Developers urged to immediately upgrade React, Next.js

Developers using the React 19 library for building application interfaces are urged to immediately upgrade to the latest version because of a critical vulnerability that can be easily exploited by an attacker to remotely run their own code.

Researchers at Wiz said Wednesday that a vulnerability in the React Server Components (RSC) Flight protocol affects the React 19 ecosystem, as well as frameworks that implement it. In particular, that means Next.js, a popular full stack development framework built on top of React, which received a separate CVE. 

RSC Flight protocol powers communication between the client and server for React Server Components, sending serialized component trees over the wire from the server to the client.

“The vulnerability exists in the default configuration of affected applications, meaning standard deployments are immediately at risk,” says the warning. “Due to the high severity and the ease of exploitation, immediate patching is required,” 

“Our exploitation tests show that a standard Next.js application created via create-next-app and built for production is vulnerable without any specific code modifications by the developer,” Wiz also warns.

The problem in React’s server package, designated CVE-2025-55182, is a logical deserialization vulnerability allowing the server to processes RSC payloads in an unsafe way. When a server receives a specially crafted, malformed payload, say Wiz researchers, it fails to validate the structure correctly. This allows attacker-controlled data to influence server-side execution logic, resulting in the execution of privileged JavaScript code.

“In simple terms,” Wiz said in response to questions, “the server takes input from a user, trusts it too much, and processes it into code-like objects which attackers can exploit to run commands or leak sensitive information.”

Affected are React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. The fix is to upgrade to the latest version of React.

While the vulnerability affects all development frameworks using vulnerable versions of React, the problem in Next.js is specifically identified as CVE-2025-66478.

Affected are Next.js 15.x and 16.x using the App Router. Again, the fix is to upgrade to the latest version of Next.js.

React’s blog provides detailed upgrade instructions for both React and Next.js.

‘Serious vulnerability’

“The configuration needed for these vulnerabilities to function is extremely common,” Wiz said in response to questions, “and disabling the functionality needed to block them is very rare. In fact, we failed to find any such case.”

Wiz says 39% of cloud environments are currently using Next.js and other web frameworks based on React. 

Johannes Ullrich, dean of research at the SANS Institute, told InfoWorld that RSC is widely used, particularly when the Next.js framework, which implements RSC by default, is employed.

“This is a very serious vulnerability,” he said in an email. “I expect public exploits to surface within a day or so, and applications must be patched quickly. Some web application firewall vendors, such as Cloudflare, have already implemented rules to protect applications from potential exploits. But even web applications protected by these systems should be patched, in case attackers find ways to bypass these protection mechanisms.”

To exploit the React vulnerability, all a threat actor would need to do is send a specially crafted HTTP request to the server endpoint. For security reasons, Wiz researchers didn’t detail how this could be done. But, they said, in similar vulnerabilities, attackers leverage remote code execution on servers to download and execute sophisticated trojans on the server, usually a known C2 framework like sliver, but in some cases, a more custom payload. “The main point,” the researchers said, “is that with an RCE like this, an attacker can practically do anything.”

CISOs and developers need to treat these two vulnerabilities as “more than critical,” said Tanya Janca, a Canadian-based secure coding trainer. In fact, she said in an email, they should be treated in the same way that infosec pros treated the Log4j vulnerability, and scour all applications. “There could not be a more serious security flaw in a web application than this,” she said, “even if it is not known to be exploited in the wild yet.”

Advice for CSOs, developers

Janca said developers should:

• make a list of all apps using React or Next.js;
• check if they use any of the known vulnerable versions: React: 19.0 / 19.1.0 / 19.1.1 / 19.2.0, and Next.js: 14.3.0-canary.77 and later canary releases, 15.x/16.x
  if so, upgrade to a safe version:
  • React: 19.0.1, 19.1.2, 19.2.1 or better
  • Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 or later; if on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release;
• scan with a software composition analysis tool to see if the vulnerable versions are used in unexpected places;
• if, for some reason, they can’t be upgraded, assume those apps are unsafe and turn them off if possible. If they can’t be disabled, treat them like a bomb went off and put a network firewall around them, monitor them and work with the security team on it;
• infosec pros should read app logs and look for strange behavior;
• keep the security team informed;

Most importantly, she said, treat this as an emergency.

This article originally appeared on InfoWorld.