A critical vulnerability in React Server Components ( CVE-2025-55182 ) has been responsibly disclosed. It affects React 19 and frameworks that use it, including Next.js ( CVE-2025-66478 ). The issue is rated CVSS 10.0 and can allow remote code execution when processing attacker-controlled requests in unpatched environments. If you are using Next.js, every version between Next.js 15 and 16 is affected, and Vercel recommend immediately updating to the latest Next.js versions co