Critical Vulnerabilities in React and Next.js

December 5, 2025

Summary

A critical vulnerability has been identified in the React Server Components (RSC) "Flight" protocol, a core feature of the modern React 19 ecosystem. This flaw, tracked as CVE-2025-55182 (React) and impacting the popular framework Next.js, allows an attacker to achieve unauthenticated Remote Code Execution (RCE) on the server due to insecure deserialization. The vulnerability exists in the default configuration of affected applications, meaning standard deployments are immediately at risk.

Impact

This flaw carries the maximum severity score of 10.0. An attacker can execute privileged JavaScript code on the server simply by sending a specially crafted HTTP request, without needing to authenticate. Security vendors are tracking rapidly expanding exploitation in the wild, with observed malicious activity including attempts to steal cloud credentials, install cryptomining malware (XMRig), and deploy other remote access tools. Up to 44% of cloud environments may have publicly exposed, vulnerable instances.

What is vulnerable

Vulnerable Product: react-server-dom*

  • Versions Affected: 19.0.x, 19.1.x, 19.2.x

  • Fixed Release(s): 19.0.1, 19.1.2, 19.2.1 and above

Vulnerable Product: Next.js (with App Router)

  • Versions Affected: 14.3.0-canary.77 and later canary releases, 15.x, 16.x

  • Fixed Release(s): 14.x stable, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 and above

Vulnerable Product: Other Frameworks

  • Versions Affected: Any framework bundling react-server (e.g., Vite RSC plugin, Parcel RSC plugin, RedwoodSDK, Waku)

  • Fixed Release(s): Consult vendor-specific announcements.
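To check an application's own dependency tree against the version ranges above, here is an added Node.js example (not taken from the advisory or the vendors it cites): it walks the "packages" map of a package-lock.json (lockfile v2/v3) and classifies every react-server-dom-* and next entry using the fixed-version table listed above. The lockfile at the bottom is constructed sample data.

```javascript
// Added example (not from the advisory or its sources): audit the dependency versions in a
// package-lock.json against the fixed releases listed above. FIXED comes from the advisory;
// SAMPLE_LOCK at the bottom is constructed data.
const FIXED = {
  react: { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" },
  next: { "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
          "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7" },
};
// Split "15.4.7" or "14.3.0-canary.77" into numeric parts plus a prerelease tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(String(v).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}
// True once v has reached the fixed release; a prerelease of that release (15.4.8-canary.3) has not.
function atLeast(v, fixed) {
  const f = parseVersion(fixed);
  const d = v.major - f.major || v.minor - f.minor || v.patch - f.patch;
  return d > 0 || (d === 0 && v.pre === null);
}
// Classify one dependency as vulnerable, fixed, unaffected or unknown (release line not covered).
function assess(name, version) {
  const v = parseVersion(version);
  if (!v) return "unknown";
  const line = `${v.major}.${v.minor}`;
  if (name === "next") {
    if (v.major === 14) { // 14.x stable is listed as fixed; canaries from 14.3.0-canary.77 on are affected
      const c = /^canary\.(\d+)$/.exec(v.pre || "");
      if (!c) return v.pre ? "unknown" : "fixed";
      return v.minor > 3 || (v.minor === 3 && (v.patch > 0 || +c[1] >= 77)) ? "vulnerable" : "unaffected";
    }
    if (v.major !== 15 && v.major !== 16) return "unaffected";
    return !FIXED.next[line] ? "unknown" : atLeast(v, FIXED.next[line]) ? "fixed" : "vulnerable";
  }
  if (name.startsWith("react-server-dom-")) { // only the 19.0-19.2 lines are listed as affected
    return !FIXED.react[line] ? "unaffected" : atLeast(v, FIXED.react[line]) ? "fixed" : "vulnerable";
  }
  return "unaffected";
}
// Walk a lockfile v2/v3 "packages" map ("node_modules/<name>": { version, ... }).
function auditLockfile(lock) {
  return Object.entries(lock.packages || {}).flatMap(([path, meta]) => {
    const name = path.split("node_modules/").pop();
    if (!meta || !meta.version || (name !== "next" && !name.startsWith("react-server-dom-"))) return [];
    return [{ name, version: meta.version, status: assess(name, meta.version) }];
  });
}
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/next": { version: "15.4.7" }, "node_modules/react": { version: "19.1.1" },
  "node_modules/react-server-dom-webpack": { version: "19.1.1" } } };
console.log(auditLockfile(SAMPLE_LOCK));
```

Replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))` to run it against a real project; "unknown" means the release line is not covered by the table above and the vendor notes should be consulted.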

Recommendations

IMMEDIATE ACTION IS REQUIRED to mitigate the risk of unauthenticated RCE:

  • PATCH IMMEDIATELY: Upgrade your applications to the fixed versions listed above for react-server-dom and Next.js.

  • NETWORK RESTRICTION: If immediate patching is not possible, restrict network access to the vulnerable servers. Use firewalls and network policies to ensure that only authorized and necessary internal services can communicate with the application server.

  • MONITORING: Increase logging and monitoring for post-exploitation activities on any public-facing servers running these frameworks, looking for unauthorized shell scripts, attempts to access credentials (e.g., AWS keys), or the deployment of cryptominers (XMRig).

Additional Information

  • The management console has been updated and there should be no visible downtime.

References

  1. https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
  2. https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66...(Next.js)-,CVE%2D2025%2D55182%20(React)%20and%20CVE%2D2025,of%20the%20RSC%20Flight%20protocol.
  3. https://cloud.google.com/blog/products/identity-security/responding-to-c...


If you have any questions about the vulnerability or would like some assistance patching or mitigating it, please contact security@berkeley.edu.