A critical vulnerability has been found in React Server Components.
It received a severity score of 10/10 and has been assigned the identifiers CVE-2025-55182 for React and CVE-2025-66478 (CVE rejected in the National Vulnerability Database) for Next.js.
React Server Components (RSC) let you render components ahead of time on the server or at build-time, reducing client bundle size and improving performance. They can fetch data directly, support async/await in rendering, and combine seamlessly with Client Components for interactivity.
React Server Components (RSCs) are still in early adoption and don’t yet have reliable global usage percentages across server projects. They are mainly being adopted through frameworks like Next.js. By contrast, React itself is widely used worldwide: as of December 2025, React powers about 6.2% of all websites (representing a 7.7% market share among JavaScript libraries), with estimates suggesting over 11 million websites globally use React.
Source: Critical React, Next.js flaw lets hackers execute code on servers (bleepingcomputer.com)
Here's the PoC code:
GitHub - ejpir/CVE-2025-55182-research: CVE-2025-55182 POC