RCE Vulnerability in React Server Components & Next.js

RCE Vulnerability in React Server Components & Next.js | Uptycs
React Server Components (RSC) 和 Next.js 存在严重漏洞（CVE-2025-55182 和 CVE-2025-66478），允许未认证攻击者通过恶意payload实现远程代码执行。默认配置下极易被利用，需立即升级至指定安全版本以修复问题。 2025-12-8 14:27:58 Author: www.uptycs.com(查看原文) 阅读量:3 收藏

Post by Uptycs MDR Team

Contributed by: Nandakumar KJ & Nageswra Rao C

Technical Details:

A critical vulnerability has been discovered in the React Server Components (RSC) 'Flight' protocol, impacting on the React 19 ecosystem and the frameworks built on top of it most notably Next.js. Tracked as CVE-2025-55182 for React and CVE-2025-66478 for Next.js, this vulnerability enables unauthenticated remote code execution (RCE) on the server due to insecure deserialization. Because the vulnerability is present in default configurations, typical deployments are exposed immediately. Given its critical nature and ease of exploitation, immediate patching is required.

CVE-2025-55182

CVE-2025-55182 is an insecure deserialization flaw within RSC. A remote, unauthenticated attacker could take advantage of the issue by sending a maliciously crafted payload to a susceptible React Server Function endpoint. If the attack succeeds, it could lead to remote code execution on the server.

CVE-2025-66478

CVE-2025-66478 is the RCE vulnerability in Next.js, which inherits the same underlying vulnerability through its implementation of the RSC "Flight" protocol.

Which products are affected?

Vulnerable Product

Patch Released

react-server-dom*: 19.0.0, 19.1.0, 19.1.1, and 19.2.0

19.0.1, 19.1.2, and 19.2.1

Next.js 14.3.0-canary.77 and later canary releases, Next.js 15.x, Next.js 16.x (App Router)

The vulnerability is fully resolved in the following patched Next.js releases:

15.0.5
15.1.9
15.2.6
15.3.6
15.4.8
15.5.7
16.0.7

If you are on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release

Uptycs Coverage for these vulnerabilities:

We have coverage for these vulnerabilities CVE-2025-55182 and CVE-2025-66478. Please click on the Vulnerabilities section on the left pane and search (use the Addfilter option to add the filter for the specific CVE) for the CVE to identify the Vulnerable resources.

Additionally, using below SQL, you can list the affected packages and hosts.

SQL select * from npm_packages where (name='next' and (version like '15.%' or version like '16.%' or version like '14.3.0-canary.%') and version not in ('15.0.5','15.1.9','15.2.6','15.3.6','15.4.8' ,'15.5.7','16.0.7','14.3.0-canary.88')) or (name in ('react-server-dom-parcel' , 'react-server-dom-webpack' ,'react-server-dom-turbopack') and version in ('19.0' , '19.1.0' , '19.1.1' , '19.2.0')) and upt_day>=20251203

Mitigation Guidance:

Update React and its related packages to the secured versions listed above. This is the only reliable fix.
If you are using other RSC-enabled frameworks (Redwood, Waku, etc.), check their official channels for updates regarding the bundled react-server version and update immediately.

Reference:

文章来源: https://www.uptycs.com/blog/critical-rce-vulnerability-react-server-components-nextjs
如有侵权请联系:admin#unsafe.sh