Critical Security Advisory: Unauthenticated RCE in React & Next.js Ecosystem

Ofek Haviv

December 3, 2025

Updated: December 5, 2025

TL;DR:

  • The Threat: A critical vulnerability in the React Server Components (RSC) "Flight" protocol allows for Unauthenticated Remote Code Execution (RCE).
  • The CVEs: Originally tracked as CVE-2025-55182 (React) and CVE-2025-66478 (Next.js). CVE-2025-66478 has since been rejected as a duplicate of CVE-2025-55182, but patching still requires framework-level updates (details below).
  • The Impact: In the default configuration, attackers can execute arbitrary system commands on the server without authentication.
  • Detection: WAF vendors have released signatures for these payloads, but the attack surface remains large because RSC endpoints are exposed by default.
  • The Fix: Immediate patching of the underlying framework (Next.js, etc.) is the only effective mitigation.

Technical Details

A fundamental flaw has been identified in the deserializer component of React Server Components (RSC), within the react-server package (shipped to applications through the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack bindings). This component handles the "Flight" protocol - the serialization format used to stream data between server and client, including the client-to-server replies that the server deserializes.

The vulnerability is insecure deserialization. The Flight protocol was designed on the assumption that it would only process payloads produced by React's own client. However, because modern meta-frameworks like Next.js expose these RSC endpoints publicly in order to serve UI components, the endpoints are reachable by anyone on the internet.

An attacker exploits this by sending a specially crafted Flight payload whose reference targets the constructor property of an object on the server. Because the deserializer resolves the reference with an ordinary property lookup, without restricting it to the object's own data properties, the walk climbs the prototype chain: any object's constructor property leads to a built-in constructor, and that constructor's own constructor property is the global Function constructor. This hands the attacker a primitive for compiling and running arbitrary code.

Function compiles its string arguments as JavaScript source, so the attacker supplies a string that is passed to it as the arguments of a new function. By inserting a semicolon (;) they terminate the expected context and append their own JavaScript statements. From there they can require Node's child_process module and call execSync inside the server process, which runs any system command: full Remote Code Execution (RCE).

Exploitation requires zero authentication. A standard deployment, built for production, is vulnerable out of the box with no additional code changes required by the developer.
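To make the bug class concrete, here is an added illustration that is not React's Flight code and does not reproduce the real payload: a minimal reference resolver that walks attacker-controlled property paths (the ":"-separated path syntax and the model object are assumptions made for this example), placed next to a hardened resolver that only follows own data properties and refuses reserved keys.

```javascript
// Added illustration of the bug class, not React's Flight code: a reference
// resolver that walks attacker-controlled property paths, next to a hardened
// version. The ":"-separated path syntax and the model object are assumptions.

// Constructed server-side object graph that a reply payload may reference.
const serverModel = { user: { name: "alice", roles: ["viewer"] } };

// VULNERABLE: plain property lookup honours "constructor" and "__proto__",
// so the walk climbs out of the data and into built-in prototypes:
// user -> Object (via constructor) -> Function (via Object.constructor).
function resolveUnsafe(root, path) {
  return path.split(":").reduce((current, key) => current[key], root);
}

// What a deserializer does once the reference is resolved: call it with the
// payload's arguments and run the result. With `Function` as the target,
// the payload string is compiled and executed inside the server process.
function unsafeDeserialize(path, args) {
  const target = resolveUnsafe(serverModel, path);
  const compiled = target(...args);
  return compiled();
}

// HARDENED: only own properties of plain objects and arrays, reserved keys
// refused outright, and a resolved function is never handed back to a caller.
const RESERVED_KEYS = new Set(["constructor", "__proto__", "prototype"]);

function resolveSafe(root, path) {
  let current = root;
  for (const key of path.split(":")) {
    if (RESERVED_KEYS.has(key)) {
      throw new Error(`reserved key in reference: ${key}`);
    }
    const isContainer = current !== null && typeof current === "object";
    if (!isContainer || !Object.prototype.hasOwnProperty.call(current, key)) {
      throw new Error(`unknown reference: ${path}`);
    }
    current = current[key];
  }
  if (typeof current === "function") {
    throw new Error(`reference resolves to code: ${path}`);
  }
  return current;
}

// Demo: a benign reference works in both resolvers; the constructor walk
// only succeeds in the unsafe one.
console.log(resolveUnsafe(serverModel, "user:name")); // alice
console.log(unsafeDeserialize("user:constructor:constructor", ["return 6 * 7"])); // 42
try {
  resolveSafe(serverModel, "user:constructor:constructor");
} catch (e) {
  console.log(`hardened resolver refused: ${e.message}`);
}
```

The point of the hardened version is not the specific blocklist but the combination: reserved keys are rejected, every step must be an own property of a plain container, and a reference that resolves to a function is never returned, so there is nothing for a later "call this reference" step to invoke.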

Update: The Rejection of CVE-2025-66478

Initially, CVE-2025-66478 was assigned to Next.js to track the vulnerability within that specific framework.

Status Update: CVE-2025-66478 has now been rejected as a duplicate of CVE-2025-55182.

  • The Logic: The root cause lies in the React core (react-server), not in Next.js code, so the vulnerability is now tracked under the single React CVE.
  • The Catch: Despite being a "duplicate," you cannot fix this by updating React in isolation. Frameworks like Next.js bundle specific versions of React.
  • The Action: To fix the root cause (CVE-2025-55182), update the Next.js framework (the target of the rejected CVE-2025-66478) to a version that pulls in the patched React dependencies. Do not skip the Next.js update because its own CVE was rejected.

Immediate Remediation

Security teams should audit their environments for public-facing Node.js applications and apply the following updates immediately:

1. Next.js (App Router): upgrade to one of the following patched versions, according to the branch you are on:

  • v16.x: Upgrade to 16.0.7
  • v15.x: Upgrade to 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, or 15.5.7
  • Canary: If you are on a 14.3.0-canary or later canary build, upgrade to the latest canary or revert to stable v14.

2. React (standalone): if you use react-server directly (outside a meta-framework), upgrade to:

  • 19.0.1
  • 19.1.2
  • 19.2.1