Advanced

Breaking! React & Next.js Hit by CVSS 10.0 Bug

Every so often, a vulnerability drops that cuts through the noise — not because of the hype, but because it touches a large part of the modern web stack. CVE-2025-55182 is one of those.

This is an emerging, critical-severity issue in the React Server Components (RSC) ecosystem. Teams worldwide are rushing to understand what it means for them, what is at risk, and how fast they need to move.

The bottom line: This bug lets an attacker send a specially crafted payload to a vulnerable server and get it to execute arbitrary code — without any authentication or prior access. If the server is exposed and running a vulnerable version, it is open to remote exploitation.

React Server Components (RSC) extend React's rendering model to the server. Server Components run exclusively on the server and stream their output to the client through an internal protocol called Flight.

Sign in to read this course

A free account unlocks all 514 courses. 20 are readable without one.

What's inside

2 sections
  1. 1 Table of Contents
  2. 2 Module 1: Remote Code Execution in React Server Components — CVE-2025-55182

More Vulnerability Briefings courses

View all 30

Interested in this course?

Contact us to book it or get a custom training plan for your team.