TL;DR:
CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) are critical unauthenticated RCE vulnerabilities in the React Server Components (RSC) "Flight" protocol. UPDATE: CVE-2025-66478 has since been rejected as a duplicate of CVE-2025-55182.
Default configurations are vulnerable – a standard Next.js app created with
create-next-appand built for production can be exploited with no code changes by the developer.Exploitation requires only a crafted HTTP request. We've constructed a fully working RCE proof-of-concept that we're withholding for now, but our testing has shown near-100% reliability. UPDATE: Public RCE exploits are now available.
UPDATE: Exploitation has now been observed in the wild by Wiz Research, Amazon Threat Intelligence, Datadog and others.
UPDATE: Wiz Research has observed a post-exploitation pivot toward cloud credential harvesting and cryptocurrency mining
The flaw stems from insecure deserialization in the RSC payload handling logic, allowing attacker-controlled data to influence server-side execution.
Immediate patching is required. Hardened releases for React and Next.js are available.
Wiz Research data shows 39% of cloud environments contain vulnerable instances.
Technical Details
A critical vulnerability has been identified in the React Server Components (RSC) "Flight" protocol, affecting the React 19 ecosystem and frameworks that implement it, most notably Next.js. Assigned CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), this flaw allows for unauthenticated remote code execution (RCE) on the server due to insecure deserialization. The vulnerability exists in the default configuration of affected applications, meaning standard deployments are immediately at risk. Due to the high severity and the ease of exploitation, immediate patching is required.
To maintain ecosystem safety while patches are applied, we are currently withholding specific details; the details provided here are intended solely to assist defenders in prioritizing remediation and understanding the risk. We will be updating this blog with additional information as it comes to light.
What are CVE-2025-55182 and CVE-2025-66478?
CVE-2025-55182 is a critical unauthenticated remote code execution (RCE) vulnerability in the react-server package used by React Server Components (RSC).
CVE-2025-66478 is the corresponding RCE vulnerability in Next.js, which inherits the same underlying flaw through its implementation of the RSC "Flight" protocol.
The vulnerability fundamentally resides in the react-server package and its handling of the RSC "Flight" protocol. It is characterized as a logical deserialization vulnerability where the server processes RSC payloads in an unsafe manner. When a server receives a specially crafted, malformed payload, it fails to validate the structure correctly. This allows attacker-controlled data to influence server-side execution logic, resulting in the execution of privileged JavaScript code.
In our experimentation, exploitation of this vulnerability had high fidelity, with a near 100% success rate and can be leveraged to a full remote code execution. The attack vector is unauthenticated and remote, requiring only a specially crafted HTTP request to the target server. It affects the default configuration of popular frameworks.
UPDATE: CVE-2025-66478 has been rejected as a duplicate of CVE-2025-55182. This makes sense, as they both have the same root cause. However, this does not mean that detections of CVE-2025-66478 are false positives; the rejection simply means that CVE-2025-55182 covers both cases.
Wiz Research data: what’s the risk to cloud environments?
Wiz data indicates that 39% of cloud environments contain instances of Next.js or React in versions vulnerable to CVE-2025-55182 and/or CVE-2025-66478. Regarding Next.js, the framework itself is present in 69% of environments. Notably, 61% of those environments have public applications running Next.js, meaning that 44% of all cloud environments have publicly exposed Next.js instances (regardless of the version running).
Exploitation in the wild
Wiz is tracking rapidly expanding exploitation of the CVE-2025-55182 since the full proof of concept exploit became public. Our sensors have identified multiple victims who have had been compromised via this exploit starting December 5, 6:00AM UTC. We are continuing to hunt for post exploitation activity and expect this exploit to be employed by targeted and opportunistic campaigns. Our visibility confirms the public reporting from GreyNoise and others of significant adoption of this vulnerability.
Wiz identified an environment compromised by this exploit where the actor attempted to identify AWS credentials and base64 encode them, likely in preparation for exfiltration.
At a separate cloud environment, exploitation was followed by a shell script that attempted to install the sliver malware framework.
Wiz has identified multiple cryptomining campaigns that have each affected multiple customers. At this time, we are aware of at least six incidents and expect that to grow.
One campaign dropped a UPX packed version of the cryptominer XMRig. The earliest we have discovered occurred at 6:00 AM UTC on December 5th
A second cryptominer campaign has downloaded the standard XMRig set up from Github, specifying their specific mining pool.
Public reporting by GreyNoise has identified 95 IP addresses performing what they assess to be “opportunistic, largely automated exploitation attempts” beginning at 04:00 UTC on December 5th.
AWS reported that they identified multiple China-nexus groups experimenting with early public attempts at exploit code on December 4th, prior to the full PoC being released. Given this interest and past Chinese tactics, we expect a wide range of China-nexus actors to use this exploit in targeted intrusions.
Which products are affected?
| Vulnerable product | Patched release |
|---|---|
| react-server-dom* (19.0.x, 19.1.x, 19.2.x) | 19.0.1, 19.1.2, and 19.2.1 |
| Next.js with App Router (14.3.0-canary.77 and later canary releases, 15.x, 16.x) | 14.x stable, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 |
Any framework or library bundling the react-server implementation is likely affected. This includes, but is not limited to:
Next.js
Vite RSC plugin
Parcel RSC plugin
React Router RSC preview
RedwoodSDK
Waku
Google has stated that public OS images provided by Google Cloud for Compute Engine are not affected by default.
Which actions should security teams take?
1. Upgrade React and dependencies to the hardened versions (see above). This is the only definitive mitigation.
2. if you are using other RSC-enabled frameworks (Redwood, Waku, etc.), check their official channels for updates regarding the bundled react-server version and update immediately.
Wiz customers can use the pre-built queries in the advisory in the Wiz Threat Center for detection of vulnerable instances in their environment, and evidence of malicious activity following exploitation of the vulnerability (using Wiz Defend and runtime Sensor). We strongly recommend opting in to ASM Vulnerability Exploitability validation to ensure full exposure validation of exploitable services.
Worried you're being targeted through CVE-2025-55182 or CVE-2025-66478? Connect with the Wiz Incident Response team for assistance.
