ACTION REQUIRED: Review New vulnerability - React Server Components

Felipe2 · December 15, 2025, 6:01pm

IT Security.

A maximum severity vulnerability, dubbed ‘React2Shell’, in the React Server Components (RSC) ‘Flight’ protocol allows remote code execution without authentication in React and Next[.]js applications. The security issue stems from insecure deserialization. It received a severity score of 10/10 and has been assigned the identifiers CVE-2025-55182 for React and CVE-2025-66478 for Next[.]js.

What steps are being taken to mitigate these security vulnerabilities? Are you able to confirm these CVEs are being addressed in your environment?

gianni.zoom · December 17, 2025, 8:14pm

Hi @Felipe2 , I will raise this internally and take a look right now.

gianni.zoom · December 17, 2025, 8:32pm

Opened an inquiry with high priority (ZSEE-189560) and waiting to hear back. Will also have updated comms here: Zoom Security Bulletins | Zoom

Thanks so much!

gianni.zoom · December 19, 2025, 3:30pm

Hi @Felipe2 ,

Confirmed across the security teams for Zoom services that we are not impacted by these CVEs. Our web-based services mostly use Vue, but those that contain some React are unaffected. Thank you!

Topic		Replies	Views
React js 18 and zoomus websdk problem Meeting SDK	3	249	May 10, 2024
Trying to implement Zoom SDK in React 18, getting: Uncaught ReferenceError: process is not defined Web	4	1051	February 6, 2024
Does zoom websdk support nextjs 14 and react 18? Web	2	313	February 28, 2024
Bug - Clicking the Participants icon triggers Crash Web	19	2553	April 29, 2022
I try to implement zoomWebSdk in Reactjs and vite Web webhooks , video-sdk	1	365	December 19, 2023

ACTION REQUIRED: Review New vulnerability - React Server Components

Related topics