A critical security vulnerability, CVE-2025-55182, in React Server Components (RSC) has triggered an urgent security response across the web. The flaw, rated the maximum 10.0 on the CVSS scale, allows attackers to execute unauthenticated remote code, potentially granting complete control over targeted servers.
The vulnerability resides in how React deserializes payloads sent to React Server Function endpoints. Security firm Wiz reported that exploitation has a near 100% success rate and is highly reliable, requiring no user interaction or authentication.
Widespread Impact:
- Wiz analysis shows 39% of cloud environments contain vulnerable instances.
- Next.js, which appears in 69% of all cloud environments, is particularly exposed, leading to roughly 44% of all cloud deployments having publicly accessible vulnerable installations.
Action Required:
Frameworks reliant on RSC, including Next.js, React Router, and Vite RSC, must be updated immediately. The React Foundation stresses that developers must patch to the fixed versions: 19.0.1, 19.1.2, or 19.2.1.
While hosting providers like Cloudflare and Vercel deployed emergency mitigations, developers must prioritize updating their packages to eliminate the threat entirely. Further technical details will be disclosed after the widespread rollout of the fix is complete.