惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
Cisco Blogs
Cyberwarzone
Cyberwarzone
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
SecWiki News
SecWiki News
Martin Fowler
Martin Fowler
T
Tor Project blog
N
Netflix TechBlog - Medium
C
Cybersecurity and Infrastructure Security Agency CISA
V
Vulnerabilities – Threatpost
V
Visual Studio Blog
GbyAI
GbyAI
PCI Perspectives
PCI Perspectives
D
DataBreaches.Net
Jina AI
Jina AI
H
Heimdal Security Blog
云风的 BLOG
云风的 BLOG
P
Privacy International News Feed
A
About on SuperTechFans
J
Java Code Geeks
美团技术团队
H
Hackread – Cybersecurity News, Data Breaches, AI and More
N
News | PayPal Newsroom
有赞技术团队
有赞技术团队
MyScale Blog
MyScale Blog
博客园 - 司徒正美
C
Check Point Blog
T
Threat Research - Cisco Blogs
Attack and Defense Labs
Attack and Defense Labs
宝玉的分享
宝玉的分享
AI
AI
Simon Willison's Weblog
Simon Willison's Weblog
C
Cyber Attacks, Cyber Crime and Cyber Security
I
Intezer
P
Proofpoint News Feed
Blog — PlanetScale
Blog — PlanetScale
Apple Machine Learning Research
Apple Machine Learning Research
Hugging Face - Blog
Hugging Face - Blog
The Last Watchdog
The Last Watchdog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Vercel News
Vercel News
I
InfoQ
阮一峰的网络日志
阮一峰的网络日志
Cisco Talos Blog
Cisco Talos Blog
W
WeLiveSecurity
Hacker News: Ask HN
Hacker News: Ask HN
Recent Commits to openclaw:main
Recent Commits to openclaw:main
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
D
Docker
博客园 - Franky
Security Archives - TechRepublic
Security Archives - TechRepublic

Aikido Security's Blog

Axios CVE-2026-40175: a critical bug that’s… not exploitable GlassWorm goes native: New Zig dropper infects every IDE on your machine Aikido Attack finds multiple 0-days in Hoppscotch The cybersecurity doomerism around Mythos doesn't match what we see on the ground axios compromised on npm: maintainer account hijacked, RAT deployed Popular telnyx package compromised on PyPI by TeamPCP Aikido × Lovable: Vibe, Fix, Ship CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran TeamPCP deploys CanisterWorm on NPM following Trivy compromise Security testing is validating software that no longer exists Aikido Recognized by Frost & Sullivan with the 2026 Customer Value Leadership Award in ASPM GlassWorm Hides a RAT Inside a Malicious Chrome Extension fast-draft Open VSX Extension Compromised by BlokTrooper Glassworm Strikes Popular React Native Phone Number Packages Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories How Security Teams Fight Back Against AI-Powered Hackers Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks Trump’s 2026 cybersecurity strategy: From compliance to consequence How does AI pentesting work with compliance? What continuous pentesting actually requires Rare Not Random: Using Token Efficiency for Secrets Scanning Persistent XSS/RCE using WebSockets in Storybook’s dev server Why Determinism Is Still a Necessity in Security WAF vs. RASP vs. ADR Introducing Aikido Infinite: A new model of self-securing software How Aikido secures AI pentesting agents by design Astro Full-Read SSRF via Host Header Injection How to Get Your Board to Care About Security (Before a Breach Forces the Issue) What is Slopsquatting? The AI Package Hallucination Attack Already Happening SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel Top 6 Wiz Code Alternatives Aikido recognized as Platform Leader in Latio Tech's 2026 Application Security Report From detection to prevention: How Zen stops IDOR vulnerabilities at runtime npm backdoor lets hackers hijack gambling outcomes Introducing Upgrade Impact Analysis: When breaking changes actually matter to your code Why Trying to Secure OpenClaw is Ridiculous Claude Opus 4.6 found 500 vulnerabilities. What does this change for software security? Introducing Aikido Expansion Packs: Safer defaults inside the IDE International AI Safety Report 2026: What It Means for Autonomous AI Systems Self-Securing Software: What It Is, Why It Matters, and How It Works npx Confusion: Packages That Forgot to Claim Their Own Name What Is Continuous Pentesting? Introducing Aikido Package Health: a Better Way to Trust Your Dependencies AI Pentesting: Minimum Safety Requirements for Security Testing Secure SDLC for Engineering Teams (+ Checklist) Fake Clawdbot VS Code Extension Installs ScreenConnect RAT G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT Top 10 AI Security Tools For 2026 Agent Skills Are Spreading Hallucinated npx Commands Understanding Open-Source License Risk in Modern Software The CISO Vibe Coding Checklist for Security Top 6 Graphite alternatives for AI code review in 2026 From “No Bullsh*t Security” to $1B: We Just Raised Our $60m Series B Critical n8n Vulnerability Allows Unauthenticated Remote Code Execution (CVE-2026-21858) Top 14 VS Code Extensions for 2026 AI-Driven Pentesting of Coolify: Seven CVEs Identified Top Continuous Pentesting Tools in 2026 SAST vs SCA: Securing the Code You Write and the Code You Depend On JavaScript, MSBuild, and the Blockchain: Anatomy of the NeoShadow npm Supply-Chain Attack How Engineering and Security Teams Can Meet DORA’s Technical Requirements IDOR Vulnerabilities Explained: Why They Persist in Modern Applications Shai Hulud strikes again - The golden path MongoBleed: MongoDB Zlib Vulnerability (CVE-2025-14847) and How to Fix It First Sophisticated Malware Discovered on Maven Central via Typosquatting Attack on Jackson The Fork Awakens: Why GitHub’s Invisible Networks Break Package Security Top 10 Cyber Security Tools For 2026 SAST in the IDE is now free: Moving SAST to where development actually happens AI Pentesting in Action: A TL;DV Recap of Our Live Demo The Top 7 Threat Intelligence Tools in 2026 React & Next.js DoS Vulnerability (CVE-2025-55184): What You Need to Fix After React2Shell OWASP Top 10 for Agentic Applications (2026): What Developers and Security Teams Need to Know DAST vs Pentesting v AI Pentesting: Why DAST Cannot Replace Modern Pentesting PromptPwnd: Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents Top 7 Cloud Security Vulnerabilities How to Comply With the UK Cybersecurity & Resilience Bill: A Practical Guide for Modern Engineering Teams Shai Hulud 2.0: What the Unknown Wonderer Tells Us About the Attackers’ Endgame SCA Everywhere: Scan and Fix Open-Source Dependencies in Your IDE Safe Chain now enforces a minimum package age before install Shai Hulud Attacks Persist Through GitHub Actions Vulnerabilities Shai Hulud Launches Second Supply-Chain Attack: Zapier, ENS, AsyncAPI, PostHog, Postman Compromised CORS Security: Beyond Basic Configuration Revolut Selects Aikido Security to Power Developer-First Software Security The Future of Pentesting Is Autonomous How Aikido and Deloitte are bringing developer-first security to enterprise Secrets Detection: A Practical Guide to Finding and Preventing Leaked Credentials Invisible Unicode Malware Strikes OpenVSX, Again AI as a Power Tool: How Windsurf and Devin Are Changing Secure Coding Building Fast, Staying Secure: Supabase’s Approach to Secure-by-Default Development OWASP Top 10 2025: Official List, Changes, and What Developers Need to Know Top 10 JavaScript Security Vulnerabilities in Modern Web Apps The Return of the Invisible Threat: Hidden PUA Unicode Hits GitHub repositorties Top 7 Black Duck Alternatives in 2026 What Is IaC Security Scanning? Terraform, Kubernetes & Cloud Misconfigurations Explained AutoTriage and the Swiss Cheese Model of Security Noise Reduction Top Software Supply Chain Security Vulnerabilities Explained The Top 7 Kubernetes Security Tools Top 10 Web Application Security Vulnerabilities Every Team Should Know What Is CSPM (and CNAPP)? Cloud Security Posture Management Explained
Critical React & Next.js RCE Vulnerability (CVE-2025-55182): What You Need to Fix Now
2025-12-03 · via Aikido Security's Blog

Key Takeaways

  • CVE-2025-55182 is a critical remote code execution vulnerability in React Server Components.
  • Next.js assigns a related identifier, CVE-2025-66478, due to its use of the same underlying Flight protocol.
  • Vulnerable versions include react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack across multiple React 19 releases.
  • Frameworks such as Next.js, React Router (RSC mode), Vite RSC plugin, Parcel RSC plugin, RedwoodSDK, and Waku bundle these vulnerable packages.
  • Aikido now tracks 10/10 CVE-2025-55182 and the related Next.js CVE-2025-66478. Connect your repos to scan for it.

TLDR: See How You Are Affected

Aikido now tracks CVE-2025-55182 and the related Next.js CVE-2025-66478. Connect your repositories to determine whether your application or its dependencies include vulnerable React Server Component implementations.

Remediation Steps

1. Upgrade React

Install a patched React version such as 19.0.1, 19.1.2, or 19.2.1. These include hardened input handling.

2. Upgrade Frameworks That Bundle RSC

Update your framework to its corresponding patched version.
Next.js users should upgrade to the latest patched release within their major version line.
Anyone on a canary version starting at 14.3.0-canary.77 should switch back to the latest stable 14.x release.

3. Update RSC-Enabled Bundlers and Plugins

Ensure you update:

  • Vite RSC plugin
  • Parcel RSC plugin
  • React Router RSC preview
  • RedwoodSDK
  • Waku

Each has released versions that include the fixed RSC implementation.

4. Validate With Aikido

After upgrading, run a scan to confirm that:

  • All vulnerable versions have been removed
  • No transitive dependencies remain affected
  • Framework and bundler integrations are fully patched

Background

CVE-2025-55182 is a critical unauthenticated remote code execution vulnerability affecting React Server Components. It also affects the broader ecosystem of frameworks that rely on the React Flight protocol. Next.js has assigned CVE-2025-66478 to track its exposure, which stems from the same underlying issue.

The vulnerability allows specially crafted requests to trigger unsafe deserialization behavior within the server-side RSC implementation, which can lead to remote code execution under certain conditions. It affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0, as well as downstream integrations that embed these packages.

Deep Dive

Nature of the Vulnerability

The issue stems from unsafe handling of serialized payloads in the React Flight protocol. Malformed or adversarial payloads can influence server-side execution in unintended ways. Patched React versions include stricter validation and hardened deserialization behavior.

Why You May Be Affected Even Without Using Server Functions

Frameworks commonly embed the RSC implementation by default. An application can therefore be exposed even if it does not explicitly define Server Functions. The integration layer itself can invoke the vulnerable code path.

Affected Versions

React versions 19.0, 19.1.0, 19.1.1, and 19.2.0 are vulnerable.
Next.js versions beginning at 14.3.0-canary.77, as well as all 15.x and 16.x releases prior to their patched versions, are affected due to their use of the RSC implementation.

Hosting Environment Notes

Vercel has implemented request-layer protections to reduce exposure while users upgrade, but these do not remediate the vulnerability. All users should update to patched versions as soon as possible.

Severity

CVE Score: 10.0 Critical
Impact: Remote code execution
Attack Vector: Remote and unauthenticated

Timeline

November 29: Vulnerability reported
November 30: Confirmation and fix development
December 1: Coordination with framework maintainers and hosting providers
December 3: Public patches released and CVE disclosed

Proof of Concept (Credit to @maple3142)

The following proof-of-concept video, originally published by @maple3142 on X, demonstrates how specially crafted multipart requests can exploit unsafe desreialization in affected React and Next.js versions. All credit to the original author.

Watch the full proof-of-concept video here.

The researcher demonstrated that by manipulating RSC’s deserialization logic, an attacker can control the Chunk.prototype.then resolution pathway, leading to execution of attacker-controlled logic during Blob deserialization. Full technical details are available in the original POC published on GitHub Gist by @maple3142.

Scan Your Codebase Now

Aikido tracks CVE-2025-55182 and CVE-2025-66478 across all supported ecosystems. Connect your repositories to perform a full scan and quickly assess your exposure. Start for free with Aikido here.

References

React Team. CVE-2025-55182 Disclosure
Vercel Security Notice on CVE-2025-55182 and CVE-2025-66478