Trends-UK

Critical RCE Vulnerabilities Discovered in React & Next.js

Photo of admin-cdn admin-cdn40 minutes ago
0 0 2 minutes read
Critical RCE Vulnerabilities Discovered in React & Next.js

TL;DR:

  • CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) are critical unauthenticated RCE vulnerabilities in the React Server Components (RSC) “Flight” protocol.

  • Default configurations are vulnerable – a standard Next.js app created with create-next-app and built for production can be exploited with no code changes by the developer.

  • Exploitation requires only a crafted HTTP request and has shown near-100% reliability in testing. The flaw stems from insecure deserialization in the RSC payload handling logic, allowing attacker-controlled data to influence server-side execution.

  • Immediate patching is required. Hardened releases for React and Next.js are available.

  • Wiz Research data shows 39% of cloud environments contain vulnerable instances.

A critical vulnerability has been identified in the React Server Components (RSC) “Flight” protocol, affecting the React 19 ecosystem and frameworks that implement it, most notably Next.js. Assigned CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), this flaw allows for unauthenticated remote code execution (RCE) on the server due to insecure deserialization. The vulnerability exists in the default configuration of affected applications, meaning standard deployments are immediately at risk. Due to the high severity and the ease of exploitation, immediate patching is required.

To maintain ecosystem safety while patches are applied, we are currently withholding specific details; the details provided here are intended solely to assist defenders in prioritizing remediation and understanding the risk. We will be updating this blog with additional information as it comes to light.

CVE-2025-55182 is a critical unauthenticated remote code execution (RCE) vulnerability in the react-server package used by React Server Components (RSC).

CVE-2025-66478 is the corresponding RCE vulnerability in Next.js, which inherits the same underlying flaw through its implementation of the RSC “Flight” protocol.

The vulnerability fundamentally resides in the react-server package and its handling of the RSC “Flight” protocol. It is characterized as a logical deserialization vulnerability where the server processes RSC payloads in an unsafe manner. When a server receives a specially crafted, malformed payload, it fails to validate the structure correctly. This allows attacker-controlled data to influence server-side execution logic, resulting in the execution of privileged JavaScript code.

In our experimentation, exploitation of this vulnerability had high fidelity, with a near 100% success rate and can be leveraged to a full remote code execution. The attack vector is unauthenticated and remote, requiring only a specially crafted HTTP request to the target server. It affects the default configuration of popular frameworks.

Wiz data indicates that 39% of cloud environments contain instances of Next.js or React in versions vulnerable to CVE-2025-55182 and/or CVE-2025-66478. Regarding Next.js, the framework itself is present in 69% of environments. Notably, 61% of those environments have public applications running Next.js, meaning that 44% of all cloud environments have publicly exposed Next.js instances (regardless of the version running).

Vulnerable productPatched releasereact-server-dom*: 19.0.0, 19.1.0, 19.1.1, and 19.2.019.0.1, 19.1.2, and 19.2.1Next.js: 14.3.0-canary, 15.x, and 16.x (App Router) 14.3.0-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7

Any framework or library bundling the react-server implementation is likely affected. This includes, but is not limited to:

  • Next.js

  • Vite RSC plugin

  • Parcel RSC plugin

  • React Router RSC preview

  • RedwoodSDK

  • Waku

1. Upgrade React and dependencies to the hardened versions (see above). This is the only definitive mitigation.

2. if you are using other RSC-enabled frameworks (Redwood, Waku, etc.), check their official channels for updates regarding the bundled react-server version and update immediately.

Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment.

Worried you’re being targeted through CVE-2025-55182 or CVE-2025-66478? Connect with the Wiz Incident Response team for assistance.

Photo of admin-cdn admin-cdn40 minutes ago
0 0 2 minutes read
Photo of admin-cdn

admin-cdn

Related Articles

Watch as MAFS' Maeve shocks fans with exchange to love rival Julia-Ruth

Watch as MAFS’ Maeve shocks fans with exchange to love rival Julia-Ruth

2 weeks ago
Grey Dawning powers to Betfair Chase win

Grey Dawning powers to Betfair Chase win

2 weeks ago
Emmerdale star Joshua Richards on Bear's shocking descent into modern slavery – and past role exploring "horrifying" subject matter

Emmerdale star Joshua Richards on Bear’s shocking descent into modern slavery – and past role exploring “horrifying” subject matter

3 weeks ago
Stars join forces in pre-loved jumpers to help change children’s lives this Christmas

Stars join forces in pre-loved jumpers to help change children’s lives this Christmas

4 weeks ago

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button