Date of Disclosure: Dec. 4, 2025
Overview
A critical Remote Code Execution (RCE) vulnerability, tracked as CVE-2025-55182 in React and CVE-2025-66478 in Next.js, was disclosed on Dec. 3, 2025 and poses a significant risk to affected organizations. It allows an unauthenticated attacker to craft a malicious HTTP request that leads to remote code execution on the server. Given the severity, organizations are strongly advised to identify all vulnerable applications listed below and urgently apply the necessary patches.
Vulnerability Details
| CVE ID | Affected Product | Patched release | Description |
|---|---|---|---|
| CVE-2025-55182 | react-server-dom*: 19.0.0, 19.1.0, 19.1.1, and 19.2.0 | 19.0.1, 19.1.2, and 19.2.1 | A critical unauthenticated remote code execution (RCE) vulnerability in the react-server package used by React Server Components (RSC). |
| CVE-2025-66478 | Next.js: 14.3.0-canary, 15.x, and 16.x (App Router) | 14.3.0-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 | The corresponding RCE vulnerability in Next.js, which inherits the same underlying flaw through its implementation of the RSC "Flight" protocol. |
Vulnerability Impact
This flaw allows for unauthenticated remote code execution (RCE) on the server due to insecure deserialization. The vulnerability exists in the default configuration of affected applications, meaning standard deployments are immediately at risk. Due to the high severity and the ease of exploitation, immediate patching is required.
Action Required: Urgent Patching
Synack strongly recommends that all customers take immediate action to mitigate the risk associated with these critical vulnerabilities.
- Identification: Inventory all applications using React and Next.js. Specifically, identify the versions currently deployed to determine if they fall within the range of affected software. Refer to the official vendor advisories for specific version information: React Vendor Advisory
- Patching and Remediation: Urgently apply the official patches or updates. Prioritize patching external-facing or mission-critical applications immediately.
- Synack Platform Support: Synack customers can utilize their existing continuous security testing programs to assist with identifying exposed applications and/or verifying successful remediation.
  - Launch a CVE Check: Customers can request a CVE check via the Synack Platform to specifically test for this exposure across their attack surface.
  - Targeted Patch Verification: If these vulnerabilities are identified by the Synack Red Team, use the patch verification feature to confirm that the patches have been effectively applied.
Further Assistance
For questions regarding this advisory or assistance in prioritizing your patching efforts, please contact your Synack Customer Success Manager or reach out to the Synack Support team.