React and Next.js Face Critical RCE Vulnerabilities Discovery
Recently, critical remote code execution (RCE) vulnerabilities have been discovered in both React and Next.js frameworks. These vulnerabilities are identified as CVE-2025-55182 for React and CVE-2025-66478 for Next.js, which impact the React Server Components (RSC) “Flight” protocol.
Vulnerabilities Overview
The vulnerabilities stem from insecure deserialization in the handling of RSC payloads. Both flaws are exploitable under default configurations, which leaves widely deployed applications especially susceptible.
- CVE-2025-55182: Affects React (the react-server-dom packages).
- CVE-2025-66478: Affects Next.js.
Exploit Mechanism
Exploitation of these vulnerabilities requires only a specially crafted HTTP request. This means that attackers can execute unauthorized commands on the server with minimal effort. Testing reveals a near 100% success rate when exploiting these flaws, highlighting their severity.
Impact Statistics
According to data from Wiz Research, a significant portion of cloud environments is vulnerable:
- 39% of cloud environments are impacted by these vulnerabilities.
- 69% of environments use Next.js, with 44% of those having publicly exposed applications.
Patching and Recommendations
Immediate action is essential. Users of affected frameworks are urged to upgrade to the latest patched versions:
| Product | Affected Versions | Patched Releases |
|---|---|---|
| react-server-dom* | 19.0.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1 |
| Next.js | 14.3.0-canary, 15.x, 16.x (App Router) | 14.3.0-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 |
Additionally, any framework or library that incorporates the react-server implementation, such as Next.js, Vite, and Redwood, may also be affected. Users are advised to check for updates and apply patches promptly.
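As an added example (not code from this article or from the React or Next.js projects), the Node.js script below checks the package versions recorded in a package-lock.json against the patched releases listed in the table above. The lockfile layout (lockfileVersion 3 "packages" map), the `unlisted` outcome for release lines the table does not cover, and the sample lockfile are assumptions constructed for the example.

```javascript
// Added example, not code from the article or the React/Next.js projects.
// Patched releases per "major.minor" line, copied from the article's table.
const PATCHED = {
  'react-server-dom': { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' },
  next: { '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6', '15.3': '15.3.6',
          '15.4': '15.4.8', '15.5': '15.5.7', '16.0': '16.0.7' },
};
const NEXT_CANARY_FIXED = 88; // 14.3.0-canary.88 is the first patched canary

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns 'patched', 'vulnerable', 'unlisted' (a line the table does not cover)
// or 'unaffected' (package outside the advisory's scope).
function classify(name, version) {
  const family = /^react-server-dom-/.test(name) ? 'react-server-dom'
    : name === 'next' ? 'next' : null;
  if (!family) return 'unaffected';
  const v = parseVersion(version);
  // Table special case: Next.js 14.3.0-canary.N is fixed from canary.88 onward.
  if (family === 'next' && v.major === 14 && v.minor === 3 && v.patch === 0 && v.pre) {
    const n = /^canary\.(\d+)$/.exec(v.pre);
    return n && +n[1] >= NEXT_CANARY_FIXED ? 'patched' : 'vulnerable';
  }
  const fixed = PATCHED[family][`${v.major}.${v.minor}`];
  if (!fixed) return 'unlisted';
  const f = parseVersion(fixed);
  // A prerelease of the fixed patch (e.g. 15.5.7-canary.1) still precedes the fix.
  if (v.patch > f.patch || (v.patch === f.patch && !v.pre)) return 'patched';
  return 'vulnerable';
}

// Scan the "packages" map of a package-lock.json (lockfileVersion 3); keys look
// like "node_modules/next" and values carry "version". Unaffected packages are skipped.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.replace(/^.*node_modules\//, '');
    if (!name || !meta.version) continue;
    const status = classify(name, meta.version);
    if (status !== 'unaffected') findings.push({ name, version: meta.version, status });
  }
  return findings;
}

const SAMPLE_LOCK = { packages: { // constructed sample, not from a real project
  'node_modules/next': { version: '15.4.3' },
  'node_modules/react-server-dom-webpack': { version: '19.2.1' } } };
console.log(scanLockfile(SAMPLE_LOCK)); // next -> 'vulnerable', the RSC package -> 'patched'
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json'))` in place of `SAMPLE_LOCK`; any `vulnerable` or `unlisted` finding warrants an upgrade or a manual check against the vendor advisory.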
Next Steps
All developers using these frameworks should prioritize upgrading to the hardened versions. If you depend on RSC-enabled libraries, verify that their versions include the fix. Anyone concerned that they may be targeted through these vulnerabilities should contact their security team for assistance.
Maintaining security protocols is vital as the ecosystem addresses these threats. El-Balad will provide further updates as more information becomes available.