Critical Security Alert for React and Next.js Developers
A critical vulnerability affecting React 19 and Next.js 15–16 has been discovered. Developers are urged to update their frameworks immediately and use Cloudflare WAF protections to safeguard applications.

A major vulnerability in React Server Components (CVE-2025-55182) has been discovered, affecting React 19 and frameworks built on it, including Next.js (CVE-2025-66478). This flaw allows attackers to execute malicious payloads by manipulating trusted data structures, making it a critical threat to web applications.
Developers using Next.js versions 15 to 16 are advised to immediately update to the latest patched releases: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7. Frameworks using React Server Components should also upgrade to React 19.0.1, 19.1.2, or 19.2.1.
Cloudflare has deployed protections in its cloud-based Web Application Firewall (WAF) to help safeguard customers from this vulnerability. Applications routed through Cloudflare’s service are protected on both free and paid plans, providing an extra layer of defense.
Experts caution that many servers running modern frameworks are still exposed, making prompt updates essential. Developers are urged to apply the fixes immediately to secure their applications and prevent potential exploits.
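
As an added example (not code from React, Next.js or Cloudflare), the following Node.js script classifies resolved next and react versions against the patched releases listed above. It assumes that later patch releases on a listed major.minor line also contain the fix; the function names and the sample input are constructed for illustration.

```javascript
// Patched releases exactly as listed in the article; nothing else is assumed.
const PATCHED = {
  next: ["15.0.5", "15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7"],
  react: ["19.0.1", "19.1.2", "19.2.1"],
};

// Parse "x.y.z" or "x.y.z-tag"; returns null for ranges or anything else.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: Boolean(m[4]) };
}

// Classify one installed version against the article's list (hypothetical helper).
// "patched"  : at or above the listed fix for its major.minor line (assumption:
//              later patches on the same line keep the fix)
// "update"   : on a listed line but below the fix
// "unlisted" : line not named in the article; consult the vendor advisory
// "unparsed" : not an exact version (for example a range like ^15.1.0)
function classify(pkg, installed) {
  const cur = parseVersion(installed);
  if (!cur) return { status: "unparsed" };
  for (const fixed of (PATCHED[pkg] || []).map(parseVersion)) {
    if (fixed.major !== cur.major || fixed.minor !== cur.minor) continue;
    const target = `${fixed.major}.${fixed.minor}.${fixed.patch}`;
    // A pre-release of the fixed version sorts before the fix itself.
    const below = cur.patch < fixed.patch || (cur.patch === fixed.patch && cur.pre);
    return { status: below ? "update" : "patched", target };
  }
  return { status: "unlisted" };
}

// Audit resolved versions, e.g. copied from a lockfile or `npm ls --json`.
function audit(installedMap) {
  return Object.entries(installedMap).map(([pkg, version]) => ({
    pkg, version, ...classify(pkg, version),
  }));
}

// Constructed sample input, not taken from any real project.
const sample = { next: "15.2.3", react: "19.1.2" };
for (const r of audit(sample)) {
  const fix = r.target ? ` (listed fix: ${r.target})` : "";
  console.log(`${r.pkg}@${r.version}: ${r.status}${fix}`);
}
```

Feed it the resolved versions from the lockfile rather than the ranges in package.json, since a range such as ^15.1.0 does not say which release is actually installed.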



