Customer Advisory: Critical RCE Flaw in React and Next.js Server Components

By Adversary Tactics and Intelligence Team

Estimated Reading Time: 4 minutes

Cloud Environments – React – CVE-2025-55182 – Next.js – CVE-2025-66478 – Remote Code Execution – Unauthorized Access Vulnerability

Source Material: Wiz, Next.js, React | Targeted Industries: All

Executive Summary

Two recently disclosed critical, maximum-severity vulnerabilities, CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), enable unauthenticated remote code execution (RCE). These flaws originate from insecure deserialization when processing payloads within the React Server Components (RSC) “Flight” protocol, which allows attackers to execute arbitrary code. The high-risk flaw affects standard production deployments of React 19 and Next.js versions 15.x and 16.x that use the App Router, impacting a wide range of derivative frameworks and bundlers. Security analysis from Wiz reports that 39% of observed cloud environments contain vulnerable instances. Both the React and Next.js projects issued patch releases, while the major hosting platforms Netlify and Vercel confirmed application of platform-level protections to block associated malicious requests. All developers should upgrade their applications immediately to the latest versions in order to harden their security stack against attackers exploiting these flaws.

Threat Overview and Strategic Impact

The security community faces immediate risk from two maximum-severity flaws, CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), both assigned a CVSS score of 10.0. These vulnerabilities permit unauthenticated RCE by leveraging insecure deserialization within the RSC “Flight” protocol. An attacker requires only an HTTP request to influence server-side execution logic and achieve full RCE. Since this issue affects default configurations, specifically Next.js applications utilizing the App Router, standard deployments are presently exploitable. While no evidence of active exploitation has been observed at this time, threat actors have been known to operationalize critical widespread vulnerabilities within 1-2 weeks of public disclosure.

The strategic impact of these flaws is substantial given the widespread adoption of affected components, with Wiz Research estimating 39% of cloud environments harbor vulnerable instances. Since exploitation is unauthenticated and remote, successful attacks result in the execution of privileged code, leading to complete server compromise and potential data exfiltration or persistence. For organizations utilizing React Server Components—including Next.js, React Router, and Waku—immediate and decisive action is critical. Security teams must urgently upgrade React and associated dependencies to the hardened versions because patching remains the only definitive mitigation strategy available against this critical threat.

  • Vulnerabilities: CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), both with a CVSS score of 10.0. These two vulnerabilities allow unauthenticated RCE by leveraging insecure deserialization within the RSC “Flight” protocol. Since this issue affects default configurations, specifically Next.js applications utilizing the App Router, standard deployments are immediately exploitable.
  • Active Exploitation Expected: While no evidence of active exploitation has been observed at this time, threat actors have been known to operationalize critical widespread vulnerabilities within 1-2 weeks of public disclosure. Advanced threat actors have historically exploited reported zero days within as little as 5 days of public disclosure. Given the widespread nature of these flaws and their impact on cloud environments, threat actors will attempt to exploit them rapidly.


Security Hardening and Recommendations

Organizations must take immediate, decisive action to prevent and mitigate this critical exposure. To harden security posture against the critical unauthenticated RCE vulnerabilities, CVE-2025-55182 and CVE-2025-66478, security teams must prioritize immediate system patching and strict dependency management. Upgrading React and associated dependencies to hardened versions is the only definitive mitigation available. Specifically, teams should install React versions 19.0.1, 19.1.2, or 19.2.1, and Next.js applications using the App Router must move to patched releases such as 15.0.5, 15.5.7, or 16.0.7.

Fixes in Versions:

  • React: 19.0.1, 19.1.2, 19.2.1
  • Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should downgrade either to a 14.x stable release or to 14.3.0-canary.76. Furthermore, because the flaw resides fundamentally in the RSC “Flight” protocol, any frameworks or bundlers bundling the react-server implementation—such as Next.js, React Router, Waku, and RedwoodSDK—require immediate updates. Organizations should check official channels for these frameworks to ensure the bundled react-server version is secured.
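As an added example (not the advisory's or either project's own code), the following Node.js script maps the fixed versions listed above onto a package-lock.json and flags unpatched copies of react and next, including nested copies; the lockfile content is constructed, and the status labels and function names are my own.

```javascript
// Added example: classify React / Next.js versions in a package-lock.json against the fixed releases above.
const FIXED_PATCH = {
  // "major.minor" line -> first patch level that carries the fix (from the advisory)
  react: { "19.0": 1, "19.1": 2, "19.2": 1 },
  next: { "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6, "15.4": 8, "15.5": 7, "16.0": 7 },
};
const AFFECTED_MAJORS = { react: [19], next: [15, 16] }; // React 19, Next.js 15.x / 16.x
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || "" } : null;
}
// Returns "vulnerable", "patched", "not-affected" or "unknown" (minor line not listed above).
function assess(pkg, version) {
  const s = parseSemver(version);
  if (!s || !FIXED_PATCH[pkg]) return "unknown";
  // Next.js 14.3 canaries: canary.77 and later are affected, canary.76 and earlier are not.
  if (pkg === "next" && s.major === 14 && s.minor === 3 && s.pre.startsWith("canary.")) {
    const n = parseInt(s.pre.slice("canary.".length), 10);
    return Number.isInteger(n) && n >= 77 ? "vulnerable" : "not-affected";
  }
  if (!AFFECTED_MAJORS[pkg].includes(s.major)) return "not-affected";
  const fixPatch = FIXED_PATCH[pkg][`${s.major}.${s.minor}`];
  if (fixPatch === undefined) return "unknown"; // review manually
  // A pre-release of the fixed patch sorts before it in semver, so it counts as unpatched.
  const fixed = s.patch > fixPatch || (s.patch === fixPatch && s.pre === "");
  return fixed ? "patched" : "vulnerable";
}
// Walk a lockfileVersion 2/3 package-lock.json; nested node_modules copies are included.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop(); // root entry "" is skipped below
    if (name !== "react" && name !== "next") continue;
    findings.push({ path, name, version: meta.version, status: assess(name, meta.version) });
  }
  return findings;
}
// Constructed sample lockfile: an unpatched Next.js, a patched React, and a nested React 18.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/next": { version: "15.5.6" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/legacy-widget/node_modules/react": { version: "18.3.1" },
  },
};
console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
```

The lockfile alone cannot show whether a Next.js app uses the App Router, so treat hits as leads to confirm; a minor line the advisory does not list comes back as "unknown" and needs manual review.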

While some hosting providers, such as Netlify and Vercel, implemented temporary platform-level mitigations, updating the application code is still required for full security hardening against future exploitation. No configuration option exists to disable the vulnerable code path, therefore immediate deployment of the vendor-supplied fixes remains critical to reducing an organization’s attack surface.

Deepwatch Detections

While dedicated detections for these specific CVEs have not been released and will be assessed as more details emerge, general detections for this type of activity, as well as the expected follow-on activity, are already deployed and enabled based on available data in customer environments. Deepwatch detections provide visibility into common post-exploitation techniques, helping to quickly identify and address a threat actor within the environment. More information on Deepwatch’s detections for this threat can be found on our Customer Security Portal.

Threat Hunting Leads

  • Vulnerability scan results relating to CVE-2025-55182 or CVE-2025-66478
  • Rare child processes of web server processes on impacted appliances
  • Internal port scanning alerts relating to impacted appliances
  • Unexpected authentication attempts from impacted appliances
  • AV/EDR alerts on impacted appliances
