What is a React Server Component?
React is a widely used open-source JavaScript library for building user interfaces (UIs). A React Server Component (RSC) is a type of React component designed to render on the server, either at build time or during a server-side request. This contrasts with traditional React components, now often referred to as Client Components, which primarily execute in the user's browser. Since RSCs run on the server, they can directly access server-side resources like databases or file systems without needing client-side API calls.
What is Next.js?
Next.js is an open-source React framework developed by Vercel and the open-source community that enhances and extends the capabilities of React for building production-ready web applications.
What is CVE-2025-55182?
CVE-2025-55182 is an unsafe-deserialization bug in React Server Components (including packages like react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack) that can allow unauthenticated remote code execution when a server deserializes attacker-controlled payloads because it doesn’t properly validate or constrain them. The CVE has been assigned a CVSS score of 10.0, the highest possible severity.
What is CVE-2025-66478?
CVE-2025-66478 is the closely related Next.js advisory tracking the same RSC issue when Next.js uses vulnerable React packages. Next.js rates the issue as critical (CVSS 10.0). Default configurations are vulnerable: a standard Next.js app created with create-next-app and built for production can be exploited with no code changes by the developer.
Why are these CVEs dangerous?
Both CVEs are extremely dangerous because they allow an attacker to trigger remote code execution on the server with no authentication, no credentials, and no special privileges. This means an attacker can send a single crafted request to a public React/Next.js server and potentially execute arbitrary code, steal environment variables, access internal networks, exfiltrate data, or fully compromise the application.
Since React and Next.js power millions of websites and SaaS platforms, and the vulnerability affects default configurations used in many deployments, the attack surface is massive. With no authentication required, exploitation is trivial, making these CVEs some of the highest-severity web framework vulnerabilities in recent years.
Who is affected by the React and Next.js CVEs?
If you’re running any of the versions below and your server is exposed to the internet, you must patch immediately, rebuild and redeploy your apps, and enable WAF/edge rules until patching is complete:
- Vulnerable React releases: 19.0.0, 19.1.0, 19.1.1, 19.2.0 (react-server-dom-* packages) and the RSC packages listed in the React advisory.
- Vulnerable Next.js releases: 15.x, 16.x, and 14.3.0-canary.77 and later canary releases. More info in the Next.js advisory.
If your application does not use server components, server functions, or does not expose server endpoints to untrusted networks, your risk is lower, but you must still verify dependencies and patch if the packages are present.
How to patch
If you are running the affected versions, patch immediately to the fixed versions listed below. After upgrading, you must rebuild and redeploy your apps for the update to be complete.
- React (react-server-dom-*)
Fixed releases: React 19.0.1, 19.1.2, 19.2.1 (upgrade the react-server-dom-* packages to the fixed versions or update react/react-dom to the corresponding patched releases).
- Next.js
Patched Next.js releases (examples from the advisory): 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7. If you are on affected canary builds (e.g., 14.3.0-canary.77 or later), downgrade to the latest stable 14.x until you can upgrade to a patched release.
Note: Always check the official React advisory and Next.js advisory and your package manager for the absolute latest patch versions before you update.
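To check whether a deployment falls inside the affected ranges listed above, here is an added example (not Mondoo's code, nor the React or Next.js projects'): it classifies the installed `next` and `react-server-dom-*` versions found in a package-lock.json "packages" map against the vulnerable and patched releases named in the two sections above. The lock object at the end is constructed for illustration.

```javascript
const RSC_PACKAGES = ['react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack'];
const RSC_VULNERABLE = new Set(['19.0.0', '19.1.0', '19.1.1', '19.2.0']);
// First patched release of each affected Next.js release line, per the list above.
const NEXT_PATCHED = { '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6',
  '15.3': '15.3.6', '15.4': '15.4.8', '15.5': '15.5.7', '16.0': '16.0.7' };
// Parses "x.y.z" or "x.y.z-canary.N"; returns null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3],
           canary: m[4] === undefined ? null : +m[4] };
}
function classifyNext(version) {
  const v = parseVersion(version);
  if (!v) return 'unparsed';
  if (v.major === 14) {
    // Only 14.3.0-canary.77 and later canary builds; stable 14.x is not listed.
    const late = v.canary !== null &&
      (v.minor > 3 || (v.minor === 3 && (v.patch > 0 || v.canary >= 77)));
    return late ? 'vulnerable' : 'not-affected';
  }
  if (v.major !== 15 && v.major !== 16) return 'not-affected';
  const fixed = NEXT_PATCHED[`${v.major}.${v.minor}`];
  if (!fixed) return 'check-advisory'; // release line not in the table above
  const f = parseVersion(fixed);
  // A canary of the fixed patch level still predates the fixed release.
  const below = v.patch < f.patch || (v.patch === f.patch && v.canary !== null);
  return below ? 'vulnerable' : 'patched';
}
// Fixed RSC releases are 19.0.1, 19.1.2 and 19.2.1; only the listed versions are flagged.
function classifyRsc(version) {
  return RSC_VULNERABLE.has(version) ? 'vulnerable' : 'not-listed';
}
// Walks a package-lock "packages" map (keys like "node_modules/next"), so nested copies are found too.
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    const status = name === 'next' ? classifyNext(meta.version)
      : RSC_PACKAGES.includes(name) ? classifyRsc(meta.version) : null;
    if (status) findings.push({ path, version: meta.version, status });
  }
  return findings;
}
// Constructed sample lock: a patched Next.js with a vulnerable nested RSC package.
const SAMPLE_LOCK = { packages: {
  'node_modules/next': { version: '15.5.7' },
  'node_modules/next/node_modules/react-server-dom-webpack': { version: '19.2.0' } } };
console.log(auditLock(SAMPLE_LOCK));
```

Against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `auditLock`; any finding other than `patched` or `not-affected` means the app must be upgraded, rebuilt and redeployed.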
If you cannot patch immediately
There can be valid reasons for not patching immediately. In those cases, take the following mitigating actions to temporarily reduce risk:
- Enable WAF/edge rules: many cloud providers created rules to detect/block exploit attempts (for example: Google Cloud Armor published a cve-canary WAF rule you can deploy as a temporary mitigation). Use preview/logging mode first to assess the impact. It’s important, however, not to rely on a WAF as a permanent fix.
- Hosting provider mitigations: Some hosts (Firebase Hosting, Vercel, and cloud vendors) rolled out temporary protections. Check your host’s security advisories and enable any recommended protections.
- Reduce exposure: If feasible, limit network exposure to server runtime endpoints (restrict access by IP, require authentication at the edge, or place the service behind API gateways) until you have a patched deployment.
- Important: the Next.js advisory notes that there is no configuration option to simply ‘turn off’ the vulnerable code path, so upgrading is required for a full fix.
How can Mondoo help?
The Mondoo vulnerability management platform can help you quickly address this risk by telling you whether you’re affected by the CVEs and whether the affected assets are exposed to the internet.

If you’re affected, Mondoo makes it easy to remediate the vulnerability. Each CVE includes detailed remediation steps and code snippets to fix the issue.
By clicking on ‘Take Action’, you can create an ITSM ticket straight from the Mondoo platform, with support for many ticketing systems such as Jira, ServiceNow, Azure DevOps, Zendesk, GitHub Issues, and GitLab. Platform engineers will then receive a ticket with all the required details on the asset, why it needs to be updated, and exactly how to do it.

After the fix has been applied, Mondoo will automatically verify if the fix was applied successfully.
Is the Mondoo platform affected?
No, the Mondoo platform is not affected by these CVEs.