Critical Vulnerabilities in React and Next.js: everything you need to know
ID: ce91e16a-1dd4-5dc3-8aaa-ecc060ca51bf
STIX ID: report--ce91e16a-1dd4-5dc3-8aaa-ecc060ca51bf
Feed Name: Wiz Blog
**CVE-2025-55182 (React)** and **CVE-2025-66478 (Next.js)** are critical unauthenticated remote code execution (RCE) vulnerabilities in the React Server Components (RSC) "Flight" protocol, exploitable via insecure deserialization of RSC payloads. Default Next.js applications are vulnerable, and exploitation requires only a crafted HTTP request. Patched React and Next.js releases are available and immediate patching is strongly recommended, as Wiz reports that approximately 39% of cloud environments contain vulnerable instances.
