Critical Vulnerabilities in React and Next.js: everything you need to know

Detect and mitigate React2Shell (CVE-2025-55182 and CVE-2025-66478), critical RCE vulnerabilities in React and Next.js. Organizations should patch urgently.

TL;DR:

  • CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) are critical unauthenticated RCE vulnerabilities in the React Server Components (RSC) "Flight" protocol.

  • Default configurations are vulnerable – a standard Next.js app created with create-next-app and built for production can be exploited with no code changes by the developer.

  • Exploitation requires only a crafted HTTP request. We've constructed a fully working RCE proof-of-concept that we're withholding for now, but our testing has shown near-100% reliability.

  • The flaw stems from insecure deserialization in the RSC payload handling logic, allowing attacker-controlled data to influence server-side execution.

  • Immediate patching is required. Hardened releases for React and Next.js are available.

  • Wiz Research data shows 39% of cloud environments contain vulnerable instances.


Technical Details

A critical vulnerability has been identified in the React Server Components (RSC) "Flight" protocol, affecting the React 19 ecosystem and frameworks that implement it, most notably Next.js. Assigned CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), this flaw allows for unauthenticated remote code execution (RCE) on the server due to insecure deserialization. The vulnerability exists in the default configuration of affected applications, meaning standard deployments are immediately at risk. Due to the high severity and the ease of exploitation, immediate patching is required.

To maintain ecosystem safety while patches are applied, we are currently withholding specific details; the details provided here are intended solely to assist defenders in prioritizing remediation and understanding the risk. We will be updating this blog with additional information as it comes to light.

What are CVE-2025-55182 and CVE-2025-66478?

CVE-2025-55182 is a critical unauthenticated remote code execution (RCE) vulnerability in the react-server package used by React Server Components (RSC).

CVE-2025-66478 is the corresponding RCE vulnerability in Next.js, which inherits the same underlying flaw through its implementation of the RSC "Flight" protocol.

The vulnerability fundamentally resides in the react-server package and its handling of the RSC "Flight" protocol. It is characterized as a logical deserialization vulnerability where the server processes RSC payloads in an unsafe manner. When a server receives a specially crafted, malformed payload, it fails to validate the structure correctly. This allows attacker-controlled data to influence server-side execution logic, resulting in the execution of privileged JavaScript code.

In our experimentation, exploitation of this vulnerability was highly reliable, with a near-100% success rate, and can be leveraged to achieve full remote code execution. The attack vector is unauthenticated and remote, requiring only a specially crafted HTTP request to the target server. It affects the default configuration of popular frameworks.

Wiz Research data: what's the risk to cloud environments?

Wiz data indicates that 39% of cloud environments contain instances of Next.js or React in versions vulnerable to CVE-2025-55182 and/or CVE-2025-66478. Regarding Next.js, the framework itself is present in 69% of environments. Notably, 61% of those environments have public applications running Next.js, meaning that 44% of all cloud environments have publicly exposed Next.js instances (regardless of the version running).

Which products are affected?

Vulnerable product | Patched release
react-server-dom*: 19.0.0, 19.1.0, 19.1.1, and 19.2.0 | 19.0.1, 19.1.2, and 19.2.1
Next.js: 14.3.0-canary, 15.x, and 16.x (App Router) | 14.3.0-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7

Any framework or library bundling the react-server implementation is likely affected. This includes, but is not limited to:

  • Next.js

  • Vite RSC plugin

  • Parcel RSC plugin

  • React Router RSC preview

  • RedwoodSDK

  • Waku

Google stated that public OS images provided by Google Cloud for Compute Engine are not affected by default.

Which actions should security teams take?

1. Upgrade React and dependencies to the hardened versions (see above). This is the only definitive mitigation.

2. If you are using other RSC-enabled frameworks (Redwood, Waku, etc.), check their official channels for updates regarding the bundled react-server version and update immediately.
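To turn the affected-versions table and the upgrade step above into a repeatable check, here is an added example (not code from Wiz, React or Next.js) that classifies the react-server-dom-* and next entries of an npm package-lock against the patched releases listed in the table. It assumes lockfile v2/v3 layout; release lines the table does not mention (for example 16.1.x or stable 14.x) are reported as "unknown" for manual review rather than silently passed.

```javascript
// Lowest fixed patch level per "major.minor" line, taken from the advisory table.
const PATCHED = {
  'react-server-dom': { '19.0': 1, '19.1': 2, '19.2': 1 },
  next: { '15.0': 5, '15.1': 9, '15.2': 6, '15.3': 6, '15.4': 8, '15.5': 7, '16.0': 7 },
};
const NEXT_CANARY_FIXED = 88; // 14.3.0-canary.88 is the first fixed canary build

// Parse "19.2.1" or "14.3.0-canary.87" (exact versions, as found in a lockfile).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// Returns 'vulnerable' | 'patched' | 'unknown' | 'not-applicable'.
function assessPackage(name, version) {
  const family = name.startsWith('react-server-dom-') ? 'react-server-dom'
               : name === 'next' ? 'next' : null;
  if (!family) return 'not-applicable';
  const p = parseVersion(version);
  if (!p) return 'unknown';
  if (family === 'next' && p.major === 14) {
    // Only the 14.3.0-canary line is listed as affected; other 14.x builds need review.
    const c = /^canary\.(\d+)$/.exec(p.pre || '');
    if (!c) return 'unknown';
    return +c[1] >= NEXT_CANARY_FIXED ? 'patched' : 'vulnerable';
  }
  const fixed = PATCHED[family][`${p.major}.${p.minor}`];
  if (fixed === undefined) return 'unknown'; // release line not covered by the table
  return p.patch >= fixed ? 'patched' : 'vulnerable';
}

// Walk the "packages" map of a package-lock v2/v3 (nested node_modules included).
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const status = assessPackage(name, meta.version || '');
    if (status === 'vulnerable' || status === 'unknown') {
      findings.push({ name, version: meta.version, status });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment: one vulnerable next, one patched react-server-dom.
const sampleLock = { packages: {
  '': { name: 'app' },
  'node_modules/next': { version: '15.4.2' },
  'node_modules/react-server-dom-webpack': { version: '19.2.1' },
} };
console.log(scanLockfile(sampleLock)); // [{ name: 'next', version: '15.4.2', status: 'vulnerable' }]
```

Run it against a real lockfile with `scanLockfile(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; an empty result means every listed line is at or above the patched release.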

Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment.

Worried you're being targeted through CVE-2025-55182 or CVE-2025-66478? Connect with the Wiz Incident Response team for assistance.
