A critical security vulnerability affecting Next.js applications using React Server Components has been disclosed and patched. The flaw allows unauthenticated remote code execution by exploiting insecure deserialization in the RSC “Flight” protocol, requiring only a crafted HTTP request to exploit.
Severity
This vulnerability has been assigned a CVSS score of 10.0 — the maximum possible severity rating. Security researchers have constructed fully working proof-of-concept exploits with near-100% reliability.
What’s Affected
The vulnerability impacts Next.js versions:
- ≥ 14.3.0-canary.77
- ≥ 15
- ≥ 16
All applications using the App Router are affected. Even newly generated Next.js applications created with create-next-app and built for production are immediately vulnerable without any code modifications.
Not Affected
The following are not affected by this vulnerability:
- Next.js 13.x
- Next.js 14.x stable
- Pages Router applications
- Edge Runtime
Patched Versions
Update to one of the following patched releases immediately:
| Version Line | Patched Version |
|---|---|
| 16.x | 16.0.7 |
| 15.5.x | 15.5.7 |
| 15.4.x | 15.4.8 |
| 15.3.x | 15.3.6 |
| 15.2.x | 15.2.6 |
| 15.1.x | 15.1.9 |
| 15.0.x | 15.0.5 |
Update immediately using:
```bash
npm install next@latest react@latest react-dom@latest
```
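The affected and patched ranges above, turned into a version checker you can run against `node_modules/next/package.json` before and after upgrading. This is an added example, not code from the advisory or from Next.js; it assumes plain semver strings and treats any 15.x minor line the table does not list as "unknown".

```javascript
// Added example (not part of the advisory): classify an installed Next.js
// version against the affected and patched ranges listed above. Versions are
// parsed by hand so that canary prereleases ("14.3.0-canary.77") sort before
// the stable release with the same number, as semver requires.

// Patched release per affected 15.x minor line, from the table above.
const PATCHED_15 = { 0: "15.0.5", 1: "15.1.9", 2: "15.2.6", 3: "15.3.6", 4: "15.4.8", 5: "15.5.7" };

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split(".") : null };
}

// Semver precedence: numeric triple first; a prerelease ranks below the plain
// release; prerelease identifiers compare numerically when both are digits.
function compare(a, b) {
  for (const k of ["major", "minor", "patch"]) if (a[k] !== b[k]) return a[k] - b[k];
  if (!a.pre && !b.pre) return 0;
  if (!a.pre || !b.pre) return a.pre ? -1 : 1;
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined || y === undefined) return x === undefined ? -1 : 1;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) { if (+x !== +y) return +x - +y; }
    else if (nx !== ny) return nx ? -1 : 1; // numeric identifiers rank lower
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

const gte = (v, floor) => compare(parseVersion(v), parseVersion(floor)) >= 0;

// Returns "not-affected", "vulnerable", "patched" or "unknown" (a line the
// advisory does not list; treat it as needing an upgrade to the latest release).
function classify(version) {
  const v = parseVersion(version);
  if (v.major <= 13) return "not-affected";
  if (v.major === 14) return gte(version, "14.3.0-canary.77") ? "vulnerable" : "not-affected";
  if (v.major === 15) {
    const patched = PATCHED_15[v.minor];
    if (!patched) return "unknown";
    return gte(version, patched) ? "patched" : "vulnerable";
  }
  if (v.major === 16) return gte(version, "16.0.7") ? "patched" : "vulnerable";
  return "unknown";
}
```

Note that a canary build of a patched number (for example `16.0.7-canary.3`) is still classified as vulnerable, because the prerelease sorts below the release the advisory names.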
Vercel Hosting Note
Projects hosted on Vercel are covered by platform-level protections that block the malicious request patterns. However, you should still upgrade to ensure your codebase is secure regardless of hosting environment.
Background
This vulnerability originates in the upstream React implementation (CVE-2025-55182). The Next.js CVE tracks the downstream impact on applications using the App Router. The root cause lies in RSC's ReactFlight protocol, which React 19 uses to serialize and deserialize data between the server and the client.