Author: admin

Executive Summary

On Dec. 3, 2025, researchers publicly disclosed critical remote code execution (RCE) vulnerabilities in the Flight protocol used by React Server Components (RSC). These vulnerabilities are tracked as CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), which have been assigned a maximum severity rating of CVSS 10.0.

The flaw allows unauthenticated attackers to execute arbitrary code on the server via insecure deserialization of malicious HTTP requests. Testing indicates the exploit has near-100% reliability and requires no code changes to be effective against default configurations. There have been no reports of exploitation in the wild as of Dec. 3, 2025.

React is heavily implemented in enterprise environments, used by roughly 40% of all developers, while Next.js is used by approximately 18%-20%. This makes it the leading server-side framework for the React ecosystem.

Palo Alto Networks Cortex Xpanse has identified the presence of over 968,000 React and Next.js instances in our telemetry.

These vulnerabilities impact the React 19 ecosystem and frameworks that implement it. Specifically, they affect the following versions:

• React: Versions 19.0, 19.1, and 19.2
• Next.js: Versions 15.x and 16.x (App Router), as well as Canary builds starting from 14.3.0
• Other frameworks: Any library bundling the react-server implementation, including React Router, Waku, RedwoodSDK, Parcel and Vite RSC plugins

Palo Alto Networks customers receive protections from and mitigations for CVE-2025-55182 and CVE-2025-66478 in the following ways:

• Cortex XDR and XSIAM agents help protect against post-exploitation activities using the multi-layer protection approach.

Palo Alto Networks also recommends upgrading to the following hardened versions immediately:

• React: Upgrade to 19.0.1, 19.1.2, or 19.2.1
• Next.js: Upgrade to the latest stable patched versions, including 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9 or 15.0.5

The Unit 42 Incident Response team can be engaged to help with a compromise or to provide a proactive assessment to lower your risk.

Details of the Vulnerabilities: CVE-2025-55182 (React) and CVE-2025-66478 (Next.js)

CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) are classified as Critical (CVSS 10.0) and are caused by insecure deserialization within the RSC architecture, specifically involving the Flight protocol.

The vulnerabilities reside in the react-server package and its implementation of the RSC Flight protocol. It is a logical deserialization flaw where the server processes RSC payloads safely.

When a server receives a specially crafted, malformed HTTP payload (typically through data delivered in a POST request), it fails to correctly validate the structure of the data. Because of this insecure deserialization, the server allows attacker-controlled data to influence server-side execution logic.

This results in RCE, allowing an attacker to execute arbitrary privileged JavaScript code on the server.

Attack Vector and Exploitability

• Attack complexity: The attack complexity is low. It requires no user interaction and no privileges (unauthenticated).
• Target endpoints: The attack targets React Server Function endpoints.
  • Critical nuance: Even if an application does not strictly implement or use React Server Functions, it remains vulnerable if the application supports React Server Components generally.
• Reliability: Testing has shown the exploit has near-100% reliability.
• Default configuration: The vulnerabilities are present in default configurations. For example, a standard Next.js application created with create-next-app and built for production is exploitable without any code changes by the developer.

Specific Affected Components

While generally described as affecting React and Next.js, the vulnerabilities technically exist within specific underlying packages that handle server-side rendering and module loading.

Affected Packages

The vulnerabilities are present in versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0 of the following packages:

• react-server-dom-webpack
• react-server-dom-parcel
• react-server-dom-turbopack

Affected Framework Implementations

Any framework bundling these packages is affected:

• Next.js: Versions 15.x and 16.x (App Router), as well as Canary builds starting from 14.3.0-canary.77
• Other ecosystems: React Router, Waku, RedwoodSDK, Parcel and the Vite RSC plugin are all affected if they use the vulnerable React packages

Interim Guidance

Required actions: Immediate patching is the only definitive mitigation.

Engineering and security teams should upgrade to the following hardened versions immediately:

• React: Upgrade to 19.0.1, 19.1.2, or 19.2.1
• Next.js: Upgrade to the latest stable patched versions, including 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9 or 15.0.5

For the latest updates on these vulnerabilities, please see the documentation provided by each respective vendor:

Unit 42 Managed Threat Hunting Queries

The Unit 42 Managed Threat Hunting team continues to track any attempts to exploit this CVE across our customers, using Cortex XDR and the XQL queries below. Cortex XDR customers can also use these XQL queries to search for signs of exploitation.

The following hunting queries are not high-fidelity detections and should be investigated to determine whether the web server operates vulnerable React Server Components.

Conclusion

The critical distinction of these vulnerabilities is their nature as a deterministic logic flaw in the Flight protocol, rather than a probabilistic error. Unlike memory corruption bugs that may fail, this flaw guarantees execution, transforming it into a reliable system-wide bypass for attackers. Amplified by the massive footprint of Next.js in enterprise environments, this creates a direct conduit to sensitive internal data.

Ultimately, this incident underscores the inherent friction between performance and security in modern architecture. While React Server Components optimize data fetching and search engine optimization (SEO) by moving logic closer to the source, they simultaneously move the attack surface closer to organizations’ most sensitive and valuable data.

Palo Alto Networks customers are better protected by our products, as listed below. We will update this threat brief as more relevant information becomes available.

Palo Alto Networks Product Protections for CVE-2025-55182 and CVE-2025-66478

Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.

If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

• North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
• UK: +44.20.3743.3660
• Europe and Middle East: +31.20.299.3130
• Asia: +65.6983.8730
• Japan: +81.50.1790.0200
• Australia: +61.2.4062.7950
• India: 000 800 050 45107

Cortex XDR and XSIAM

Cortex XDR and XSIAM agents help protect against post-exploitation activities using the multi-layer protection approach.