Executive Summary
On Dec. 3, 2025, researchers publicly disclosed critical remote code execution (RCE) vulnerabilities in the Flight protocol used by React Server Components (RSC). These vulnerabilities are tracked as CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), which have been assigned a maximum severity rating of CVSS 10.0.
The flaw allows unauthenticated attackers to execute arbitrary code on the server via insecure deserialization of malicious HTTP requests. Testing indicates the exploit has near-100% reliability and requires no code changes to be effective against default configurations. There have been no reports of exploitation in the wild as of Dec. 3, 2025.
React is heavily implemented in enterprise environments, used by roughly 40% of all developers, while Next.js is used by approximately 18%-20%. This makes it the leading server-side framework for the React ecosystem.
Palo Alto Networks Cortex Xpanse has identified the presence of over 968,000 React and Next.js instances in our telemetry.
These vulnerabilities impact the React 19 ecosystem and frameworks that implement it. Specifically, they affect the following versions:
- React: Versions 19.0, 19.1, and 19.2
- Next.js: Versions 15.x and 16.x (App Router), as well as Canary builds starting from 14.3.0
- Other frameworks: Any library bundling the react-server implementation, including React Router, Waku, RedwoodSDK, Parcel and Vite RSC plugins
Palo Alto Networks customers receive protections from and mitigations for CVE-2025-55182 and CVE-2025-66478 in the following ways:
- Cortex XDR and XSIAM agents help protect against post-exploitation activities using the multi-layer protection approach.
Palo Alto Networks also recommends upgrading to the following hardened versions immediately:
- React: Upgrade to 19.0.1, 19.1.2, or 19.2.1
- Next.js: Upgrade to the latest stable patched versions, including 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9 or 15.0.5
The Unit 42 Incident Response team can be engaged to help with a compromise or to provide a proactive assessment to lower your risk.
Details of the Vulnerabilities: CVE-2025-55182 (React) and CVE-2025-66478 (Next.js)
CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) are classified as Critical (CVSS 10.0) and are caused by insecure deserialization within the RSC architecture, specifically involving the Flight protocol.
The vulnerabilities reside in the react-server package and its implementation of the RSC Flight protocol. It is a logical deserialization flaw where the server processes RSC payloads safely.
When a server receives a specially crafted, malformed HTTP payload (typically through data delivered in a POST request), it fails to correctly validate the structure of the data. Because of this insecure deserialization, the server allows attacker-controlled data to influence server-side execution logic.
This results in RCE, allowing an attacker to execute arbitrary privileged JavaScript code on the server.
Attack Vector and Exploitability
- Attack complexity: The attack complexity is low. It requires no user interaction and no privileges (unauthenticated).
- Target endpoints: The attack targets React Server Function endpoints.
- Critical nuance: Even if an application does not strictly implement or use React Server Functions, it remains vulnerable if the application supports React Server Components generally.
- Reliability: Testing has shown the exploit has near-100% reliability.
- Default configuration: The vulnerabilities are present in default configurations. For example, a standard Next.js application created with create-next-app and built for production is exploitable without any code changes by the developer.
Specific Affected Components
While generally described as affecting React and Next.js, the vulnerabilities technically exist within specific underlying packages that handle server-side rendering and module loading.
Affected Packages
The vulnerabilities are present in versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0 of the following packages:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Affected Framework Implementations
Any framework bundling these packages is affected:
- Next.js: Versions 15.x and 16.x (App Router), as well as Canary builds starting from 14.3.0-canary.77
- Other ecosystems: React Router, Waku, RedwoodSDK, Parcel and the Vite RSC plugin are all affected if they use the vulnerable React packages
Interim Guidance
Required actions: Immediate patching is the only definitive mitigation.
Engineering and security teams should upgrade to the following hardened versions immediately:
- React: Upgrade to 19.0.1, 19.1.2, or 19.2.1
- Next.js: Upgrade to the latest stable patched versions, including 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9 or 15.0.5
For the latest updates on these vulnerabilities, please see the documentation provided by each respective vendor:
Unit 42 Managed Threat Hunting Queries
The Unit 42 Managed Threat Hunting team continues to track any attempts to exploit this CVE across our customers, using Cortex XDR and the XQL queries below. Cortex XDR customers can also use these XQL queries to search for signs of exploitation.
The following hunting queries are not high-fidelity detections and should be investigated to determine whether the web server operates vulnerable React Server Components.
|
// Description: File operations targeting potentially sensitive files or indications of exploitation of CVE-2025-55182
// Caveat 1: Next.js may still be running if a custom server.js is in use, as such the filtering of ‘actor_process_command_line contains “.next”‘ restricts the results to ‘standard’ Next.js deployment and if not overly noisy we recommend running the query without it too.
// Caveat 2: Vulnerable React Server Component (RSC) endpoints may be served by a wider range of JavaScript runtimes than just NodeJS (such as Bun or Deno) and we recommend re-executing the queries targeting these runtimes if they are used in your environment.
config case_sensitive = false
| preset=xdr_file
| filter actor_process_image_name in (“node”,“node.exe”) and actor_process_command_line contains “.next” and action_file_path ~= “(?:pwned.txt|.ssh[\/]authorized_keys|.aws[\/]credentials|gcloud[\/]credentials.db|.azure[\/]accessTokens.json|2025[-_](?:55182|66478))” |
|
// Description: Identifies a Node.js process directly spawning common system reconnaissance tools to gather user, network, or process information.
// Caveat: May be prone to false positives. Investigate hits within the context of a NodeJS server running a version of React with vulnerable React Server Components
config case_sensitive = false
| preset=xdr_process
| filter actor_process_image_name in (“node”,“node.exe”) and actor_process_command_line contains “.next” and action_process_image_name in (“id”,“curl”,“curl.exe”,“wget”,“wget.exe”,“whoami”,“arp.exe”,“at.exe”,“hostname.exe”,“nbstat.exe”,“netsh.exe”,“netstat.exe”,“nslookup.exe”,“ping.exe”,“query.exe”,“systeminfo.exe”,“tasklist.exe”,“traceroute.exe”,“whoami.exe”,“whois.exe”,“quser.exe”,“qwinsta.exe”,“nltest.exe”,“csvde.exe”,“wevtutil.exe”,“driverquery.exe”,“nbtscan.exe”,“ntdsutil.exe”,“vssadmin.exe”,“dsquery.exe”,“adfind.exe”,“klist.exe”,“vssvc.exe”)
| comp count_distinct(action_process_image_name) as num_procs, values(action_process_image_command_line) as action_process_image_command_line by agent_hostname, actor_process_image_name, actor_process_command_line, action_process_image_name
| filter num_procs > 1 |
|
// Description: Identifies a specific causality chain where Node.js spawns a shell (cmd/bash/powershell), which subsequently spawns a downloader (curl/wget).
config case_sensitive = false
| preset=xdr_process
| filter causality_actor_process_image_name in (“node”,“node.exe”) and causality_actor_process_command_line contains “.next” and actor_process_image_name in (“cmd.exe”,“powershell.exe”,“sh”,“bash”,“zsh”) and action_process_image_name in (“curl”,“curl.exe”,“wget”,“wget.exe”) |
Conclusion
The critical distinction of these vulnerabilities is their nature as a deterministic logic flaw in the Flight protocol, rather than a probabilistic error. Unlike memory corruption bugs that may fail, this flaw guarantees execution, transforming it into a reliable system-wide bypass for attackers. Amplified by the massive footprint of Next.js in enterprise environments, this creates a direct conduit to sensitive internal data.
Ultimately, this incident underscores the inherent friction between performance and security in modern architecture. While React Server Components optimize data fetching and search engine optimization (SEO) by moving logic closer to the source, they simultaneously move the attack surface closer to organizations’ most sensitive and valuable data.
Palo Alto Networks customers are better protected by our products, as listed below. We will update this threat brief as more relevant information becomes available.
Palo Alto Networks Product Protections for CVE-2025-55182 and CVE-2025-66478
Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.
If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
- North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
- UK: +44.20.3743.3660
- Europe and Middle East: +31.20.299.3130
- Asia: +65.6983.8730
- Japan: +81.50.1790.0200
- Australia: +61.2.4062.7950
- India: 000 800 050 45107
Cortex XDR and XSIAM
Cortex XDR and XSIAM agents help protect against post-exploitation activities using the multi-layer protection approach.