Next.js Framework Vulnerability
-
CVE-2025-55182: React Server Components Remote Code Execution Vulnerability
CVE-2025-55182 is a vulnerability introduced by React 19. In the affected versions, the Next.js App Router takes RSC (React Server Components) serialized data from the client and passes it directly to ReactFlightReplyServer for deserialization, without sufficiently validating the model structure, reference paths, and Server Reference metadata. An attacker can construct a malicious RSC request that drives the parsing path (parseModelString, getOutlinedModel, loadServerReference, initializeModelChunk, and related functions) into an unexpected state, gaining control over the call target during the module loading and reference binding phases, and ultimately triggering arbitrary server-side code execution in Next.js.