React/Next.js Remote Code Execution Vulnerability (CVE-2025-55182/CVE-2025-66478) Notice

React/Next.js Remote Code Execution Vulnerability (CVE-2025-55182/CVE-2025-66478) Notice

dezembro 4, 2025 | NSFOCUS

Overview

Recently, NSFOCUS CERT has detected that React and Next.js have issued security bulletins to fix the remote code execution vulnerability of React/Next.js (CVE-2025-55182/CVE-2025-66478); Because React Server Components are insecurely deserialized when processing HTTP requests, an unauthenticated attacker can call the Node.js built-in module by constructing a specially crafted form to execute arbitrary code on the target server. Since the App Router used by Next.js embeds the DOM package of React, Therefore, it is also affected by this vulnerability. The CVSS score is 10.0. At present, the vulnerability details and PoC have been made public. Relevant users are requested to take measures to protect themselves as soon as possible.

Reference links:

https://nextjs.org/blog/CVE-2025-66478

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

Scope of Impact

Affected versions

  • React Server = 19.0.0
  • React Server = 19.1.0
  • React Server = 19.1.1
  • React Server = 19.2.0

Note: including react-server-dom-webpack/react-server-dom-parcel/react-server-dom-turbopack

  • 15.0.0 <= Next.js <= 15.0.4
  • 15.1.0 <= Next.js <= 15.1.8
  • 15.2.0 <= Next.js <= 15.5.6
  • 16.0.0 <= Next.js <= 16.0.6
  • Next.js >= 14.3.0-canary.77

Note: Frameworks/tools that rely on React, such as react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, rwsdk and RedwoodJS (RSC mode), may also be affected.

Unaffected version

  • React Server = 19.0.1
  • React Server = 19.1.2
  • React Server = 19.2.1
  • Next.js = 13.x
  • Next.js = 14.x
  • Next.js >= 15.0.5
  • Next.js >= 15.1.9
  • Next.js >= 15.2.6
  • Next.js >= 15.3.6
  • Next.js >= 15.4.8
  • Next.js >= 15.5.7
  • Next.js >= 16.0.7

Note: Next.js applications that only use Client Components (Pages Router) and Edge Runtime are not affected.

Detection

Relevant users can check whether the project uses React Server Component (RSC):

  1. Determine whether the application uses next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc and rwsdk
  2. Check if use server/use client is used in the code

If it is determined that the React Server Component (RSC) is used, further check whether the version is in the affected range.

Risk Investigation of Exposure Surface

Cloud detection

NSFOCUS External Attack Surface Management Service (EASM) supports Internet asset troubleshooting of CVE-2025-55182/CVE-2025-66478 vulnerability risks. It has helped service customer groups complete exposure surface troubleshooting and conduct timely vulnerability warnings and closed-loop disposal before threats occur. Interested customers can arrange detailed consultation and communication by contacting their local regional colleagues at NSFOCUS or sending an email to rs@nsfocus.com.

Tool troubleshooting

NSFOCUS Automated Penetration Testing Tool (EZ) has supported Next.js service identification and CVE-2025-55182 vulnerability risk detection, which can be scanned directly using the web module. (Note: For the enterprise version, please contact NSFOCUS sales team.)

Tool download link: https://github.com/m-sec-org/EZ/releases

New users please register for the M-SEC community (https://msec.nsfocus.com) to apply for a certificate for use:

Mitigation

Official upgrade

At present, the official has released a new version to fix the above vulnerabilities. Affected users are requested to upgrade the version as soon as possible for protection.

Download link: https://github.com/facebook/react/releaseshttps://github.com/vercel/next.js/tags

Temporary protective measures

If the relevant users are temporarily unable to perform upgrade operations, temporary relief can be achieved through the following measures:

  1. Modify the configuration to disable the React Server Components function without affecting the business;
  2. Restrict access to Server Function endpoints

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, a pioneering leader in cybersecurity, is dedicated to safeguarding telecommunications, Internet service providers, hosting providers, and enterprises from sophisticated cyberattacks.

Founded in 2000, NSFOCUS operates globally with over 4000 employees at two headquarters in Beijing, China, and Santa Clara, CA, USA, and over 50 offices worldwide. It has a proven track record of protecting over 25% of the Fortune Global 500 companies, including four of the five largest banks and six of the world’s top ten telecommunications companies.

Leveraging technical prowess and innovation, NSFOCUS delivers a comprehensive suite of security solutions, including the Intelligent Security Operations Platform (ISOP) for modern SOC, DDoS Protection, Continuous Threat Exposure Management (CTEM) Service and Web Application and API Protection (WAAP). All the solutions and services are augmented by the Security Large Language Model (SecLLM), ML, patented algorithms and other cutting-edge research achievements developed by NSFOCUS.