If you are running a modern web application stack in December 2025, drop what you are doing and check your dependencies immediately.
A critical security vulnerability with a maximum severity score of CVSS 10.0 has been discovered in React Server Components (RSC), heavily impacting frameworks like Next.js.
This is a “Log4j moment” for the JavaScript ecosystem.
The Vulnerability Explained (Briefly)
The vulnerability, tracked as CVE-2025-55182 (and CVE-2025-66478 for Next.js downstream), allows for Unauthenticated Remote Code Execution (RCE).
It stems from unsafe deserialization in the “Flight” protocol used by React Server Components to communicate between the server and client. An attacker can send a specially crafted HTTP request to your Next.js or React server endpoint and execute arbitrary code—without needing to log in or authenticate.
Are You Affected?
If you are using React Server Components, you are likely vulnerable. This primarily affects users of the App Router in Next.js.
You are affected if you are using:
- Next.js: Versions 15.x, 16.x, or Next.js 14.3.0-canary.77 and later.
- React Server DOM packages: Versions 19.0.0 through 19.2.0 of react-server-dom-webpack, react-server-dom-turbopack, or react-server-dom-parcel.
(Note: If you are exclusively using the older Pages Router in Next.js, you are likely safe, but you should verify your dependencies regardless).
The Action Plan: Steps to Patch Immediately
Security researchers are warning that exploitation in the wild is imminent. Do not wait until Monday.
1. For Next.js Users (Most Common)
Vercel has released patched versions of Next.js. You need to upgrade your project immediately.
Run one of the following commands in your terminal depending on your package manager:
```bash
# Using npm
npm install next@latest react@latest react-dom@latest
# Using yarn
yarn upgrade next react react-dom --latest
# Using pnpm
pnpm update next react react-dom --latest
```
Ensure your package.json reflects the patched versions:
- Next.js should be 15.1.9+, 16.0.7+, or the latest stable version.
2. For Raw React Server Component Users
If you are using React Server Components without Next.js (e.g., custom implementations or other bundlers), you must update the core packages.
Update the following packages to 19.0.1, 19.1.2, or 19.2.1 (or later), whichever matches the release line you are on:
- react-server-dom-webpack
- react-server-dom-turbopack
- react-server-dom-parcel
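As an added example that is not from this advisory or from the Next.js/React projects, the following Node script checks lockfile entries against the affected ranges and first patched versions quoted in sections 1 and 2 above. It assumes the package-lock.json v2/v3 layout (a "packages" map keyed by node_modules path) and substitutes a constructed map for a real lockfile.

```javascript
// Added example, not part of the advisory: flags lockfile entries whose version falls
// inside the affected ranges quoted above. PACKAGES is a constructed package-lock.json
// (v2/v3) "packages" map; on a real repo, load it with JSON.parse(fs.readFileSync(...)).
const PACKAGES = {
  "node_modules/next": { version: "15.1.8" },
  "node_modules/react-server-dom-webpack": { version: "19.1.1" },
  "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
  "node_modules/react": { version: "19.2.0" },
};
const RSC_PACKAGES = new Set(["react-server-dom-webpack", "react-server-dom-turbopack", "react-server-dom-parcel"]);
// First patched release of each affected line, as stated in this advisory.
const NEXT_FIXED = { 15: "15.1.9", 16: "16.0.7" };
const RSC_FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}
// Semver-style ordering: compare the triple, then a prerelease precedes its release.
function lessThan(a, b) {
  if (a.major !== b.major) return a.major < b.major;
  if (a.minor !== b.minor) return a.minor < b.minor;
  if (a.patch !== b.patch) return a.patch < b.patch;
  return Boolean(a.pre) && !b.pre;
}
function isAffected(name, version) {
  const v = parseVersion(version);
  if (!v) return false; // unparseable (git URL, workspace link): review by hand
  if (name === "next") {
    // 14.3.0-canary.77 and later canaries are affected; no patched canary is listed.
    if (v.major === 14 && v.minor === 3 && v.patch === 0 && v.pre) {
      const n = /^canary\.(\d+)$/.exec(v.pre);
      return n !== null && +n[1] >= 77;
    }
    const fixed = NEXT_FIXED[v.major];
    return fixed !== undefined && lessThan(v, parseVersion(fixed));
  }
  if (RSC_PACKAGES.has(name)) {
    const fixed = RSC_FIXED[`${v.major}.${v.minor}`];
    return fixed !== undefined && lessThan(v, parseVersion(fixed));
  }
  return false;
}
// Returns "name@version" for every affected entry, nested copies included.
function findAffected(packages) {
  return Object.entries(packages)
    .map(([path, meta]) => [path.split("node_modules/").pop(), meta.version])
    .filter(([name, version]) => isAffected(name, version))
    .map(([name, version]) => `${name}@${version}`);
}
```

On the constructed map, findAffected(PACKAGES) returns ['next@15.1.8', 'react-server-dom-webpack@19.1.1']; anything it returns on your real lockfile is a package this advisory says to upgrade before redeploying.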
3. Verify and Redeploy
After updating your package.json and lock files:
- Run a clean install (npm ci or equivalent).
- Run your test suite.
- Redeploy your application immediately to production. Merging the PR is not enough; the running server code must be replaced.
Temporary Mitigation
If you absolutely cannot deploy a patch right now, check with your Cloud/WAF provider (e.g., AWS WAF, Cloudflare, Vercel). Many have already rolled out managed rules to block the specific HTTP payloads associated with this attack.
However, this is not a fix. Patching the code is mandatory.