CVE-2025-55182 is a critical unauthenticated remote code execution (RCE) vulnerability in the react-server package used by React Server Components (RSC).
CVE-2025-66478 is the corresponding RCE vulnerability in Next.js, which inherits the same underlying flaw through its implementation of the RSC "Flight" protocol.
