






















Aikido now tracks CVE-2025-55182 and the related Next.js CVE-2025-66478. Connect your repositories to determine whether your application or its dependencies include vulnerable React Server Component implementations.
Install a patched React version such as 19.0.1, 19.1.2, or 19.2.1. These include hardened input handling.
Update your framework to its corresponding patched version.
Next.js users should upgrade to the latest patched release within their major version line.
Anyone on a canary version starting at 14.3.0-canary.77 should switch back to the latest stable 14.x release.
Ensure you update:
Each has released versions that include the fixed RSC implementation.
After upgrading, run a scan to confirm that:
CVE-2025-55182 is a critical unauthenticated remote code execution vulnerability affecting React Server Components. It also affects the broader ecosystem of frameworks that rely on the React Flight protocol. Next.js has assigned CVE-2025-66478 to track its exposure, which stems from the same underlying issue.
The vulnerability allows specially crafted requests to trigger unsafe deserialization behavior within the server-side RSC implementation, which can lead to remote code execution under certain conditions. It affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0, as well as downstream integrations that embed these packages.
The issue stems from unsafe handling of serialized payloads in the React Flight protocol. Malformed or adversarial payloads can influence server-side execution in unintended ways. Patched React versions include stricter validation and hardened deserialization behavior.
Frameworks commonly embed the RSC implementation by default. An application can therefore be exposed even if it does not explicitly define Server Functions. The integration layer itself can invoke the vulnerable code path.
React versions 19.0, 19.1.0, 19.1.1, and 19.2.0 are vulnerable.
Next.js versions beginning at 14.3.0-canary.77, as well as all 15.x and 16.x releases prior to their patched versions, are affected due to their use of the RSC implementation.
Vercel has implemented request-layer protections to reduce exposure while users upgrade, but these do not remediate the vulnerability. All users should update to patched versions as soon as possible.
CVE Score: 10.0 Critical
Impact: Remote code execution
Attack Vector: Remote and unauthenticated
November 29: Vulnerability reported
November 30: Confirmation and fix development
December 1: Coordination with framework maintainers and hosting providers
December 3: Public patches released and CVE disclosed
The following proof-of-concept video, originally published by @maple3142 on X, demonstrates how specially crafted multipart requests can exploit unsafe desreialization in affected React and Next.js versions. All credit to the original author.
Watch the full proof-of-concept video here.
The researcher demonstrated that by manipulating RSC’s deserialization logic, an attacker can control the Chunk.prototype.then resolution pathway, leading to execution of attacker-controlled logic during Blob deserialization. Full technical details are available in the original POC published on GitHub Gist by @maple3142.
Aikido tracks CVE-2025-55182 and CVE-2025-66478 across all supported ecosystems. Connect your repositories to perform a full scan and quickly assess your exposure. Start for free with Aikido here.
React Team. CVE-2025-55182 Disclosure
Vercel Security Notice on CVE-2025-55182 and CVE-2025-66478
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。