
Critical React Server Components Flaws Expose Next.js App Router Deployments

Tags: internet-facing-service-vulnerability, widely-deployed-product-advisory, open-source-dependency-vulnerability, patch-regression, proof-of-concept-release
Updated March 31, 2026 at 09:45 PM · 7 sources

Next.js disclosed a critical remote code execution vulnerability affecting applications that use the App Router, tracing the issue to the upstream React Server Components protocol as CVE-2025-55182 and the downstream Next.js impact as CVE-2025-66478. The flaw carries a CVSS 10.0 rating and can be triggered by attacker-controlled requests in unpatched environments, with maintainers warning that no workaround exists. Affected releases include multiple 15.x and 16.x branches and 14.3.0-canary.77 and later canary builds, while 13.x, stable 14.x, Pages Router applications, and the Edge Runtime were reported as unaffected. Next.js issued patched releases, published the fix-react2shell-next npm remediation tool, and advised organizations whose applications were online and unpatched at the disclosed cutoff to rotate secrets after patching.

The company later reported two additional upstream React Server Components issues with downstream impact on Next.js App Router deployments: CVE-2025-55184, a high-severity denial-of-service flaw that can hang the server process through a crafted HTTP request, and CVE-2025-55183, a medium-severity source code exposure bug that can cause a Server Function to return compiled source code from other Server Functions. Next.js said neither new issue enables remote code execution and that the earlier React2Shell mitigation remains effective, but it also acknowledged that the initial fix for CVE-2025-55184 was incomplete and was superseded by CVE-2025-67779, forcing some users to upgrade again. The affected range spans App Router deployments from 13.3 across several 14.x, 15.x, and 16.x release lines, and the vendor again said Pages Router applications are not affected and urged immediate upgrades to the latest patched versions.

Timeline

  1. Dec 11, 2025

    Next.js says initial DoS fix was incomplete and issues follow-up fix

    Next.js reported that the initial fix for CVE-2025-55184 was incomplete and that a complete fix was later released as CVE-2025-67779, requiring some users to upgrade again. The company also said the earlier React2Shell patch remained effective and that no workaround was available.

  2. Dec 11, 2025

    Next.js discloses two additional App Router vulnerabilities

    On December 11, Next.js disclosed downstream impact from two newly identified upstream React Server Components flaws: CVE-2025-55184, a high-severity denial-of-service issue, and CVE-2025-55183, a medium-severity source code exposure issue. Pages Router applications were stated to be unaffected.

  3. Dec 10, 2025

    Trend Micro reports widespread React2Shell exploitation and named campaigns

    Trend Micro said CVE-2025-55182 was being exploited in the wild and that it had observed nearly 145 proof-of-concept exploits. The company identified campaigns including emerald and nuts delivering payloads such as Cobalt Strike via Cross C2, Nezha, FRP, Sliver, and Secret-Hunter, and published additional exploit-chain details.

  4. Dec 5, 2025

    Microsoft reports hundreds of React2Shell compromises across organizations

    Microsoft said it observed exploitation of CVE-2025-55182 as early as December 5, 2025, with several hundred compromised machines across diverse organizations. The company described post-exploitation activity including Cobalt Strike, MeshAgent persistence, Cloudflare Tunnel abuse, credential theft, and malware such as VShell, EtherRAT, SNOWLIGHT, ShadowPAD, and XMRig.

  5. Dec 5, 2025

    Sysdig reports EtherRAT implant in React2Shell compromise

    Sysdig said it recovered a novel Linux implant named EtherRAT on December 5 from a compromised Next.js application exploited via CVE-2025-55182. The report described a multi-stage attack chain using Ethereum smart contracts for C2 resolution and assessed tradecraft overlap with DPRK-linked Contagious Interview activity, though attribution remained unconfirmed.

  6. Dec 4, 2025

    Next.js sets secret-rotation guidance for exposed unpatched apps

    Next.js advised that applications which were online and unpatched as of 2025-12-04 at 1:00 PM PT should rotate secrets after patching, reflecting potential exposure from the RCE issue.

  7. Dec 3, 2025

    Vercel deploys WAF protections and blocks vulnerable Next.js deployments

    In response to CVE-2025-55184 and CVE-2025-55183, Vercel said it deployed protective WAF rules for hosted projects and prevented new deployments of vulnerable Next.js versions. The company stressed these measures were only interim mitigations and that users still needed to upgrade to patched releases.

  8. Dec 3, 2025

    Next.js releases patches and remediation tool for CVE-2025-66478

    Patched releases were issued across multiple 15.x and 16.x branches, along with canary builds, and Next.js also released the npm remediation tool fix-react2shell-next to help users identify and upgrade affected installations.

  9. Dec 3, 2025

    Next.js publishes advisory for critical App Router RCE vulnerability

    Next.js disclosed CVE-2025-66478, a critical CVSS 10.0 remote code execution flaw affecting App Router applications in vulnerable 14.3.0-canary, 15.x, and 16.x release lines. The company said there was no workaround and urged immediate upgrades.

  10. Dec 3, 2025

    Researcher responsibly discloses React Server Components RCE issue

    Next.js credited Lachlan Davidson with responsibly disclosing a critical React Server Components protocol vulnerability that was tracked upstream as CVE-2025-55182 and downstream for Next.js as CVE-2025-66478.


Related Stories

Critical Unauthenticated RCE Vulnerabilities in React Server Components and Next.js

A critical unauthenticated remote code execution (RCE) vulnerability, tracked as CVE-2025-55182, has been discovered in React Server Components, affecting core React packages (`react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack`) in versions 19.0, 19.1.0, 19.1.1, and 19.2.0. The flaw arises from unsafe deserialization of payloads sent to React Server Function endpoints, allowing attackers to execute arbitrary code on the server without authentication. This vulnerability also impacts frameworks and bundlers that integrate React Server Components, including Next.js (assigned CVE-2025-66478), Vite, Parcel, React Router, RedwoodSDK, and Waku. Even default configurations and newly generated Next.js applications are vulnerable, and exploitation requires only a crafted HTTP request, with no developer error or special setup needed. Immediate patching is strongly advised, as the vulnerability is rated CVSS 10.0 (critical) and has been shown to be highly reliable in exploitation tests. Patched versions are available for React (19.0.1, 19.1.2, 19.2.1) and Next.js (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7), and users are urged to upgrade all affected packages and dependencies. Some hosting providers, such as Vercel, have implemented temporary platform-level mitigations, but these are not a substitute for patching. Security researchers estimate that up to 39% of cloud environments may contain vulnerable instances, underscoring the urgency of remediation across the React and Next.js ecosystem.

1 month ago
Critical React Server Components RCE Hits Next.js and Related Ecosystem

A critical remote code execution vulnerability in React Server Components-related packages is affecting widely used parts of the React ecosystem, including deployments tied to **Next.js**, **React Router**, **Expo**, **Redwood SDK**, **Waku**, and `@vitejs/plugin-rsc`. The flaw allows an unauthenticated attacker to execute arbitrary code on a vulnerable system through an HTTP request. Affected versions include `19.0`, `19.1.0`, `19.1.1`, and `19.2.0` of `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack`, while patched releases are `19.0.1`, `19.1.2`, and `19.2.1`. Authorities warned that exploitation is already active in Finland and that public exploit methods are available, increasing the likelihood of rapid opportunistic attacks against exposed applications. Officials said attackers may use the vulnerability not only for visible abuse such as cryptomining but also to establish persistent access, and urged organizations to patch immediately and assess internet-exposed systems for signs of compromise.

1 week ago
Denial-of-Service and Source Code Exposure Vulnerabilities in React Server Components

Security researchers have identified three new vulnerabilities in React Server Components (RSC) following the recent patch for the critical React2Shell exploit. These flaws include two high-severity Denial-of-Service (DoS) vulnerabilities (CVE-2025-55184 and CVE-2025-67779) and a medium-severity Source Code Exposure vulnerability (CVE-2025-55183). The DoS vulnerabilities allow attackers to send malicious HTTP requests to Server Function endpoints, triggering infinite loops that hang the server and exhaust CPU resources, effectively taking applications offline. The source code exposure flaw enables attackers to craft HTTP requests that can leak the source code of server functions, potentially exposing hardcoded secrets or sensitive logic, though runtime secrets remain protected. The affected packages are `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack`, impacting React versions 19.0.0 through 19.2.2 and frameworks such as Next.js, Waku, and React Router. Initial patches released for these vulnerabilities were incomplete, necessitating immediate upgrades to versions 19.0.3, 19.1.4, and 19.2.3 to ensure full protection. The vulnerabilities were discovered by security researchers during attempts to bypass previous mitigations, highlighting the importance of rapid patch adoption and ongoing scrutiny of critical code paths after major disclosures. Users are strongly advised to update affected packages and monitor official channels for further security updates.

1 month ago
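The version thresholds quoted in the two stories above (React Server Components RCE fixes in 19.0.1/19.1.2/19.2.1, complete DoS and source-exposure fixes in 19.0.3/19.1.4/19.2.3, and the listed Next.js patch releases) turned into a lockfile triage script. This is an added example, not code from the advisories or from the React/Next.js projects, and the sample lockfile is constructed; release lines the page does not quote (stable 14.x, the 14.3.0 canaries) come back as "unknown" for manual review rather than being assumed safe.

```javascript
// Minimum fixed version per release line, keyed by "major.minor". Only the
// versions quoted on this page are encoded; anything else reports "unknown".
const RSC_FIXED = { "19.0": "19.0.3", "19.1": "19.1.4", "19.2": "19.2.3" };
const MIN_FIXED = {
  "react-server-dom-webpack": RSC_FIXED,
  "react-server-dom-parcel": RSC_FIXED,
  "react-server-dom-turbopack": RSC_FIXED,
  // Next.js thresholds are the RCE (CVE-2025-66478) patch releases; the later
  // DoS/source-exposure advisories need newer builds, so "patched" here means
  // only that the RCE fix is present.
  next: { "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
          "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7" },
};

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// Numeric compare on major.minor.patch; a prerelease such as 15.5.7-canary.3
// sorts below 15.5.7, which is what matters for "is the fix present".
function compareSemver(a, b) {
  for (const k of ["major", "minor", "patch"]) if (a[k] !== b[k]) return a[k] - b[k];
  if (a.pre === b.pre) return 0;
  return a.pre === null ? 1 : b.pre === null ? -1 : a.pre < b.pre ? -1 : 1;
}

// Returns "patched" | "vulnerable" | "unknown" (package or line not in the table).
function classify(pkg, version) {
  const lines = Object.hasOwn(MIN_FIXED, pkg) ? MIN_FIXED[pkg] : null;
  const v = parseSemver(version);
  const fixed = lines && v ? lines[`${v.major}.${v.minor}`] : null;
  if (!fixed) return "unknown";
  return compareSemver(v, parseSemver(fixed)) >= 0 ? "patched" : "vulnerable";
}

// Walk a package-lock.json (lockfileVersion 2/3) "packages" map. Nested copies
// under node_modules/<a>/node_modules/<b> are reported too, since a patched
// top-level copy does not fix a stale duplicate pulled in by a dependency.
function auditLock(lock) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (Object.hasOwn(MIN_FIXED, name) && meta.version)
      out.push({ path, name, version: meta.version, status: classify(name, meta.version) });
  }
  return out;
}

// Constructed sample lockfile fragment (not from any real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/next": { version: "15.5.6" },
  "node_modules/react-server-dom-webpack": { version: "19.2.1" },
  "node_modules/some-lib/node_modules/react-server-dom-turbopack": { version: "19.2.3" },
} };
console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```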