
React RCE: CVE-2025-55182 Hits 39% of Cloud Apps

Meta and Vercel disclosed critical CVE-2025-55182 and CVE-2025-66478 on December 3, 2025—both rated CVSS 10.0 (maximum severity). The vulnerabilities allow unauthenticated remote code execution in React Server Components and Next.js. The alarming part: 39% of cloud environments contain vulnerable instances according to Wiz Research, and default configurations created with create-next-app are exploitable with zero developer code changes. React 19.0-19.2.0 and Next.js 14.3.0-canary through 16.x are affected. Patches are available immediately, but security experts warn “exploitation is imminent.”

This isn’t theoretical. If you use React 19 or Next.js 15/16 with App Router, your servers are vulnerable to full remote code execution right now. No developer mistakes required—the framework itself shipped with the flaw.

Default Configurations Are Vulnerable (No Developer Error Required)

Here’s the part that should terrify every React developer: a standard Next.js app created with create-next-app and built for production can be exploited with no code changes by developers. This is a framework-level security flaw in the React Server Components “Flight” protocol deserialization logic, not a developer implementation mistake.

Wiz Research confirms: “Default configurations are vulnerable—a standard Next.js app created with create-next-app and built for production can be exploited with no code changes by the developer.” Exploitation has a near-100% success rate in testing. This affects the LATEST versions of React—19.x is the current release, not legacy code. With 968,000+ servers potentially affected, this represents a systemic “insecure by default” failure.

Most vulnerabilities require developer errors: SQL injection from poor input validation, XSS from missing sanitization. This one doesn’t. Following official best practices and using official tooling still results in vulnerable apps. That’s not a bug—that’s a design failure.

Timeline: 4-Day Responsible Disclosure (But Questions Remain)

Lachlan Davidson, a security researcher at Carapace, reported CVE-2025-55182 via Meta Bug Bounty on November 29. Meta confirmed it November 30, created a fix December 1, coordinated with hosting providers (Cloudflare, Google, AWS, Vercel, Firebase), and published patches plus public disclosure December 3. Four days from report to fix represents exemplary responsible disclosure.

However, the timeline raises an uncomfortable question: how did a CVSS 10.0 flaw ship in React 19’s stable release in October 2024? React Server Components represent a major architectural shift—server-first rendering with an entirely new serialization protocol. Yet this insecure deserialization vulnerability went undetected for two months after the stable launch. That suggests security review gaps in the “move fast” culture that should concern anyone adopting bleeding-edge frameworks.

Who’s Affected and How to Patch CVE-2025-55182

Vulnerable versions include React 19.0, 19.1.0, 19.1.1, and 19.2.0, plus Next.js 14.3.0-canary.77 through all 15.x and 16.x versions using the App Router. Additional affected frameworks include React Router, Waku, Parcel RSC, Vite RSC plugin, and RedwoodJS—any framework using react-server-dom packages.

You’re safe if you use React 18.x or earlier (no RSC support), Next.js 13.x stable or earlier, or only use the Next.js Pages Router. Edge Runtime deployments are also safe—only the Node.js runtime is vulnerable.

Patched versions are available now: React 19.0.1, 19.1.2, and 19.2.1, plus Next.js 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7. The Next.js advisory is clear: “There is no configuration option to disable the vulnerable code path.” You must patch or accept full RCE risk.

npm update react react-dom next   # Pull the patched 19.x / 15.x / 16.x releases within your package.json ranges
npm list react react-dom next     # Verify the installed versions match the patched list above
npm run build                     # Rebuild and deploy ASAP

Major hosting providers deployed WAF protections automatically. Cloudflare WAF protects all customers (free and paid) as long as React traffic is proxied through Cloudflare. Google Cloud Armor offers a cve-canary preconfigured rule. AWS WAF deployed managed rule updates. Firebase Hosting and App Hosting enforce automatic rule mitigation. These are temporary shields—patching is the only real fix.

The Bigger Question: Why Did This Ship?

This vulnerability represents a systemic security design failure in the RSC protocol that went undetected until two months after React 19’s stable launch. The flaw isn’t an implementation bug—it’s a logical deserialization vulnerability in the protocol design itself. That distinction matters.

React 19 launched in October 2024 as “stable.” CVE-2025-55182 was discovered November 29, 2025. The Register warns “exploitation is imminent.” Tenable nicknamed it “React2Shell” to emphasize the remote shell access impact. Security researchers are asking the obvious question: did the RSC protocol get adequate security review before the stable release?

This incident will become a case study in “move fast, break things” trade-offs. RSC is a valuable feature—server-first rendering solves real problems. But shipping it as “stable” without catching a CVSS 10.0 flaw exposes millions of developers to untested code disguised as production-ready. The 39% prevalence shows how quickly insecure-by-default code spreads when developers trust the “stable” label.

Key Takeaways

  • Patch immediately: CVSS 10.0 is a “drop everything” priority with exploitation imminent
  • Default configs vulnerable: No developer mistakes required—create-next-app generates exploitable apps
  • 39% of cloud environments affected: 968,000+ servers potentially vulnerable right now
  • Fast disclosure timeline: 4 days from report to patch shows coordinated response
  • Enable WAF protections: Cloudflare, Google Cloud Armor, AWS WAF offer temporary mitigation
  • Systemic framework flaw: This isn’t an isolated incident—it’s a security design failure that shipped as “stable”

Meta’s official statement is blunt: “An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server.” That’s as bad as it gets. Update now.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to simplify complex tech concepts, breaking them down into byte-sized and easily digestible information.
