Critical React Server Components Vulnerability Exploited: December 12 Update

A critical vulnerability in React Server Components (RSC), specifically in the server side of the Flight protocol that RSC uses to serialize data between server and client, is being actively exploited. On December 3, 2025, the flaw was publicly disclosed as a Remote Code Execution (RCE) vulnerability tracked as CVE-2025-55182; CVE-2025-66478 was issued for Next.js and covers the same underlying bug. It affects several versions of React and Next.js and carries a CVSS score of 10.0, the maximum severity. As the situation develops, affected organizations need to understand what is exposed and what the required mitigation steps are.

Vulnerability Overview

The flaw is an unsafe deserialization bug in the react-server code (the server-side Flight implementation that ships inside the react-server-dom-webpack, -turbopack and -parcel packages). When a crafted HTTP request body reaches a server-side RSC endpoint, the payload is deserialized in a way that lets an unauthenticated attacker execute arbitrary code on the server. Exploitability is high: no credentials are needed, no change to the application is required, and testing shows near-100% success against default application configurations built on the affected versions.

Exploited Versions

  • React: 19.0, 19.1, and 19.2 (all releases before the patched versions listed below)
  • Next.js: 15.x and 16.x (applications using the App Router), plus 14.3.0 canary builds; stable 14.x releases are not in the affected list

Scale of Impact

React is widely used, with roughly 40% of developers reporting that they use it, and Next.js holds an estimated 18-20% market share among React frameworks. Palo Alto Networks reports over 968,000 instances of these frameworks detected in its telemetry, a measure of the exposed surface rather than of confirmed compromises.

Post-Exploitation Activities

Unit 42 has tracked significant post-exploitation activities, indicating a variety of tactics employed by attackers:

  • Automated reconnaissance to fingerprint compromised hosts and enumerate credentials and other sensitive data.
  • Installation of additional malware, including cryptominers and backdoors such as Noodle RAT and SNOWLIGHT.
  • Activity attributed to CL-STA-1015, a suspected Chinese state-sponsored Initial Access Broker.

Recommendations for Mitigation

Palo Alto Networks urges immediate upgrades to the patched versions of React and Next.js as the primary response:

  • React: Upgrade to 19.0.1, 19.1.2, or 19.2.1, whichever matches your minor line; upgrade the react-server-dom-* packages together with react and react-dom
  • Next.js: Upgrade to a stable patched release, including 16.0.7 and 15.5.7; 14.3.0 canary users should move to a patched canary or to a patched stable line
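The quickest check a practitioner wants is whether the versions resolved in a lockfile fall inside the affected ranges above and which patched release to move to. The following Node.js script is an added example, not code from the article or from the React or Next.js projects. It assumes versions have already been resolved to exact numbers (as in package-lock.json or yarn.lock), that react-dom and the react-server-dom-* packages follow the same version lines and fixes as react, and it flags every 14.3.0 canary build because the first fixed canary is not named above. Because only 15.5.7 is named for the Next.js 15 line, older 15.x minors are flagged conservatively even where a backported patch may exist. The dependency map at the bottom is constructed sample input.

```javascript
'use strict';

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (a leading "v" is tolerated).
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(text).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Order two parsed versions. A prerelease (e.g. 19.2.1-canary.x) sorts BEFORE
// the release it precedes, so it is never mistaken for the fixed build.
function compareVersions(a, b) {
  const core = (a.major - b.major) || (a.minor - b.minor) || (a.patch - b.patch);
  if (core !== 0) return core;
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// First fixed release per affected React minor line, from the recommendations.
const REACT_FIXES = ['19.0.1', '19.1.2', '19.2.1'];
// Stable patched Next.js targets named in the recommendations, one per major.
const NEXT_FIXES = ['15.5.7', '16.0.7'];

// Packages versioned in lockstep with React that ship the RSC server code.
// Assumption: they share react's affected/fixed lines; confirm against the advisory.
const REACT_FAMILY = new Set([
  'react', 'react-dom',
  'react-server-dom-webpack', 'react-server-dom-turbopack', 'react-server-dom-parcel',
]);

// Find the fix for v's line (major, or major.minor when byMinor is true).
function fixFor(v, fixes, byMinor) {
  for (const fix of fixes) {
    const fv = parseVersion(fix);
    if (fv.major === v.major && (!byMinor || fv.minor === v.minor)) return { fix, fv };
  }
  return null;
}

function verdict(name, version, v, hit) {
  return compareVersions(v, hit.fv) < 0
    ? { name, version, status: 'vulnerable', upgradeTo: hit.fix }
    : { name, version, status: 'patched', upgradeTo: null };
}

// Classify one installed package as vulnerable, patched, not-affected or unparseable.
function checkPackage(name, version) {
  const v = parseVersion(version);
  if (!v) return { name, version, status: 'unparseable', upgradeTo: null };

  if (name === 'next') {
    // Every 14.3.0 canary build is flagged (assumption: fixed canary not named above).
    if (v.major === 14 && v.minor === 3 && v.patch === 0 && v.pre && v.pre.startsWith('canary')) {
      return { name, version, status: 'vulnerable', upgradeTo: NEXT_FIXES.join(' or ') };
    }
    const hit = fixFor(v, NEXT_FIXES, false);
    return hit ? verdict(name, version, v, hit) : { name, version, status: 'not-affected', upgradeTo: null };
  }

  if (REACT_FAMILY.has(name)) {
    const hit = fixFor(v, REACT_FIXES, true);
    return hit ? verdict(name, version, v, hit) : { name, version, status: 'not-affected', upgradeTo: null };
  }
  return { name, version, status: 'not-affected', upgradeTo: null };
}

// Check a { name: exactVersion } map and return only the entries needing action.
function findVulnerable(deps) {
  return Object.entries(deps)
    .map(([name, version]) => checkPackage(name, version))
    .filter((r) => r.status === 'vulnerable' || r.status === 'unparseable');
}

// Constructed sample input; not taken from any real project.
const SAMPLE_DEPS = {
  next: '15.5.6',
  react: '19.2.0',
  'react-dom': '19.2.0',
  'react-server-dom-webpack': '19.2.1-canary.abc',
  express: '4.21.0',
};

for (const r of findVulnerable(SAMPLE_DEPS)) {
  console.log(`${r.name}@${r.version}: ${r.status}${r.upgradeTo ? ', upgrade to ' + r.upgradeTo : ''}`);
}
```

Feed it the exact versions from your lockfile rather than the ranges in package.json: a "^19.1.0" range tells you nothing about which build is actually installed, and a prerelease tag on a fixed version number (19.2.1-canary.x) still predates the fix.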

Where an upgrade cannot be applied immediately, organizations should put detection and blocking in front of the affected applications to catch exploit attempts against RSC endpoints. Palo Alto Networks offers coverage through its Cortex XDR and Prisma Cloud products to identify vulnerable deployments and manage the resulting risk.

As the situation evolves, organizations should keep monitoring network and host activity for the post-exploitation signs described above, and review which of their applications expose Server Components endpoints, so that every affected deployment is found and patched.