unsafe way. When a server receives a specially crafted, malformed payload, say Wiz researchers, it fails to validate the structure correctly. This allows attacker-controlled data to influence server-side execution logic, resulting in the execution of privileged JavaScript code.
“In simple terms,” Wiz said in response to questions, “the server takes input from a user, trusts it too much, and processes it into code-like objects which attackers can exploit to run commands or leak sensitive information.”
Affected are React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. The fix is to upgrade to the latest version of React.
While the vulnerability affects all development frameworks using vulnerable versions of React, the problem in Next.js is specifically identified as CVE-2025-66478.
Affected are Next.js 15.x and 16.x using the App Router. Again, the fix is to upgrade to the latest version of Next.js.
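For teams that need to find vulnerable copies quickly, the following inventory check is an added example written for this article; it is not code from Wiz, the React project, or Next.js. It walks a package-lock.json "packages" map (lockfile v2/v3 layout, including nested copies under other packages' node_modules) and flags exactly the versions the article names: React 19.0.0, 19.1.0, 19.1.1 and 19.2.0 for CVE-2025-55182, and Next.js 15.x and 16.x for CVE-2025-66478. Assumptions: React releases are checked through the "react" and "react-dom" npm packages (the article speaks of "React versions" without naming packages), and the sample lockfile embedded below is constructed for the demo. Whether a Next.js app actually uses the App Router cannot be read from a version number, so that finding asks for confirmation rather than claiming it.

```javascript
// Added example (not from the article, Wiz, React or Next.js): flag the React
// and Next.js versions the article lists as affected in an npm lockfile.

// Versions the article names as affected by CVE-2025-55182. Nothing outside
// this list is claimed here; the article only says "upgrade to the latest".
const AFFECTED_REACT_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
// Next.js 15.x and 16.x using the App Router (CVE-2025-66478).
const AFFECTED_NEXT_MAJORS = new Set([15, 16]);
// Assumption: React releases are identified via these npm package names.
const REACT_PACKAGE_NAMES = new Set(["react", "react-dom"]);

// Parse "19.2.0", "^19.1.1" or "19.0.0-rc.1" into its numeric core.
// Prerelease/build suffixes are dropped on purpose: a triage scan should err
// toward flagging a pre-release of an affected version, not silently skip it.
function parseVersion(v) {
  const m = /^[\^~=v\s]*(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], core: `${m[1]}.${m[2]}.${m[3]}` };
}

// Package name from a lockfile path such as "node_modules/@scope/pkg" or
// "node_modules/some-tool/node_modules/react" (nested copy).
function packageNameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Walk the "packages" map of a lockfile v2/v3 object; return one finding per
// installed copy that matches the article's affected versions.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = packageNameFromPath(path);
    const ver = parseVersion(entry.version || "");
    if (!ver) continue;
    if (REACT_PACKAGE_NAMES.has(name) && AFFECTED_REACT_VERSIONS.has(ver.core)) {
      findings.push({ path, name, version: entry.version, cve: "CVE-2025-55182",
        action: "upgrade React to the latest release" });
    } else if (name === "next" && AFFECTED_NEXT_MAJORS.has(ver.major)) {
      findings.push({ path, name, version: entry.version, cve: "CVE-2025-66478",
        action: "upgrade Next.js to the latest release; confirm whether the app uses the App Router" });
    }
  }
  return findings;
}

// Constructed sample lockfile for the demo: a Next.js 16 app on React 19.2.0,
// plus an unrelated package and a nested React 18 copy that must not be flagged.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { next: "16.0.0", react: "19.2.0", "react-dom": "19.2.0" } },
    "node_modules/next": { version: "16.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-dom": { version: "19.2.0" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/some-tool/node_modules/react": { version: "18.3.1" },
  },
};

// Run as: node check-react-lock.js [path/to/package-lock.json]
// Without an argument the constructed sample above is scanned.
if (typeof require !== "undefined" && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  const findings = scanLockfile(lock);
  for (const f of findings) {
    console.log(`${f.cve}: ${f.name}@${f.version} at ${f.path} -> ${f.action}`);
  }
  console.log(`${findings.length} affected package copies found`);
}
```

Run it against each application's lockfile rather than only the root package.json: the nested-copy case in the sample is the one that a top-level dependency listing misses, and a second React installed under another package is still a React the server can load.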