IT Security.
A maximum severity vulnerability, dubbed ‘React2Shell’, in the React Server Components (RSC) ‘Flight’ protocol allows remote code execution without authentication in React and Next[.]js applications. The security issue stems from insecure deserialization. It received a severity score of 10/10 and has been assigned the identifiers CVE-2025-55182 for React and CVE-2025-66478 for Next[.]js.
What steps are being taken to mitigate these security vulnerabilities? Are you able to confirm these CVEs are being addressed in your environment?