Critical Vulnerability in React and Next.js (CVE-2025-55182, CVE-2025-66478)

Executive Summary

On December 3rd, the React project, maintainer of the open-source React web library, disclosed a critical vulnerability in the React Server Components (RSC) “Flight” protocol that affects the React 19 ecosystem and the frameworks built on it, most notably Next.js. CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) identify an insecure deserialization bug that can result in unauthenticated remote code execution (RCE) on the web server running Node.js. The bug, found and reported by a security researcher, is present in default configurations of the affected software, so a standard deployment is at risk without any custom hardening or configuration changes. The vulnerability has been confirmed by independent researchers and is believed to be weaponizable at this time, although we have no evidence of exploitation in the wild. Because React and Next.js are widely used across the internet, this vulnerability requires immediate action.

Due to the high severity, apparent ease of exploitation, and prevalence of the affected software, Beazley Security recommends organizations prioritize immediate patching.

Affected Systems and Products

Products | Affected | Patched Releases
React | 19.0, 19.1, 19.2 | 19.0.1, 19.1.2, and 19.2.1
Next.js | 14.3.0-canary, 15.x, and 16.x (App Router) | 14.3.0-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7

Patches

Wiz reports that hardened releases are available for both React and Next.js and that upgrading to the patched versions is the only definitive mitigation for CVE-2025-55182 and CVE-2025-66478. To remediate, update React 19.0, 19.1, or 19.2 to 19.0.1, 19.1.2, or 19.2.1 respectively, and update Next.js (App Router) to the patched release in your version line: 14.3.0-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7. More information can be found in the React advisory.
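As an added example, not code from the advisory or from the React/Next.js projects, the script below reads the installed React and Next.js versions from an npm lockfile and judges each against the patched release in its own version line, using the release lists above. The lockfile is a constructed sample and the semver comparison is a minimal hand-written one rather than the npm semver package.

```javascript
// Added example, not from the advisory or the React/Next.js projects: flag installed
// React / Next.js versions below the patched release of their MAJOR.MINOR line.
const PATCHED = {
  react: ['19.0.1', '19.1.2', '19.2.1'],
  next: ['14.3.0-canary.88', '15.0.5', '15.1.9', '15.2.6',
         '15.3.6', '15.4.8', '15.5.7', '16.0.7'],
};
// Parse "MAJOR.MINOR.PATCH[-prerelease]" (leading "v" tolerated); null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  return m && { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : [] };
}
// Semver ordering: numeric fields first, then prerelease identifiers; a plain
// release outranks any prerelease (e.g. canary) build of the same number.
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) if (a[k] !== b[k]) return a[k] - b[k];
  if (!a.pre.length || !b.pre.length) return b.pre.length - a.pre.length;
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) { if (+x !== +y) return +x - +y; }
    else if (nx !== ny) return nx ? -1 : 1;  // numeric ids sort below alphanumeric
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}
// Verdict: 'patched' | 'vulnerable' | 'not-listed' (version line absent from the
// advisory table, e.g. a Next.js 14.2.x line) | 'unknown' (unparseable string).
function assess(pkg, installed) {
  const v = parseVersion(installed);
  if (!v || !PATCHED[pkg]) return 'unknown';
  const fix = PATCHED[pkg].map(parseVersion)
    .find(p => p.major === v.major && p.minor === v.minor);
  if (!fix) return 'not-listed';
  return compareVersions(v, fix) < 0 ? 'vulnerable' : 'patched';
}
// Walk an npm lockfile (lockfileVersion 2/3 "packages" map) and report both packages.
function assessLockfile(lock) {
  const out = {};
  for (const pkg of Object.keys(PATCHED)) {
    const entry = (lock.packages || {})[`node_modules/${pkg}`];
    if (entry && entry.version) out[pkg] = { version: entry.version, status: assess(pkg, entry.version) };
  }
  return out;
}
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {  // constructed sample, not a real project
  'node_modules/react': { version: '19.1.1' }, 'node_modules/next': { version: '15.4.8' } } };
console.log(assessLockfile(SAMPLE_LOCK));  // react: vulnerable, next: patched
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of that project's package-lock.json.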

Technical Details

The core vulnerability (CVE-2025-55182) lies in the React Server Components (RSC) “Flight” protocol. RSCs are notable in that, unlike most web front-end code, which runs in the client’s browser, they execute on the web server. That places the vulnerable code on an organization’s network edge, where threat actors can abuse it to gain initial access.

Neither the discovering researcher nor the React organization has published in-depth technical details. However, the “Flight” protocol is a network serialization format, and the vulnerability was reported to be a deserialization bug. Serialization and deserialization are the mechanism by which two remote software systems exchange data objects over a network: the sender encodes an in-memory object into a stream of bytes (serialization), and the receiver reverses the process to rebuild the object (deserialization). If the receiving side does not do this securely, untrusted data can reach code execution paths directly. Third-party cybersecurity company Wiz reported that it successfully exploited the bug in its testing but has not released technical details or proof-of-concept code.

How Beazley Security is Responding

Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.

We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.

Sources
