CVE-2025-66478: RCE in React Server Components

2025 030 · 2026-06-05

Technical Details

Affected Versions: 19.0, 19.1, 19.2, 15.x, 16.x, 14.3.0-canary.77 and later
Regions: all
CVE IDs: CVE-2025-66478, CVE-2025-55182
Migration Required: Yes
Cost Impact: Neutral
IaC Impact: High

What This Means

For DevOps Teams

Update React to a patched version (19.0.1, 19.1.2, or 19.2.1) and Next.js to the latest patched version to address the RCE vulnerability, and consider deploying a custom AWS WAF rule for added protection.
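One way to check a project against the React versions listed above, as an added example that is not part of the AWS announcement or this digest. The list of package names to watch is an assumption (the page only says "React"), the sample lockfile is constructed, and Next.js is not checked because the page gives no patched Next.js version numbers.

```javascript
// Flags React packages in a package-lock.json (lockfileVersion 2 or 3) that sit
// on an affected release line below the patched version named on this page.
// Minor release line -> first patched patch number (19.0.1, 19.1.2, 19.2.1).
const PATCHED = { "19.0": 1, "19.1": 2, "19.2": 1 };

// Assumption: which package names count as "React" is not stated on the page.
const WATCHED = /^(react|react-dom|react-server-dom-(webpack|parcel|turbopack))$/;

function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(version);
  if (!m) return "unparsed"; // e.g. a git URL or tag; needs manual review
  const line = `${m[1]}.${m[2]}`;
  if (!(line in PATCHED)) return "not-listed";
  const patch = Number(m[3]);
  // A prerelease of the patched version sorts before it, so treat it as below the fix.
  if (patch < PATCHED[line] || (patch === PATCHED[line] && m[4])) return "update-required";
  return "patched";
}

function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/react"; the name is the last segment.
    const name = path.split("node_modules/").pop();
    if (!WATCHED.test(name) || !entry.version) continue;
    const status = classify(entry.version);
    if (status !== "patched" && status !== "not-listed") {
      findings.push({ path, name, version: entry.version, status });
    }
  }
  return findings;
}

// Constructed sample lockfile, not taken from any real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/react": { version: "19.1.2" },
    "node_modules/react-dom": { version: "19.1.1" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/legacy/node_modules/react": { version: "18.3.1" },
  },
};

for (const f of scanLockfile(sampleLock)) {
  console.log(`${f.path}: ${f.version} -> ${f.status}`);
}
```

Nested copies under other dependencies are reported with their full lockfile path, since a transitive copy can stay on an old version after the top-level one is updated.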

For Platform Teams

Deploy the updated AWS WAF rule and ensure all applications using React and Next.js are running the latest secure versions to protect against potential exploits.

For Executives

Update React and Next.js immediately to mitigate the risk of remote code execution and protect the security and integrity of your applications.

Source

View original AWS announcement →
