Security researcher Rachid.A from Zhero Web Security posted an in-depth analysis of the findings, with the vulnerability tracked as CVE-2025-29927, and receiving a severity score of 9.1/10 (critical).
A maximum severity vulnerability, dubbed 'React2Shell', in the React Server Components (RSC) 'Flight' protocol allows remote code execution without authentication in React and Next.js applications.