It's Friday, are you starting to slack off and prepare for the weekend? Hold on: just yesterday (December 3, 2025), the React team and the Next.js team jointly disclosed a Critical-level security vulnerability. This is not an ordinary bug but a 'nuclear-level' vulnerability that allows unauthorized remote code execution (RCE). If your WebGIS project uses Next.js or React 19, please investigate promptly. This vulnerability is extremely dangerous and could also lead to data leakage.

Vulnerability Details
Vulnerability ID: CVE-2025-55182 (React) / CVE-2025-66478 (Next.js)
Affected Scope: As long as your project has React Server Components (RSC) enabled, even if you think you haven't written any backend logic, you could be affected.
Severity Level: CVSS 10.0 (maximum score) — This means attackers can execute arbitrary code on your Node.js server without logging in or performing complex operations, just by sending a carefully crafted HTTP request.
Affected Versions:
- React: 19.0.0 to 19.2.0
- Next.js: 15.x, 16.x, and versions after 14.3.0-canary.77
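
To start the investigation, here is a small Node.js check (an added example, not code from the React or Next.js projects) that flags `react` and `next` entries in a `package-lock.json` whose resolved version falls in the ranges listed above. The function names and the sample lockfile are constructed for illustration; this page does not list fixed releases, so treat a hit as "compare against the vendor advisory", not as a final verdict.

```javascript
// Added example: version ranges are the ones this page lists; sample lockfile is constructed.
function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  return m && { nums: [+m[1], +m[2], +m[3]], pre: m[4] || null };
}
// Semver prerelease ordering; null means a normal release, which sorts last.
function comparePre(a, b) {
  if (a === null || b === null) return (a === null) - (b === null);
  const x = a.split("."), y = b.split(".");
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    if (x[i] === undefined) return -1;
    if (y[i] === undefined) return 1;
    const nx = /^\d+$/.test(x[i]), ny = /^\d+$/.test(y[i]);
    if (nx && ny && +x[i] !== +y[i]) return +x[i] - +y[i];
    if (nx !== ny) return nx ? -1 : 1; // numeric identifiers sort first
    if (!nx && x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

function compare(a, b) {
  const p = parse(a), q = parse(b);
  for (let i = 0; i < 3; i++) if (p.nums[i] !== q.nums[i]) return p.nums[i] - q.nums[i];
  return comparePre(p.pre, q.pre);
}
// True when the installed version falls in a range listed on this page.
function inListedRange(name, version) {
  const p = parse(version);
  if (!p) return false;
  if (name === "react") return compare(version, "19.0.0") >= 0 && compare(version, "19.2.0") <= 0;
  const major = p.nums[0]; // Next.js: 15.x, 16.x, and anything after 14.3.0-canary.77
  return name === "next" &&
    (major === 15 || major === 16 || (major === 14 && compare(version, "14.3.0-canary.77") > 0));
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3), nested copies included.
function scanLockfile(lock) {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (info.version && inListedRange(name, info.version)) hits.push(`${path}@${info.version}`);
  }
  return hits;
}

const sampleLock = { packages: { // constructed sample data
  "node_modules/react": { version: "19.1.0" }, "node_modules/next": { version: "14.3.0-canary.80" },
  "node_modules/legacy/node_modules/react": { version: "18.3.1" } } };
console.log(scanLockfile(sampleLock));
```

To scan a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `scanLockfile` instead of the sample object.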