Critical Security Advisory: Unauthenticated RCE in React & Next.js Ecosystem
This research post examines CVE-2025-55182 and CVE-2025-66478, two patched vulnerabilities in the React Server Components Flight protocol that could enable unauthenticated Remote Code Execution (RCE) in default Next.js, Waku, and RedwoodJS configurations. We break down how the Flight serialization process works, why traditional scanners struggled to detect these issues, which applications were actually exposed, and how teams can validate and prioritize updates without unnecessary alarm.
Ofek Haviv
December 3, 2025