Support Content Notification - Support Portal

unauthenticated remote code execution vulnerability in React Server Components. React (CVE-2025-55182), Next.js (CVE-2025-66478).

Product/Component

Brocade Fabric OS

1 more products

Notification Id

36611

Last Updated

15 December 2025

Initial Publication Date

15 December 2025

Status

CLOSED

Severity

LOW

CVSS Base Score

10 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

WorkAround

Affected CVE

CVE-2025-55182, CVE-2025-66478

Brocade Security Advisory ID	BSA-2025-3183
Component	React Server

Summary

CVE-2025-55182

Description: A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Affected Version Information:

react-server-dom-webpack (Meta)
- Default Status: unaffected
- affected from 19.0.0 through 19.0.0
- affected from 19.1.0 through 19.1.1
- affected from 19.2.0 through 19.2.0
react-server-dom-turbopack (Meta)
- Default Status: unaffected
- affected from 19.0.0 through 19.0.0
- affected from 19.1.0 through 19.1.1
- affected from 19.2.0 through 19.2.0
react-server-dom-parcel (Meta)
- Default Status: unaffected
- affected from 19.0.0 through 19.0.0
- affected from 19.1.0 through 19.1.1
- affected from 19.2.0 through 19.2.0

More at:

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

CVE-2025-66478

Note: This CVE has been marked Rejected in the CVE List.

Affected Next.js Versions

Applications using React Server Components with the App Router are affected when running:

Next.js 15.x
Next.js 16.x
Next.js 14.3.0-canary.77 and later canary releases

Next.js 13.x, Next.js 14.x stable, Pages Router applications, and the Edge Runtime are not affected.

More at:

https://nextjs.org/blog/CVE-2025-66478

Products Confirmed Not Affected

No Brocade Fibre Channel Product from Broadcom is known to be affected by these vulnerabilities.

Brocade Fabric OS - Not Affected - VEX Status Justification [Vulnerable_code_not_present]
Brocade ASCG - Not Affected - VEX Status Justification [Component_not_present]
Brocade SANnav - Not Affected - VEX Status Justification [Vulnerable_code_not_present]

Revision History

Version	Change	Date
1.0	Initial Publication	12/10/2025

Disclaimer

THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.