A maximum-severity security flaw has been disclosed in React Server Components (RSC) that, if successfully exploited, could result in remote code execution.
The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0.
It allows „unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints,“ the React Team said in
https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html