TL;DR:
CVE-2025-55182 is a critical unauthenticated RCE vulnerabilities in the React Server Components (RSC) "Flight" protocol.
Default configurations are vulnerable – a standard Next.js app created with create-next-app and built for production can be exploited with no code changes by the developer.
Exploitation requires only a crafted HTTP request. We've constructed a fully working RCE proof-of-concept that we're withholding for now, but our testing has shown near-100% reliability. UPDATE: Public RCE exploits are now available.
UPDATE: Exploitation has now been observed in the wild by Wiz Research, Amazon Threat Intelligence, Datadog and others.
UPDATE: Wiz Research has observed a post-exploitation pivot toward cloud credential harvesting and cryptocurrency mining
The flaw stems from insecure deserialization in the RSC payload handling logic, allowing attacker-controlled data to influence server-side execution.
Immediate patching is required. Hardened releases for React and Next.js are available.
Wiz Research data shows 39% of cloud environments contain vulnerable instances.
A critical vulnerability has been identified in the React Server Components (RSC) "Flight" protocol, affecting the React 19 ecosystem and frameworks that implement it, most notably Next.js. Assigned CVE-2025-55182, this flaw allows for unauthenticated remote code execution (RCE) on the server due to insecure deserialization. The vulnerability exists in the default configuration of affected applications, meaning standard deployments are immediately at risk. Due to the high severity and the ease of exploitation, immediate patching is required.
To maintain ecosystem safety while patches are applied, we are currently withholding specific details; the details provided here are intended solely to assist defenders in prioritizing remediation and understanding the risk. For for full technical analysis of the exploit see our deep-dive blogpost.
UPDATE: CVE-2025-66478 has been rejected as a duplicate of CVE-2025-55182. This makes sense, as they both have the same root cause. However, this does not mean that detections of CVE-2025-66478 are false positives; the rejection simply means that CVE-2025-55182 covers both cases.
CVE-2025-55182 is a critical unauthenticated remote code execution (RCE) vulnerability in the react-server package used by React Server Components (RSC).
CVE-2025-66478 is the corresponding RCE vulnerability in Next.js, which inherits the same underlying flaw through its implementation of the RSC "Flight" protocol.
The vulnerability fundamentally resides in the react-server package and its handling of the RSC "Flight" protocol. It is characterized as a logical deserialization vulnerability where the server processes RSC payloads in an unsafe manner. When a server receives a specially crafted, malformed payload, it fails to validate the structure correctly. This allows attacker-controlled data to influence server-side execution logic, resulting in the execution of privileged JavaScript code.
In our experimentation, exploitation of this vulnerability had high fidelity, with a near 100% success rate and can be leveraged to a full remote code execution. The attack vector is unauthenticated and remote, requiring only a specially crafted HTTP request to the target server. It affects the default configuration of popular frameworks.
Wiz data indicates that 39% of cloud environments contain instances of Next.js or React in versions vulnerable to CVE-2025-55182. Regarding Next.js, the framework itself is present in 69% of environments. Notably, 61% of those environments have public applications running Next.js, meaning that 44% of all cloud environments have publicly exposed Next.js instances (regardless of the version running).
Wiz is tracking rapidly expanding exploitation of CVE-2025-55182 since the full proof of concept exploit became public. Our sensors have identified multiple victims compromised starting December 5 at 6:00 AM UTC, primarily targeting internet-facing Next.js applications and Kubernetes containers. We are continuing to hunt for post-exploitation activity and expect this exploit to be employed by both targeted and opportunistic campaigns. Our visibility confirms the public reporting from GreyNoise and others of significant adoption of this vulnerability. For full analysis of post-exploitation activity and IOC list see our deep-dive blogpost.
Wiz observed attackers establish shells to harvest credentials from environment variables, filesystems, and cloud instance metadata. In one compromised environment, Wiz identified an actor attempting to identify AWS credentials and Base64 encode them, likely in preparation for exfiltration.
At a separate cloud environment, exploitation was followed by a shell script that attempted to install the sliver malware framework.
Wiz has identified multiple cryptomining campaigns that have each affected multiple customers. At this time, we are aware of at least six incidents and expect that to grow.
One campaign dropped a UPX packed version of the cryptominer XMRig. The earliest we have discovered occurred at 6:00 AM UTC on December 5th
A second cryptominer campaign has downloaded the standard XMRig set up from Github, specifying their specific mining pool.
Public reporting by GreyNoise has identified 95 IP addresses performing what they assess to be “opportunistic, largely automated exploitation attempts” beginning at 04:00 UTC on December 5th.
AWS reported that they identified multiple China-nexus groups experimenting with early public attempts at exploit code on December 4th, prior to the full PoC being released. Given this interest and past Chinese tactics, we expect a wide range of China-nexus actors to use this exploit in targeted intrusions.
| Vulnerable product | Patched release |
|---|---|
| react-server-dom* (19.0.x, 19.1.x, 19.2.x) | 19.0.1, 19.1.2, and 19.2.1 |
| Next.js with App Router (14.3.0-canary.77 and later canary releases, 15.x, 16.x) | 14.x stable, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 |
Any framework or library bundling the react-server implementation is likely affected. This includes, but is not limited to:
Next.js
Vite RSC plugin
Parcel RSC plugin
React Router RSC preview
RedwoodSDK
Waku
Google has stated that public OS images provided by Google Cloud for Compute Engine are not affected by default.
1. Upgrade React and dependencies to the hardened versions (see above). This is the only definitive mitigation.
2. if you are using other RSC-enabled frameworks (Redwood, Waku, etc.), check their official channels for updates regarding the bundled react-server version and update immediately.
Use pre-built queries found in the advisory to detect vulnerable instances and evidence of malicious activity.
ASM Validation: Wiz added exploitability validation through Wiz Attack Surface Management to confirm which services are actually exploitable, based on Wiz's exploit as well as public ones.
Identify publicly exposed vulnerable VMs, Serverless functions, or Containers.
Correlate agentless vulnerability detections with technology detections validated by the ASM Scanner.
Vulnerability Findings: Filter to find all instances of the vulnerability or focus specifically on "critical issues."
SBOM Analysis: Use SBOM queries to inventory Next.js and RSC instances across the environment.
Wiz-CLI: Use the Command Line Interface to scan container images for these vulnerabilities before they are deployed.
Filter for findings with one-click remediation to automatically generate a Pull Request (PR) with fixes.
Create Code or CI/CD policies to block the vulnerability from being deployed or merged into repositories.
Wiz Sensor: Detect anomalous behavior or post-exploitation activities using both specially crafted rules and generic ones.
Monitor for DNS queries indicating out-of-band application security testing (OAST) attempts (e.g., queries to *.oast[.]live or *.oastify[.]com).
Anomalous DNS queries originating from containers running Next.js.
Detections triggered by processes spawned by Next.js.
Investigate events related to specific IP addresses associated with known malicious activity (noting potential for false positives).
Worried you're being targeted through CVE-2025-55182 or CVE-2025-66478? Connect with the Wiz Incident Response team for assistance.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。