CVE-2025-66478
Critical React Server Components flaw (React2shell) allows unauthenticated remote code execution; Next.js also affected
A critical deserialization flaw in React Server Components, tracked as CVE-2025-55182 and nicknamed React2shell, can allow unauthenticated remote code execution; related Next.js App Router releases are covered by CVE-2025-66478. Patches are available, and both vendors and security firms advise applying the fixes and using WAFs or access restrictions.

