High Threat Security Alert (A25-12-03): Multiple Vulnerabilities in React Server Components and Next.js


 

Published on: 04 December 2025

Description:

React and Next.js released a security advisory to address the recent threat activity affecting React Server Components and Next.js. The detailed information can be found at:
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
https://nextjs.org/blog/CVE-2025-66478

Reports indicated that the remote code execution vulnerabilities (CVE-2025-55182 and CVE-2025-66478) in React Server Components and Next.js were publicly disclosed. System administrators are strongly advised to take immediate mitigation actions for the affected systems, including upgrading the version of React Server Components and Next.js to the fixed versions, to mitigate the elevated risk of cyber attacks.

 

Affected Systems:

  • React Server Components prior to version 19.0, 19.1.0, 19.1.1 and 19.2.0
  • Next.js prior to version 14.3.0-canary.77, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 and 16.0.7

 

Impact:

Successful exploitation of the vulnerabilities could lead to remote code execution on the affected system.

 

Recommendation:

Administrators of affected systems should follow the recommendations provided by the vendor and take immediate actions to mitigate the risk.

 

More Information:

  • https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
  • https://nextjs.org/blog/CVE-2025-66478
  • https://www.cve.org/CVERecord?id=CVE-2025-55182
  • https://www.cve.org/CVERecord?id=CVE-2025-66478


Tag: React
Tags