React Server Components and Next.js vulnerability (CVE-2025-55182)
Summary
In December 2025, a severe security flaw was discovered in the React Server Components (RSC) protocol. Rated with a CVSS score of 10.0, this vulnerability could enable remote code execution when unpatched systems handle maliciously crafted requests.
The root cause lies in the upstream React implementation (CVE-2025-55182). This notice (CVE-2025-66478) addresses the downstream impact affecting Next.js applications that utilize the App Router.
Vendors have implemented mitigations. SolarWinds products do not use the reported affected package versions and are therefore not affected by the reported vulnerabilities.
Advisory Details
Severity: Critical
Advisory ID: CVE-2025-55182
First Published: 12/03/2025