Overview
- The vulnerability, tracked as CVE-2025-55182 with a CVSS score of 10.0, allows unauthenticated remote code execution through the React Server Components 'Flight' protocol, and affected applications are exposed in their default configuration.
- Within hours of disclosure, AWS honeypots recorded exploitation attempts attributed to China-nexus operators, including Earth Lamia and Jackpot Panda; the activity was hands-on-keyboard rather than purely automated, with operators running discovery commands and reading or writing files on compromised hosts.
- Cloudflare reported that an emergency change to its web application firewall's parsing logic, deployed to mitigate the issue, caused a brief global outage; the company stressed that the outage was not the result of an attack.
- CISA added the vulnerability to its Known Exploited Vulnerabilities catalog as working proof-of-concept code spread, while researchers warned that some public PoCs are fake or unreliable, so defenders should validate any PoC in an isolated environment rather than trusting a successful run as proof of exposure or of remediation.
- React and Next.js released fixed versions (React 19.0.1, 19.1.2 and 19.2.1), NVD marked a separately filed Next.js CVE as a duplicate, and Wiz estimated that roughly 39% of observable cloud environments remained exposed, prompting calls to upgrade to a fixed release rather than rely on interim WAF rules, which only hold if the WAF parses the request the same way the application server does.