Millions of servers vulnerable to RCE in React Components

React and Next.js found vulnerable to remote code execution (CVE-2025-55182 and CVE-2025-66478)

Overview

A critical vulnerability in React and Next.js allows attackers to execute code on vulnerable servers without any authentication, potentially exposing millions of applications to immediate risk.

React is one of the most popular JavaScript libraries for building user interfaces, created by Facebook (Meta), with over 1.97 billion total downloads.

Discovered today (Wednesday), this vulnerability affects the React and Next.js ecosystems, which power over 10 million active websites globally, including major platforms built with React such as Instagram, Netflix and Airbnb that serve billions of users daily. 


With React downloaded over 20 million times weekly, new vulnerable applications are being deployed continuously. The potential exposure is massive – spanning e-commerce platforms, financial services, healthcare applications, and enterprise systems worldwide.

What we know

React (CVE-2025-55182) and Next.js (CVE-2025-66478) contain a critical RCE (Remote Code Execution) vulnerability that enables an attacker to execute arbitrary, privileged JavaScript code on the vulnerable server. The core issue is the React vulnerability; the Next.js CVE exists only because Next.js bundles a vulnerable version of React.

The attack doesn’t require any kind of authentication from the attacker or a valid running session for the RCE to work.

Who is affected

Any server running an unpatched version of React or Next.js, or any package that bundles a vulnerable React component.

Using Shodan, we found over 571,249 public servers using React components and 444,043 using Next.js. While we don’t know the version running on each of those servers, it is safe to assume that even if only a small fraction of them fall within the vulnerable version range, the impact is large and should be addressed immediately.

Potential damage

Since this issue affects any internet-facing server running React or Next.js, which are highly popular JavaScript-based packages, attackers can now scan for and directly exploit those servers. This could potentially harm millions of servers around the world, causing information leakage, secret extraction and more.

Affected Packages

Package name    Affected versions
React           19.0, 19.1, 19.2
Next.js         14.3.0-canary, 15.x, and 16.x (App Router)

Package name    Patched versions
React           19.0.1, 19.1.2, and 19.2.1
Next.js         14.3.0-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7

Recommended Actions

Immediate Actions:

  1. Check your React and Next.js versions; if they are on the list of vulnerable versions, update them immediately.
  2. Do this first for business-critical applications, especially those that are internet-facing and hold valuable data such as company secrets and user information.

OX Product:

On the main OX Dashboard page, the upper banner provides quick access to the SBOM page, filtered to the libraries and versions (if any) relevant to the recently reported incident.


Technical Analysis

React analysis

React Server Components (RSC) is a feature of React that allows components to run on the server instead of on the client (browser). This improves performance by doing the heavy lifting on the server rather than on the client.

The way it works is that server components are rendered on the server and sent serialized to the client.

RSC relies on a protocol called React Flight for data serialization and communication between server and client.

React Flight is the underlying protocol that handles the serialization, deserialization and streaming of data in RSC.

There are two important flows we will touch before diving into the vulnerability:

  • Server-to-Client (Standard Flow): The server serializes RSC data into small data packets and streams them to the client. The client deserializes and renders it, which enables fast loads without shipping a lot of JavaScript code to the browser.
  • Client-to-Server (Reply Flow): For interactivity, the client can also serialize data back to the server, and the server deserializes it to process the request.

A pre-authentication remote code execution vulnerability exists in React Server Components due to unsafe deserialization of React Flight reply payloads on the server. This affects the following packages:

  • react-server-dom-parcel
  • react-server-dom-turbopack
  • react-server-dom-webpack

The vulnerability occurs in the Client → Server (Reply Flow), where the server deserializes Flight-encoded data sent to Server Function (Server Actions) endpoints. The deserialization logic previously resolved module exports using dynamically supplied metadata without validating property ownership.

The vulnerability allowed attackers to interfere with server-side module and function resolution. When exploitable, this could lead to unauthenticated remote code execution on the server.

The patch introduces strict ownership verification using hasOwnProperty, validates module references, and adds defensive stream termination logic to prevent continued processing of corrupted or malicious payloads.
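The ownership check described above, as an added illustration rather than React's own code: a simplified export resolver of the kind the reply flow needs, first as a plain property read on the exports object (the unsafe pattern the advisory describes) and then with an own-property check in the style of hasOwnProperty. The module table, module ids and export names are constructed assumptions, not the real server bundle layout.

```javascript
// Added illustration, not code from React or Next.js. A constructed
// stand-in for a server bundle's export table: module id -> exports object.
const serverModules = {
  "./actions.js": {
    addToCart(item) { return `added ${item}`; },
    getTotal() { return 42; },
  },
};

// Unsafe lookup: a plain property read. Names the module never exported
// ("constructor", "__proto__", "toString", ...) still resolve, because they
// are inherited from Object.prototype rather than declared by the module.
function resolveExportUnsafe(moduleId, exportName) {
  const exports = serverModules[moduleId];
  if (!exports) return undefined;
  return exports[exportName];
}

// Hardened lookup: the module id must be an own key of the registry, and the
// export name must be an own property of that module's exports. Anything
// inherited from the prototype chain is rejected before it is dereferenced.
const hasOwn = Object.prototype.hasOwnProperty;
function resolveExportSafe(moduleId, exportName) {
  if (!hasOwn.call(serverModules, moduleId)) {
    throw new Error(`unknown server module reference: ${String(moduleId)}`);
  }
  const exports = serverModules[moduleId];
  if (typeof exportName !== "string" || !hasOwn.call(exports, exportName)) {
    throw new Error(`module ${moduleId} has no own export named ${String(exportName)}`);
  }
  return exports[exportName];
}

// Detection helper: applies the same own-property test to a list of
// references from a reply payload and returns the ones that do not resolve
// to a declared export. Suitable for logging or rejecting the request.
function findNonOwnedReferences(references) {
  const bad = [];
  for (const { moduleId, exportName } of references) {
    const exports = hasOwn.call(serverModules, moduleId) ? serverModules[moduleId] : null;
    if (!exports || !hasOwn.call(exports, exportName)) {
      bad.push(`${moduleId}#${exportName}`);
    }
  }
  return bad;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(resolveExportUnsafe("./actions.js", "constructor") === Object); // true
  console.log(findNonOwnedReferences([
    { moduleId: "./actions.js", exportName: "getTotal" },
    { moduleId: "./actions.js", exportName: "constructor" },
  ])); // [ './actions.js#constructor' ]
}
```

The own-property check is what stops names inherited from Object.prototype from resolving; building the registry with Object.create(null) or a Map is a further hardening that removes the prototype chain altogether. findNonOwnedReferences is the same test in log-friendly form, for flagging reply payloads whose references do not point at declared exports.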


Next.js analysis

Next.js is a powerful open-source JavaScript framework designed to build modern, high-performance web applications.

Next.js does not contain a distinct vulnerability in this context, even though it was issued a CVE together with React. As one of the fix versions shows, Next.js simply updated the React code bundled in its own package to the latest patched version of React instead of the unpatched one.

If we look at one of the commits, inside packages/next/src/compiled/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.browser.development.js, we can see that the fix consists only of the bundled React code being updated.


Source: https://github.com/vercel/next.js/commit/bed530f7294241b9f92aa2ee5abc50a92e97b7fe 

Since the fix only updates the bundled React version, the Next.js CVE was determined to be a clone of the React one and was rejected by NVD: no code fixes were needed in the Next.js package itself, only an update of the React version it uses.


Source: https://nvd.nist.gov/vuln/detail/CVE-2025-66478 

Conclusion

Critical vulnerabilities were found in the React ecosystem and the Next.js package, allowing attackers to run arbitrary code on the servers running them. Next.js is only one example; other packages that bundle React may be affected as well.

How to protect your organization

For React

  • If running React 18.x or below: You are not affected
  • If running React 19.0, 19.1, or 19.2: Update immediately to 19.0.1, 19.1.2, or 19.2.1 respectively

For Next.js

  • Check your version and update to the corresponding patched version shown in the table above
