React/Next.js Remote Code Execution Vulnerability (CVE-2025-55182/CVE-2025-66478) Notice and Handling Manual

React/Next.js Remote Code Execution Vulnerability (CVE-2025-55182/CVE-2025-66478) Notice and Handling Manual

dezembro 4, 2025 | NSFOCUS

Overview

Recently, NSFOCUS CERT has detected that React and Next.js have issued security bulletins to fix the remote code execution vulnerability of React/Next.js (CVE-2025-55182/CVE-2025-66478); Because React Server Components are insecurely deserialized when processing HTTP requests, an unauthenticated attacker can call the Node.js built-in module by constructing a specially crafted form to execute arbitrary code on the target server. Since the App Router used by Next.js embeds the DOM package of React, Therefore, it is also affected by this vulnerability. The CVSS score is 10.0. At present, the vulnerability details and PoC have been made public. Relevant users are requested to take measures to protect themselves as soon as possible.

Reference links:

https://nextjs.org/blog/CVE-2025-66478

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

Scope of Impact

Affected versions

  • React Server = 19.0
  • React Server = 19.1.0
  • React Server = 19.1.1
  • React Server = 19.2.0
  • 14.3.0-canary.77 <= Next.js <= 15.0.4
  • 15.1.0 <= Next.js <= 15.1.8
  • 15.2.0 <= Next.js <= 15.5.6
  • 16.0.0 <= Next.js <= 16.0.6
  • Dify <= 1.10.1
  • NextChat

Note: including react-server-dom-webpack/react-server-dom-parcel/react-server-dom-turbopack

  • 15.0.0 <= Next.js <= 15.0.4
  • 15.1.0 <= Next.js <= 15.1.8
  • 15.2.0 <= Next.js <= 15.5.6
  • 16.0.0 <= Next.js <= 16.0.6
  • Next.js >= 14.3.0-canary.77

Note: Frameworks/tools that rely on React, such as react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, rwsdk and RedwoodJS (RSC mode), may also be affected.

Unaffected version

  • React Server = 19.0.1
  • React Server = 19.1.2
  • React Server = 19.2.1
  • Next.js = 13.x
  • Next.js <= 14.3.0-canary.76
  • Next.js >= 15.0.5
  • Next.js >= 15.1.9
  • Next.js >= 15.2.6
  • Next.js >= 15.3.6
  • Next.js >= 15.4.8
  • Next.js >= 15.5.7s
  • Next.js >= 15.6.0-canary.58
  • Next.js >= 16.0.7
  • Dify >= 1.10.1-fix.1

Note: Next.js applications that only use Client Components (Pages Router) and Edge Runtime are not affected.

Detection

Manual inspection

Relevant users can check whether the project uses React Server Component (RSC):

1. Determine whether the application uses framework components such as next, Dify, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc and rwsdk

2. Check whether use server/use client is used in the code

If you are sure that React Server Component (RSC) is used, you can execute the following command to check whether the version is in the affected range:

npm list react-server-dom-webpack react-server-dom-turbopack react-server-dom-parcel 

Tool inspection

NSFOCUS Automated Penetration Testing Tool (EZ) has supported service identification and CVE-2025-55182/CVE-2025-66478 vulnerability risk detection of frameworks such as Next.js and Dify, which can be scanned directly using the web module. (Note: For the enterprise version, please contact NSFOCUS sales staff to obtain it)

Product testing

NSFOCUS Remote Security Assessment System (RSAS), WEB Application Vulnerability Scanning System (WVSS) and Network Intrusion Detection System

 Upgrade package version No.Upgrade package download link
RSAS V6 System plug-in packageV6.0R02F01.4307https://update.nsfocus.com/update/listRsasDetail/v/vulsys
RSAS V6 Web Plugin packageV6.0R02F00.3807https://update.nsfocus.com/update/listRsasDetail/v/vulweb
WVSS V6 Plug-in upgrade packageV6.0R03F00.389https://update.nsfocus.com/update/listWvssDetail/v/6/t/plg
IDS5.6.11.43026https://update.nsfocus.com/update/listNewidsDetail/v/rule5.6.10
IDS5.6.10.43026https://update.nsfocus.com/update/listNewidsDetail/v/rule5.6.11
IDS2.0.0.43026https://update.nsfocus.com/update/listNewidsDetail/v/rule5.6.11_v2

Risk Investigation of Exposure Surface

Cloud detection

NSFOCUS External Attack Surface Management Service (EASM) supports Internet asset troubleshooting of CVE-2025-55182/CVE-2025-66478 vulnerability risks. It has helped service customer groups complete exposure surface troubleshooting and conduct timely vulnerability warnings and closed-loop disposal before threats occur. Interested customers can arrange detailed consultation and communication by contacting their local regional colleagues at NSFOCUS or sending an email to rs@nsfocus.com.

Local investigation

NSFOCUS CTEM solution can actively and passively discover and troubleshoot React-related assets and CVE-2025-55182/CVE-2025-66478 vulnerability risks:

Users use the external attack surface discovery function to synchronize CVE-2025-55182/CVE-2025-66478 vulnerability clues to the cloud, and obtain the affected assets of the target unit through asset mapping.

Mitigation

Official upgrade

At present, the official has released a new version to fix the above vulnerabilities. Affected users are requested to upgrade the version as soon as possible for protection.

Download links:

React: https://github.com/facebook/react/releases

Next.js: https://github.com/vercel/next.js/tags

Dify: https://github.com/langgenius/dify/releases

Product mitigation

In response to the above vulnerabilities, NSFOCUS WEB Application Protection System (WAF), NSFOCUS Network Intrusion Prevention System (IPS), NSFOCUS Integrated Threat Probe (UTS), NSFOCUS Security Management Platform (ESP-H) and NSFOCUS Intelligent Security Operation Platform (ISOP) have released rule upgrade packages. Relevant users are requested to upgrade the rule packages to the latest version to form security product protection capabilities.

ProductsUpgrade package version No.Upgrade package download linkRule No.
WAF6.0.8.1.72517https://update.nsfocus.com/update/listWafV68Detail/v/rule[27007078]
 6.0.7.3.72517https://update.nsfocus.com/update/listWafV67Detail/v/rule6070 
 6.0.7.0.72517https://update.nsfocus.com/update/listWafSpecialDetail/v/all 
IPS5.6.11.43026https://update.nsfocus.com/update/listNewipsDetail/v/rule5.6.11[29515]
 5.6.10.43026https://update.nsfocus.com/update/listNewipsDetail/v/rule5.6.10 
 2.0.0.43026https://update.nsfocus.com/update/listNewidsDetail/v/rule5.6.11_v2 
UTS5.6.10.43026https://update.nsfocus.com/update/listBsaUtsDetail/v/rule2.0.0[29515]
 2.0.0.43026https://update.nsfocus.com/update/listBsaUtsDetail/v/rule2.0.1 
ESP-H1.0.0.1.2092890https://update.nsfocus.com/update/listesphDetail/v/V3.0R01F00NG[491417]
ISOP1.0.0.1.2092890https://update.nsfocus.com/update/listisopdetail/v/V3.0R01F00NG[491417]

Temporary protective measures

If the relevant users are temporarily unable to perform upgrade operations, temporary relief can be achieved through the following measures:

1. Modify the configuration to disable the React Server Components function without affecting the business;

2. Restrict access to Server Function endpoints.

3. Use security devices to add custom rules for detection and interception.

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, a pioneering leader in cybersecurity, is dedicated to safeguarding telecommunications, Internet service providers, hosting providers, and enterprises from sophisticated cyberattacks.

Founded in 2000, NSFOCUS operates globally with over 4000 employees at two headquarters in Beijing, China, and Santa Clara, CA, USA, and over 50 offices worldwide. It has a proven track record of protecting over 25% of the Fortune Global 500 companies, including four of the five largest banks and six of the world’s top ten telecommunications companies.

Leveraging technical prowess and innovation, NSFOCUS delivers a comprehensive suite of security solutions, including the Intelligent Security Operations Platform (ISOP) for modern SOC, DDoS Protection, Continuous Threat Exposure Management (CTEM) Service and Web Application and API Protection (WAAP). All the solutions and services are augmented by the Security Large Language Model (SecLLM), ML, patented algorithms and other cutting-edge research achievements developed by NSFOCUS.