.png)
Critical Remote Code Execution Vulnerability Discovered in React and Next.js, Immediate Patching Required
Publication date:2025/12/04
Background
On December 3, 2025, the React open-source project disclosed a critical security vulnerability (CVE-2025-55182, CVSS Score: 10.0) affecting the React Server Components (RSC) protocol, stemming from unsafe deserialization. The popular React-based full-stack framework Next.js is also impacted downstream (originally tracked as CVE-2025-66478). React is a widely used JavaScript UI library developed by Meta, and Next.js is a primary framework within its ecosystem. According to data from Wiz, approximately 39% of cloud environments contain instances of React or Next.js vulnerable to this flaw, indicating a vast potential impact scope.
Threat and Risk Analysis
1. Severity and Ease of Exploitation: This vulnerability allows unauthenticated remote attackers to achieve Remote Code Execution (RCE) by sending a specially crafted HTTP request to a target server. Research confirms a near 100% exploitation success rate with a low barrier to entry for attackers.
2. Default Configuration Affected: The vulnerability impacts the default configuration of React (versions 19.0 through 19.2.0) and Next.js (versions 15 through 16). This means a significant number of standard deployments are at risk without any specific modifications by developers.
3. Extensive Impact Scope: React and its ecosystem are used by millions of developers and numerous globally recognized companies (e.g., Meta, Netflix, Walmart). The vulnerability poses a severe threat to internet services relying on these frameworks. Security experts warn that mass exploitation is "imminent," and the urgency is comparable to the Log4j vulnerability.
4. Related Vulnerabilities: CVE-2025-55182 is the root cause, directly affecting React's server packages (react-server-dom-webpack, etc.). Frameworks built on React (such as Next.js, React Router, Waku) are consequently exposed.
Security Recommendations
1. Immediate Upgrading (Primary Action)
- React Users: Must immediately upgrade to the patched version (React 19.2.1, or the relevant versions 19.0.1, 19.1.2, 19.2.1).
- Next.js Users: Immediately upgrade to the secure versions (Next.js 16.0.7, 15.5.7, 15.4.8).
- Users of Other React Frameworks: Check and upgrade to the security versions officially released by the respective framework.
2. Deploy Temporary Mitigations
- Cloud Service Users: Utilize Web Application Firewall (WAF) rules provided by cloud providers for temporary protection. For example, some vendors have already released protective rules designed to detect and block exploitation attempts.
- Note: WAF rules are only a temporary mitigation and are not a substitute for applying patches.
3. Verification and Monitoring
- After applying patches, fully redeploy all affected services.
- Enable and monitor WAF and related security logs, closely watching for any attack attempts.
Given the vulnerability's extreme severity, ease of exploitation, and vast potential impact, all organizations and developers using affected versions of React and its frameworks (especially Next.js) must treat this as a top-priority security incident. Immediate action must be taken to patch and protect systems and services as outlined above.
Official References
1. React Security Advisory: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
2. Next.js Security Advisory: https://nextjs.org/blog/CVE-2025-66478