Aikido

Critical React & Next.js RCE Vulnerability (CVE-2025-55182): What You Need to Fix Now

Sooraj Shah

Key Takeaways

  • CVE-2025-55182 is a critical remote code execution vulnerability in React Server Components.
  • Next.js assigns a related identifier, CVE-2025-66478, due to its use of the same underlying Flight protocol.
  • Vulnerable versions include react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack across multiple React 19 releases.
  • Frameworks such as Next.js, React Router (RSC mode), Vite RSC plugin, Parcel RSC plugin, RedwoodSDK, and Waku bundle these vulnerable packages.
  • Aikido now tracks CVE-2025-55182 (scored 10/10) and the related Next.js CVE-2025-66478. Connect your repos to scan for it.

TLDR: See How You Are Affected

Aikido now tracks CVE-2025-55182 and the related Next.js CVE-2025-66478. Connect your repositories to determine whether your application or its dependencies include vulnerable React Server Component implementations.

Remediation Steps

1. Upgrade React

Install the patched React release for your minor line: 19.0.1, 19.1.2, or 19.2.1. These include hardened input handling.

2. Upgrade Frameworks That Bundle RSC

Update your framework to its corresponding patched version.
Next.js users should upgrade to the latest patched release within their major version line.
Anyone on a canary version starting at 14.3.0-canary.77 should switch back to the latest stable 14.x release.

3. Update RSC-Enabled Bundlers and Plugins

Ensure you update:

  • Vite RSC plugin
  • Parcel RSC plugin
  • React Router RSC preview
  • RedwoodSDK
  • Waku

Each has released versions that include the fixed RSC implementation.

4. Validate With Aikido

After upgrading, run a scan to confirm that:

  • All vulnerable versions have been removed
  • No transitive dependencies remain affected
  • Framework and bundler integrations are fully patched
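To check the first two points above without a vendor scanner, here is an added example (not Aikido's tooling and not React's code) that walks an npm package-lock.json and flags the three RSC packages still on a version affected by CVE-2025-55182. The package names and patched versions come from this advisory; the sample lockfile and the example-framework path are constructed.

```javascript
// Added example (not Aikido's scanner, not React's code): audit an npm
// package-lock.json (lockfileVersion 2 or 3) for React Server Components
// packages still on a React 19 version affected by CVE-2025-55182.
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack",
]);
// First patched release on each affected React 19 minor line (from the advisory).
const MIN_PATCHED = { "19.0": [19, 0, 1], "19.1": [19, 1, 2], "19.2": [19, 2, 1] };

// "vulnerable", "patched", "unaffected" (minor line not listed), or
// "review" (prerelease/canary or unparsable: check against the advisory by hand).
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.*)?$/.exec(version);
  if (!m) return "review";
  const v = [+m[1], +m[2], +m[3]];
  const floor = MIN_PATCHED[`${v[0]}.${v[1]}`];
  if (!floor) return "unaffected";
  if (m[4] !== undefined) return "review";
  return v[2] < floor[2] ? "vulnerable" : "patched";
}

// Every entry in lock.packages is keyed by its node_modules path; a path with
// more than one "node_modules/" segment is a transitive (nested) install.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const segments = path.split("node_modules/");
    const name = segments[segments.length - 1];
    if (!RSC_PACKAGES.has(name)) continue;
    const status = classify(entry.version);
    if (status === "patched" || status === "unaffected") continue;
    findings.push({ name, version: entry.version, path, status, transitive: segments.length > 2 });
  }
  return findings;
}

// Constructed sample lockfile: a direct patched install next to a transitive
// vulnerable one pulled in by a (hypothetical) framework, plus a canary build to review.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/example-framework/node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.0-canary-example" },
  },
};
for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.toUpperCase()}: ${f.name}@${f.version} at ${f.path}${f.transitive ? " (transitive)" : ""}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a "review" result means a prerelease build that this simple patch-number comparison cannot judge.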

Background

CVE-2025-55182 is a critical unauthenticated remote code execution vulnerability affecting React Server Components. It also affects the broader ecosystem of frameworks that rely on the React Flight protocol. Next.js has assigned CVE-2025-66478 to track its exposure, which stems from the same underlying issue.

The vulnerability allows specially crafted requests to trigger unsafe deserialization behavior within the server-side RSC implementation, which can lead to remote code execution under certain conditions. It affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0, as well as downstream integrations that embed these packages.

Deep Dive

Nature of the Vulnerability

The issue stems from unsafe handling of serialized payloads in the React Flight protocol. Malformed or adversarial payloads can influence server-side execution in unintended ways. Patched React versions include stricter validation and hardened deserialization behavior.

Why You May Be Affected Even Without Using Server Functions

Frameworks commonly embed the RSC implementation by default. An application can therefore be exposed even if it does not explicitly define Server Functions. The integration layer itself can invoke the vulnerable code path.

Affected Versions

React versions 19.0, 19.1.0, 19.1.1, and 19.2.0 are vulnerable.
Next.js versions beginning at 14.3.0-canary.77, as well as all 15.x and 16.x releases prior to their patched versions, are affected due to their use of the RSC implementation.

Hosting Environment Notes

Vercel has implemented request-layer protections to reduce exposure while users upgrade, but these do not remediate the vulnerability. All users should update to patched versions as soon as possible.

Severity

CVSS score: 10.0 (Critical)
Impact: Remote code execution
Attack Vector: Remote and unauthenticated

Timeline

November 29: Vulnerability reported
November 30: Confirmation and fix development
December 1: Coordination with framework maintainers and hosting providers
December 3: Public patches released and CVE disclosed

Scan Your Codebase Now

Aikido tracks CVE-2025-55182 and CVE-2025-66478 across all supported ecosystems. Connect your repositories to perform a full scan and quickly assess your exposure. Start for free with Aikido here.

