
Post by Uptycs MDR Team

Contributed by: Nandakumar KJ & Nageswra Rao C

Technical Details:

A critical vulnerability has been discovered in the React Server Components (RSC) 'Flight' protocol, affecting the React 19 ecosystem and the frameworks built on top of it, most notably Next.js. Tracked as CVE-2025-55182 for React and CVE-2025-66478 for Next.js, the flaw enables unauthenticated remote code execution (RCE) on the server through insecure deserialization. Because it is present in default configurations, typical deployments are exposed immediately. Given its critical severity and ease of exploitation, immediate patching is required.

CVE-2025-55182

CVE-2025-55182 is an insecure deserialization flaw within RSC. A remote, unauthenticated attacker could take advantage of the issue by sending a maliciously crafted payload to a susceptible React Server Function endpoint. If the attack succeeds, it could lead to remote code execution on the server.

CVE-2025-66478

CVE-2025-66478 is the corresponding RCE vulnerability in Next.js, which inherits the same underlying flaw through its implementation of the RSC "Flight" protocol.


Which products are affected?

Vulnerable product: react-server-dom* 19.0.0, 19.1.0, 19.1.1, and 19.2.0
Patch released: 19.0.1, 19.1.2, and 19.2.1

Vulnerable product: Next.js 14.3.0-canary.77 and later canary releases, Next.js 15.x, Next.js 16.x (App Router)
Patch released: the vulnerability is fully resolved in the following patched Next.js releases:

  • 15.0.5
  • 15.1.9
  • 15.2.6
  • 15.3.6
  • 15.4.8
  • 15.5.7
  • 16.0.7

If you are on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release.


Uptycs Coverage for these vulnerabilities:

We have coverage for CVE-2025-55182 and CVE-2025-66478. Click the Vulnerabilities section in the left pane and search for the CVE (use the Add filter option to add a filter for the specific CVE) to identify the vulnerable resources.


Additionally, the SQL query below lists the affected packages and the hosts they are installed on.

SQL
select *
from npm_packages
where
  (
    -- Next.js: the 15.x, 16.x and 14.3.0-canary lines, minus the patched releases
    (name = 'next'
     and (version like '15.%' or version like '16.%' or version like '14.3.0-canary.%')
     and version not in ('15.0.5', '15.1.9', '15.2.6', '15.3.6', '15.4.8', '15.5.7', '16.0.7', '14.3.0-canary.88'))
    or
    -- react-server-dom-* packages at the vulnerable 19.x releases
    (name in ('react-server-dom-parcel', 'react-server-dom-webpack', 'react-server-dom-turbopack')
     and version in ('19.0.0', '19.1.0', '19.1.1', '19.2.0'))
  )
  -- the date filter applies to both branches; in the unparenthesized form it only applied to the second
  and upt_day >= 20251203


Mitigation Guidance:

  1. Update React and its related packages to the patched versions listed above. This is the only reliable fix.
  2. If you are using other RSC-enabled frameworks (Redwood, Waku, etc.), check their official channels for updates regarding the bundled react-server version and update immediately.


Reference:

React Discloses Three New Vulnerabilities Affecting Application Stability and Code Security

The React team has announced three newly-discovered vulnerabilities—two classified as High Severity Denial-of-Service (DoS) issues and one Medium Severity Source Code Exposure flaw. These vulnerabilities impact applications built using affected React versions and require immediate review from engineering and security teams.

To find out whether you are impacted by the new CVEs, check for vulnerable assets in the Vulnerabilities Dashboard. Use the Filter to search for the three vulnerabilities.

Vulnerability Details

1. DoS Vulnerabilities (CVE-2025-55184 & CVE-2025-67779 — CVSS 7.5)

These two DoS vulnerabilities originate from improper handling of malformed component trees and uncontrolled resource consumption during server-side rendering (SSR). They can lead to application hangs, degraded performance, or complete service unavailability, particularly in SSR environments or heavily dynamic UI flows. Because no code execution is involved, the impact is availability-driven. CVE-2025-67779 was added because the earlier fix for CVE-2025-55184 was incomplete in certain patched releases.

2. Source Code Exposure (CVE-2025-55183 — CVSS 5.3)

This vulnerability allows unintended exposure of source code or JSX components due to a flaw in React’s internal error serialization logic. Although exploitation requires specific configuration conditions, the risk is non-trivial for production systems that rely on custom error boundaries or logging middleware.

These three vulnerabilities affect the same React Server Components packages that were impacted by earlier RSC issues:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

Uptycs Vulnerability Detection Signatures

Uptycs Vulnerability Threat Indicators are available for detecting the three CVEs.

Use this query to explicitly list the workloads with affected React packages.
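The version logic behind the SQL query earlier on this page (CVE-2025-55182 and CVE-2025-66478) and the check this paragraph refers to for the three newer CVEs, carried out in Python over inventory rows. This is an added example for this write-up; it is not Uptycs code and not the query shown in the screenshot. It assumes rows of (host, package name, version) such as an export of the npm_packages table, and it assumes that within a minor line every release at or above the listed patch is fixed (so, unlike the exact-match SQL above, a hypothetical 15.4.9 is not flagged); Next.js minor lines the advisory does not list are flagged conservatively. The sample inventory is constructed.

```python
"""Flag npm package inventory rows that fall inside the React / Next.js advisories above.

Added example; not Uptycs code. Assumes (host, package, version) rows and that releases
at or above a listed patch in the same minor line are fixed (assumption, not from the page).
"""
import re
from collections import defaultdict

RSC_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}

# First fixed release per minor line, taken from the advisory text.
# CVE-2025-55182 (RCE via the Flight protocol): fixed in 19.0.1, 19.1.2, 19.2.1
RSC_RCE_FIXED = {(19, 0): (19, 0, 1), (19, 1): (19, 1, 2), (19, 2): (19, 2, 1)}
# CVE-2025-55184 / CVE-2025-67779 (DoS) and CVE-2025-55183 (source exposure): 19.0.3, 19.1.4, 19.2.3
RSC_LATER_FIXED = {(19, 0): (19, 0, 3), (19, 1): (19, 1, 4), (19, 2): (19, 2, 3)}
RSC_LATER_CVES = ("CVE-2025-55184", "CVE-2025-67779", "CVE-2025-55183")
# CVE-2025-66478 (Next.js): first fixed release per 15.x / 16.x minor line
NEXT_FIXED = {
    (15, 0): (15, 0, 5), (15, 1): (15, 1, 9), (15, 2): (15, 2, 6), (15, 3): (15, 3, 6),
    (15, 4): (15, 4, 8), (15, 5): (15, 5, 7), (16, 0): (16, 0, 7),
}
NEXT_FIRST_AFFECTED_CANARY = 77  # 14.3.0-canary.77 and later canary releases

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_version(version):
    """Return ((major, minor, patch), prerelease-or-None), or None if not semver-shaped."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def classify(name, version):
    """Return the sorted list of advisory CVE ids that apply to one package@version."""
    parsed = parse_version(version)
    if parsed is None:
        return []  # not semver-shaped; nothing can be concluded, review manually
    (major, minor, patch), prerelease = parsed
    cves = set()

    if name == "next":
        if (major, minor, patch) == (14, 3, 0) and prerelease and prerelease.startswith("canary."):
            # Only canary.77 and later of the 14.3.0 line are affected.
            try:
                build = int(prerelease.split(".", 1)[1])
            except (ValueError, IndexError):
                build = None
            if build is not None and build >= NEXT_FIRST_AFFECTED_CANARY:
                cves.add("CVE-2025-66478")
        elif major in (15, 16):
            fixed = NEXT_FIXED.get((major, minor))
            # A prerelease of 15.x/16.x sorts before its base release, so treat it as unfixed;
            # a minor line the advisory does not list is flagged conservatively (assumption).
            if fixed is None or prerelease or (major, minor, patch) < fixed:
                cves.add("CVE-2025-66478")
        # Stable 14.x and older lines are not listed as affected.
    elif name in RSC_PACKAGES and major == 19 and not prerelease:
        fixed = RSC_RCE_FIXED.get((major, minor))
        if fixed and (major, minor, patch) < fixed:
            cves.add("CVE-2025-55182")
        fixed = RSC_LATER_FIXED.get((major, minor))
        if fixed and (major, minor, patch) < fixed:
            cves.update(RSC_LATER_CVES)
    return sorted(cves)


def report(rows):
    """Group findings by host: {host: [(package, version, [cves]), ...]}; clean hosts are omitted."""
    by_host = defaultdict(list)
    for host, name, version in rows:
        cves = classify(name, version)
        if cves:
            by_host[host].append((name, version, cves))
    return dict(by_host)


# Constructed sample inventory (not real data) covering the edge cases above.
SAMPLE_ROWS = [
    ("web-01", "next", "15.4.7"),                        # below 15.4.8 -> vulnerable
    ("web-01", "react-server-dom-webpack", "19.1.1"),    # RCE fix and later fixes both missing
    ("web-02", "next", "15.4.8"),                        # patched for CVE-2025-66478
    ("web-02", "react-server-dom-turbopack", "19.1.2"),  # RCE fixed, DoS/source-exposure fixes missing
    ("web-03", "next", "14.3.0-canary.76"),              # before canary.77 -> not affected
    ("web-03", "next", "14.2.10"),                       # stable 14.x -> not affected
    ("web-04", "next", "14.3.0-canary.90"),              # canary.77 or later -> vulnerable
    ("web-04", "react-server-dom-parcel", "19.2.3"),     # fully patched
]

if __name__ == "__main__":
    for host, findings in sorted(report(SAMPLE_ROWS).items()):
        for name, version, cves in findings:
            print(f"{host}: {name}@{version} -> {', '.join(cves)}")
```

Feeding the exported rows of the npm_packages table into report() gives the same host-level list as the SQL, with the canary lower bound and the per-line patch comparison handled explicitly instead of by LIKE patterns and exact-match exclusion lists.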

[Screenshot of the Uptycs query, taken 2025-12-12]

Recommended Actions

  • Upgrade React to the patched versions (19.0.3, 19.1.4, and 19.2.3) immediately.

  • Review SSR configurations, error boundaries, and debugging middleware.

  • Ensure production builds strip non-essential debugging information.

  • Implement rate-limiting and request validation to mitigate DoS attack vectors.

These vulnerabilities highlight the need for continuous dependency monitoring as modern UI frameworks increasingly play a central role in application security posture.