Researchers disclosed critical remote code execution vulnerabilities in the Flight protocol for React Server Components on Dec. 3, 2025, enabling unauthenticated attackers to execute arbitrary server-side JavaScript via insecure deserialization. The flaws (tracked as CVE-2025-55182, with CVE-2025-66478 later marked a duplicate) affect React 19 and frameworks such as Next.js and are highly reliable against default deployments; immediate patching is required, and mitigations and detection guidance are available from the affected vendors and Palo Alto Networks. #CVE-2025-55182 #NextJS
Key points
- Disclosure and severity: Public disclosure on Dec. 3, 2025 of RCE vulnerabilities in the Flight protocol tracked as CVE-2025-55182 (CVSS 10.0); CVE-2025-66478 was later rejected as a duplicate.
- Vulnerability mechanism: Insecure deserialization in the react-server implementation of the RSC Flight protocol allows attacker-controlled HTTP payloads to influence server-side execution and achieve arbitrary code execution.
- Exploitability: Low complexity, unauthenticated, no user interaction required, near-100% reliability against default deployments (e.g., create-next-app production builds).
- Scope and affected components: Affects React 19 (19.0, 19.1, 19.2), Next.js App Router versions 15.x and 16.x and certain Canary builds, plus packages react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack and any frameworks bundling them (React Router, Waku, RedwoodSDK, Parcel, Vite RSC plugin).
- Enterprise impact: Large potential exposure given wide React/Next.js adoption (React used by ~40% of developers, Next.js by ~18-20%) and Cortex Xpanse telemetry showing >968,000 exposed instances.
- Mitigations and response: Immediate upgrade to specified hardened versions (React 19.0.1/19.1.2/19.2.1; Next.js patched releases) is required; Palo Alto Networks provides Cortex XDR/XSIAM protections, Unit 42 incident response, and hunting queries to detect exploitation attempts.
MITRE Techniques
- None mentioned - The article does not explicitly reference any MITRE ATT&CK technique identifiers or names.
Indicators of Compromise
- [CVE IDs] vulnerability identifiers - CVE-2025-55182, CVE-2025-66478
- [File names / paths] filenames targeted or written by exploitation - pwned.txt, .ssh/authorized_keys, and other flagged paths such as .aws/credentials, gcloud/credentials.db, .azure/accessTokens.json
- [Package names] vulnerable libraries/packages - react-server-dom-webpack, react-server-dom-parcel (also react-server-dom-turbopack)
- [Framework / deployment indicators] deployment artifacts or command-line markers - ".next" present in the Node.js command line for standard Next.js deployments; create-next-app production builds noted as exploitable
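The indicators above can be turned into a simple hunt: flag file writes to the listed sensitive paths when the writing process is Node.js running a ".next" build. The following is an added example, not code from the Unit 42 article or its hunting queries; the event dictionary layout (op/process/cmdline/path) and the sample events are constructed here to stand in for EDR file-write telemetry.

```python
"""Hunt for suspicious file writes by Next.js server processes (added example)."""
import re

# Paths the article flags as targeted or written during exploitation attempts
FLAGGED_PATH_SUFFIXES = (
    "pwned.txt",
    ".ssh/authorized_keys",
    ".aws/credentials",
    "gcloud/credentials.db",
    ".azure/accessTokens.json",
)

# Matches a Node.js binary at the end of a POSIX or Windows process path
NODE_RE = re.compile(r"(^|[\\/])node(\.exe)?$", re.IGNORECASE)


def is_nextjs_server(event):
    """True if the process is Node.js and its command line references a .next build."""
    return bool(NODE_RE.search(event.get("process", ""))) and ".next" in event.get("cmdline", "")


def is_flagged_path(path):
    """Suffix match against the flagged paths; backslashes are normalised for Windows."""
    norm = path.replace("\\", "/")
    return any(norm.endswith(suffix) for suffix in FLAGGED_PATH_SUFFIXES)


def hunt(events):
    """Return file-write events where a Next.js server process touched a flagged path."""
    return [
        e for e in events
        if e.get("op") == "file_write" and is_nextjs_server(e) and is_flagged_path(e.get("path", ""))
    ]


# Constructed sample telemetry: two benign writes, one read, three hits
NEXT_CMD = "node /app/.next/standalone/server.js"
SAMPLE_EVENTS = [
    {"op": "file_write", "process": "/usr/bin/node", "cmdline": NEXT_CMD, "path": "/app/.next/cache/images/abc"},
    {"op": "file_write", "process": "/usr/bin/node", "cmdline": NEXT_CMD, "path": "/root/.ssh/authorized_keys"},
    {"op": "file_write", "process": "/usr/bin/node", "cmdline": NEXT_CMD, "path": "/tmp/pwned.txt"},
    {"op": "file_write", "process": "/usr/bin/vim", "cmdline": "vim /root/.ssh/authorized_keys", "path": "/root/.ssh/authorized_keys"},
    {"op": "file_write", "process": "C:\\Program Files\\nodejs\\node.exe",
     "cmdline": "node.exe C:\\app\\.next\\standalone\\server.js", "path": "C:\\Users\\svc\\.aws\\credentials"},
    {"op": "file_read", "process": "/usr/bin/node", "cmdline": NEXT_CMD, "path": "/root/.aws/credentials"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT:", hit["process"], "->", hit["path"])
```

The benign .next cache write and the administrator's editor session are not flagged, so the rule keys on the combination of process, command line and destination path rather than on any one of them.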
Read more: https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-next/