Key technical characteristics:

• CVSS 10.0, remote, unauthenticated RCE in React’s server components.
• Affects React 19.0, 19.1.0, 19.1.1, and 19.2.0, patched in 19.0.1, 19.1.2, and 19.2.1.
• Exploitable via specially crafted HTTP requests against React Server Function / RSC endpoints, including default configurations of popular frameworks.

CVE-2025-66478 tracks the downstream impact on Next.js: experimental canary builds starting with 14.3.0-canary.77, and 15.x and 16.x App Router releases below the patched versions, all inherit the same RCE issue through their use of React Server and Flight.

React powers millions of websites and sees over 55 million weekly downloads from npm, while Next.js counts more than 16 million weekly downloads. Analysis suggests roughly 39% of observed cloud environments contain vulnerable React or Next.js instances. 

From a risk standpoint, successful exploitation gives an attacker code execution on the application server handling page rendering and server functions. As your internal GTM guide already notes, this can enable theft of secrets such as API keys and database credentials, installation of backdoors, and potential pivoting deeper into backend services.

Quick actions — do these now

• Run the NodeZero Rapid Response test for React Server RCE
  For React2Shell, the Rapid Response test safely determines whether CVE-2025-55182 / CVE-2025-66478 are actually exploitable in your internal and external environments, so you can prioritize real risk over theoretical exposure.
• Patch React, Next.js, and related frameworks immediately
  • Upgrade React to a fixed release: 19.0.1, 19.1.2, or 19.2.1.
  • For Next.js App Router apps, upgrade to the patched versions published by Vercel, including 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7 (or newer).
  • Review any use of other RSC integrations such as Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodSDK, and Waku, and follow their specific guidance.
  • Your internal GTM doc also notes that additional fixes may still roll out across the ecosystem; track the React and Next.js advisories for updates.
• Re-run the Rapid Response test to validate remediation
  After applying patches or interim mitigations, re-run the React Server RCE Rapid Response test. NodeZero will confirm whether the attack paths that were previously exploitable have been eliminated, giving your team evidence that the risk is actually removed rather than assumed to be fixed.

Indicators of compromise 

Public reporting to date focuses on vulnerable versions, exploit mechanics, and patch guidance, not on concrete, vendor-supplied IoCs for this specific bug. 

However, because this is an unauthenticated RCE in a web server context, defenders can use generic RCE hunting patterns while waiting for more specific IoCs from React, Vercel, or their security vendors. Examples include:

• Unusual POST requests or spikes in traffic to RSC / Server Function endpoints that handle Flight payloads.
• Unexpected errors or logs related to deserialization or malformed RSC payloads on React / Next.js servers.
• Creation of unfamiliar temporary files or modules near your application code following suspicious requests.
• New outbound connections from app servers to untrusted IPs shortly after anomalous requests.
• Execution of common attacker recon commands or OS-level activity originating from the app server process.

These are generic behavioral indicators, not official IoCs supplied by React, Vercel, or Horizon3.ai. They should complement, not replace, vendor-specific signatures and WAF rules as they become available. es as they become available. 

Affected versions and patch

React

• Affected:
  
  • 19.0
  • 19.1.0
  • 19.1.1
  • 19.2.0
    
• Patched:
  
  • 19.0.1
  • 19.1.2
  • 19.2.1

The issue resides in how React decodes payloads sent to React Server Function endpoints in the RSC Flight protocol. Even applications that do not implement explicit server function endpoints may still be vulnerable if React Server Components are enabled.

Other frameworks and integrations

Wiz and other researchers have highlighted that additional frameworks implementing React Server and Flight may be vulnerable, including: React Router RSC, Vite RSC plugin, Parcel RSC plugin, RedwoodSDK, and Waku. Confirm guidance from each project’s advisory and upgrade to their recommended patched versions. 

Timeline 

• November 29, 2025 — Researcher Lachlan Davidson reports the vulnerability to React.
• December 3, 2025 — React publishes an advisory and patches for CVE-2025-55182, covering React 19.0, 19.1.0, 19.1.1, and 19.2.0, and fixing them in 19.0.1, 19.1.2, and 19.2.1.
• December 3–4, 2025 — SecurityWeek, Dark Reading, The Hacker News, and BleepingComputer publish analyses of React2Shell, confirming unauthenticated RCE, CVSS 10, and significant cloud-scale exposure.
• December 5, 2025 — NodeZero React Server RCE Rapid Response test becomes generally available to customers. 
• December 5, 2025 — CVE-2025-5582 assigned to CISA KEV.

References

🔗 React advisory for CVE-2025-55182 (React Server Components / Flight RCE)

🔗 SecurityWeek — “React2Shell: In-the-Wild Exploitation Expected for Critical React Vulnerability”

🔗 BleepingComputer — “Critical React, Next.js flaw lets hackers execute code on servers”

🔗 The Hacker News — “Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution”

🔗 Dark Reading — “Critical React Flaw Triggers Calls for Immediate Action”

NodeZero^® Platform

Implement a continuous find, fix, and verify loop with NodeZero

The NodeZero^® platform empowers your organization to reduce your security risks by autonomously finding exploitable weaknesses in your network, giving you detailed guidance around how to priortize and fix them, and having you immediately verify that your fixes are effective.

Explore NodeZero