CVE-2025-66478

Published Dec 3, 2025

Last updated 2 days ago

React
Next.js
react2shell

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-66478 was assigned to the Next.js side of a critical vulnerability affecting Next.js applications that use the App Router. NVD has since rejected it as a duplicate of CVE-2025-55182, the React identifier (see Description below), so both numbers refer to the same flaw. The flaw allows unauthenticated remote code execution (RCE) and stems from insecure deserialization within the React Server Components (RSC) "Flight" protocol. Exploitation requires only a crafted HTTP request, and default configurations of Next.js applications created with `create-next-app` are affected. Patched versions of React (19.0.1, 19.1.2 and 19.2.1) and Next.js (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 and 16.0.7) are available; upgrade immediately, and confirm that the react-server-dom-* packages, where the deserialisation lives, are updated alongside React rather than pinned to an older release by a lockfile. Fastly has also released a Virtual Patch for its NGWAF to help block exploitation attempts; treat a WAF rule as a stopgap while you upgrade, not as a replacement for the upgrade.
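A practical first step is to check what is actually installed, because a lockfile can pin React or one of the react-server-dom packages below the fixed release even after `next` itself is bumped. The following dependency audit is an added example written for this page, not code from the advisory or from the React or Next.js projects; only the patched version lists come from the text above, while the helper names, the list of react-family package names and the sample lockfile are assumptions made for the example.

```javascript
// Added example: compare React / Next.js versions found in a package-lock.json
// style "packages" map against the patched releases listed on this page.
// Names, the REACT_FAMILY list and SAMPLE_LOCK are assumptions for illustration.

const PATCHED = {
  next: ['15.0.5', '15.1.9', '15.2.6', '15.3.6', '15.4.8', '15.5.7', '16.0.7'],
  react: ['19.0.1', '19.1.2', '19.2.1'],
};

// Assumption: the react-server-dom-* packages release in lockstep with react,
// so they are judged against the react list. Verify against your own lockfile.
const REACT_FAMILY = [
  'react', 'react-dom', 'react-server-dom-webpack',
  'react-server-dom-turbopack', 'react-server-dom-parcel',
];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

function compare(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  // A prerelease sorts below the release carrying the same numbers.
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// Returns one of: patched, vulnerable, prerelease-review, unknown-line, not-in-scope.
function assess(name, version) {
  const list = name === 'next' ? PATCHED.next
    : REACT_FAMILY.includes(name) ? PATCHED.react : null;
  if (!list) return 'not-in-scope';
  const v = parseVersion(version);
  const fix = list.map(parseVersion)
    .find(p => p.major === v.major && p.minor === v.minor);
  // No fixed release is listed for this minor line (e.g. 14.x, 18.x): the page
  // gives no answer, so report it for manual review against the advisory.
  if (!fix) return 'unknown-line';
  // Canary / rc builds are not covered by the release list above.
  if (v.pre) return 'prerelease-review';
  return compare(v, fix) >= 0 ? 'patched' : 'vulnerable';
}

// Walk a lockfile v2/v3 "packages" map; nested node_modules paths are handled.
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!name || !meta.version) continue;
    const status = assess(name, meta.version);
    if (status !== 'not-in-scope') findings.push({ name, version: meta.version, status });
  }
  return findings;
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'app' },
    'node_modules/next': { version: '15.5.6' },
    'node_modules/react': { version: '19.2.1' },
    'node_modules/react-server-dom-webpack': { version: '19.1.1' },
    'node_modules/next/node_modules/postcss': { version: '8.4.31' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditLock(SAMPLE_LOCK));
}
```

In the constructed sample the app has a patched `react` but a stale `react-server-dom-webpack` and an unpatched `next`, which is exactly the mixed state a lockfile can leave behind; the audit flags both rather than trusting the top-level `react` version. Lines for which the page lists no fixed release are reported as `unknown-line` instead of being guessed either way.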

Description
Rejected reason: This CVE is a duplicate of CVE-2025-55182.
Source
security-advisories@github.com
NVD status
Rejected

Insights

Analysis from the Intruder Security Team
Published Dec 4, 2025 Updated Dec 4, 2025

This vulnerability allows code execution via a deserialisation flaw within the react-server-dom packages. It affects React, Next.js and downstream projects that utilise these frameworks.

We have identified a large number of false or fake proof-of-concepts online, which has driven a degree of misinformation regarding this vulnerability, as confirmed on the original researcher's site. We have also witnessed exploitation activity for this vulnerability as researchers and threat actors reverse-engineer the patches to find a working exploit.

AssetNote has released a technical research post overnight that outlines the vulnerability and a method of detecting its presence.

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

75

  1. 🚨 Critical vulnerabilities (CVE-2025-55182, CVE-2025-66478) uncovered in React Server Components & Next.js! Threat actors could gain unauthorized data access & more. Developers, assess your systems ASAP! #React #Nextjs https://t.co/lqOVGnC4YI

    @xcybersecnews

    5 Dec 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. React2Shell CVE-2025-55182, CVE-2025-66478: a pretty nasty vulnerability that makes RCE possible. Apparently fake PoCs are circulating, so be careful. https://t.co/oakAyf018D

    @tomtwinklestar

    4 Dec 2025

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. We review two vulnerabilities affecting React (CVE-2025-55182) and Next.js (CVE-2025-66478), both with a CVSS score of 10.0. These vulns, in the React Server Components (RSC) Flight protocol, allow unauthenticated attackers to execute arbitrary code. https://t.co/JfOS15kpkC https

    @Unit42_Intel

    4 Dec 2025

    7639 Impressions

    28 Retweets

    72 Likes

    27 Bookmarks

    0 Replies

    1 Quote

  4. CVE-2025-55182 affects the core React library AND downstream frameworks. Next.js CVE was tracked separately under CVE-2025-66478, but has since been rejected as a duplicate: https://t.co/OBqoBqgy1U

    @MartinZugec

    4 Dec 2025

    35 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Critical Next.js vulnerability (CVE-2025-66478) — CVSS 10.0 If you're using App Router with Next.js 15 or 16, update immediately. Unauthenticated RCE via a single HTTP request. Patched versions: 16.0.7, 15.5.7, 15.4.8, and more. https://t.co/ITb78RWSoj

    @southwellmedia

    4 Dec 2025

    80 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Next.js / React vulnerability (CVE-2025-55182 / CVE-2025-66478): Dify was using a version squarely affected. I had updated our in-house Next.js environments during the day, but completely forgot about self-hosted Dify... In a panic, from home

    @Gould0100

    4 Dec 2025

    488 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. React2Shell CVE-2025-55182 CVE-2025-66478 is kind of a bad name cause you can still do other bad things - the shell just makes it super easy to do ultra bad things which is precisely why we don't have shells or the ability to run other programs in the nanos unikernel

    @nanovms

    4 Dec 2025

    362 Impressions

    1 Retweet

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. FOFA dorks for react2shell (CVE-2025-55182 & CVE-2025-66478) - "Vary: RSC" Or you can search for specific targets host="https://t.co/YCJEfR4ka6" && "Vary: RSC"

    @rahmaniesfinest

    4 Dec 2025

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes
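The `Vary: RSC` response header mentioned in the post above is the fingerprint of an RSC-capable Next.js App Router deployment, and defenders can use it to build an inventory of in-scope hosts from existing scan or proxy captures. The filter below is an added example written for this page, not code from the post's author or from the Next.js project; it assumes raw HTTP response heads captured as strings, and the sample responses and host names are constructed. Matching the header only tells you that a server speaks the RSC protocol; it says nothing about whether the installed version is patched.

```javascript
// Added example: flag captured HTTP responses whose Vary header lists the RSC
// token. Handles CRLF/LF line endings, case-insensitive header names and
// tokens, and Vary given either once as a comma list or repeated.
// SAMPLES below are constructed and do not come from any real host.

function parseHeaders(raw) {
  // Head ends at the first blank line; tolerate CRLF or bare LF.
  const head = raw.split(/\r?\n\r?\n/)[0];
  const lines = head.split(/\r?\n/);
  const statusLine = lines.shift();
  const headers = new Map(); // lower-cased name -> array of values
  for (const line of lines) {
    const idx = line.indexOf(':');
    if (idx < 0) continue; // not a header line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(value);
  }
  return { statusLine, headers };
}

function variesOnRsc(raw) {
  const { headers } = parseHeaders(raw);
  const vary = headers.get('vary') || [];
  // Vary tokens are header-field names, which are case-insensitive.
  return vary
    .flatMap(v => v.split(','))
    .map(t => t.trim().toLowerCase())
    .includes('rsc');
}

// Returns the hosts whose responses carry Vary: RSC, in input order.
function triage(responses) {
  return responses.filter(r => variesOnRsc(r.raw)).map(r => r.host);
}

// Constructed sample captures.
const SAMPLES = [
  { host: 'app.example.test',
    raw: 'HTTP/1.1 200 OK\r\nVary: RSC, Accept-Encoding\r\nContent-Type: text/html\r\n\r\n<html>' },
  { host: 'static.example.test',
    raw: 'HTTP/1.1 200 OK\r\nVary: Accept-Encoding\r\nContent-Type: text/html\r\n\r\n<html>' },
  { host: 'multi.example.test',
    raw: 'HTTP/1.1 200 OK\nVary: Accept-Encoding\nvary: rsc\n\n' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(triage(SAMPLES));
}
```

Feed the output of this filter into the version audit of whatever is deployed on those hosts; a `Vary: RSC` hit is a reason to look, not a finding by itself.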

  9. Built a vulnerable React/Next.js lab for testing the #React2Shell bugs (CVE-2025-55182 & CVE-2025-66478). Everything ships in Docker containers.. use it 4fun https://t.co/d8KyqsO9St https://t.co/3RSbXTFgnP

    @jctommasi

    4 Dec 2025

    988 Impressions

    0 Retweets

    4 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  10. This week two massive CVEs affecting React and Next.js were released, with massive repercussions. CVE-2025-55182 and CVE-2025-66478 are critical unauthenticated RCE vulnerabilities affecting even default configurations. After the CVE was announced, we've begun working on a http

    @ethiack

    4 Dec 2025

    2847 Impressions

    5 Retweets

    18 Likes

    5 Bookmarks

    0 Replies

    1 Quote

  11. Security firm Wiz disclosed a critical remote code execution vulnerability in the React Server Components (RSC) "Flight" protocol, affecting React 19 and frameworks built on it, chiefly Next.js. The two vulnerability IDs are CVE-2025-55182 (React) and CVE-2025-66478 (Next.js). An attacker only needs to send

    @SilverBullet808

    4 Dec 2025

    192 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. Shenyu (神鱼): Risk warning, a day to pause DeFi interactions. React 19 / Next.js App Router just disclosed a CVSS 10.0 RCE (CVE-2025-55182 / CVE-2025-66478), affecting Next.js apps built on React Server Components. Quite a few dapp front ends are confirmed to be Next.js, https://t.co/j0zaujbDvx

    @zichuan_x

    4 Dec 2025

    699 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    3 Replies

    0 Quotes

  13. A new maximum-severity vulnerability (CVE-2025-55182 and CVE-2025-66478) has been disclosed in React Server Components (RSC) and Next.js, allowing attackers to execute arbitrary code on servers without authentication. The flaw, known as React2shell, stems from unsafe https://t.co

    @FORTBRIDGE

    4 Dec 2025

    472 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  14. Dealing with bug bounty reports for CVE-2025-66478 at the program that I manage in high numbers without actual POC is amusing. Congrats you managed to identify our apps running on Next.js here is your $15k.

    @_jensec

    4 Dec 2025

    12698 Impressions

    10 Retweets

    226 Likes

    36 Bookmarks

    7 Replies

    0 Quotes

  15. CVE-2025-55182(CVSS 10.0) && CVE-2025-66478(CVSS 10.0) : Catastrophic React Flaw allows Unauthenticated RCE on Next.js and React Server Components. POC: https://t.co/cFkfMurXM2 #react #reactjs #cybersecurity #appsec #secops https://t.co/BcR0YeKz8k

    @IamGokulesh

    4 Dec 2025

    630 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  16. Critical RCE vulnerability (CVE-2025-66478, CVSS 10.0) in React Server Components (RSC) affects Next.js App Router 15.x & 16.x. Action: Upgrade immediately to patched versions (e.g., 15.0.5, 16.0.7) to prevent remote code execution. Full advisory: https://t.co/OOIaTCm3I4 #Ne

    @Uncle_Roaster

    4 Dec 2025

    54 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. React2Shell (CVE-2025-55182/CVE-2025-66478) "We are seeing a trend of 'proofs of concept' that are not genuine PoCs spreading rapidly." "We are concerned that these PoCs ... could lead to false positives, and ... could leave people inadequately prepared

    @hogehuga

    4 Dec 2025

    5001 Impressions

    4 Retweets

    31 Likes

    15 Bookmarks

    0 Replies

    0 Quotes

  18. React2Shell (CVE-2025-55182/CVE-2025-66478) https://t.co/Ms2KpI1ls6

    @akaclandestine

    4 Dec 2025

    2147 Impressions

    4 Retweets

    18 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  19. High Fidelity Detection Mechanism for RSC/Next.js RCE (CVE-2025-55182 & CVE-2025-66478) https://t.co/ODaaSsB9nO https://t.co/sb6pBdoPeJ

    @secharvesterx

    4 Dec 2025

    536 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  20. if you use next.js be aware of this security advisory CVE-2025-66478 affecting the following versions: > next.js 15.x > next.js 16.x > next.js 14.3.0-canary.77 and later canary releases for my @solsticefi tools we are safu, no action required, project is safe from thi

    @thebbz

    4 Dec 2025

    219 Impressions

    1 Retweet

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. The CVE-2025-55182 / CVE-2025-66478 React Remote code execution is real - and easy to exploit once a vulnerable version is detected. Patch ASAP! https://t.co/R8ZIstZiTx We were able to recreate & run the PoC: https://t.co/zhSED5JqRX

    @Monethic_io

    4 Dec 2025

    3932 Impressions

    2 Retweets

    10 Likes

    5 Bookmarks

    1 Reply

    1 Quote

  22. CRITICAL VULN: CVE-2025-55182 / CVE-2025-66478 in React/Next.js framework. Malicious code is executed. Risk: >968,000 servers exposed. Wiz 39% of cloud environments affected Patch immediately. If you can't, deploy WAF rules Patch ASAP. #CybersrityNews #ReactJS #NextJS ht

    @tues_lartey

    4 Dec 2025

    167 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  23. ⚠️Security Advisory: CVE-2025-66478 | Next.js Impact The vulnerable RSC protocol allowed untrusted inputs to influence server-side execution behavior. Under specific conditions, an attacker could craft requests that trigger unintended server execution paths. This can result

    @dlt_green

    4 Dec 2025

    423 Impressions

    1 Retweet

    6 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. Next.js devs: Critical CVE-2025-66478 in React Server Components exposes your app to attacks—upgrade ASAP!​ Why urgent? Remote Code Execution: Attackers run arbitrary code on your server via unauthenticated requests (CVSS 10.0).​ Hits App Router by Default: Affects Next.js

    @tech_maddy

    4 Dec 2025

    192 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  25. Our Security Research team at @SLCyberSec published a high-fidelity detection mechanism for the Next.js/RSC RCE (CVE-2025-55182 & CVE-2025-66478) - https://t.co/D7JQz2CeDN. There are a lot (!) of PoCs on GitHub that are adding noise to the problem 👇

    @ITSecurityguard

    4 Dec 2025

    5836 Impressions

    8 Retweets

    74 Likes

    20 Bookmarks

    1 Reply

    0 Quotes

  26. 📢 Critical RCE Vulnerabilities Discovered in React & Next.js • CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) are cri

    @PurpleOps_io

    4 Dec 2025

    186 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. Our security research team created a high fidelity check for the Next.js/RSC RCE (CVE-2025-55182 & CVE-2025-66478). Read more on our blog here: https://t.co/MO5Lw1ZBLK

    @assetnote

    4 Dec 2025

    15569 Impressions

    42 Retweets

    185 Likes

    66 Bookmarks

    2 Replies

    1 Quote

  28. Our Security Research team at @SLCyberSec just published a high-fidelity detection mechanism for the Next.js/RSC RCE (CVE-2025-55182 & CVE-2025-66478) - https://t.co/aa62OKXpK2. There are a lot of PoCs on GitHub that are adding noise to the problem; I hope this helps people!

    @infosec_au

    4 Dec 2025

    32726 Impressions

    81 Retweets

    295 Likes

    150 Bookmarks

    5 Replies

    2 Quotes

  29. Email from vercel A critical vulnerability in React Server Components (CVE-2025-55182) has been responsibly disclosed. It affects React 19 and frameworks that use it, including Next.js (CVE-2025-66478). If you are using Next.js, every version between Next.js 15 and 16 is affected

    @lukaslookalike

    4 Dec 2025

    900 Impressions

    3 Retweets

    17 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  30. 😱 React2Shell (CVE-2025-55182/CVE-2025-66478) Targets server-side React applications; a vulnerability allowing unauthenticated remote code execution (RCE). By sending malicious input, an attacker can, on the server

    @syamgot

    4 Dec 2025

    631 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  31. React2Shell (CVE-2025-55182/CVE-2025-66478) https://t.co/jjndbOA5Bb A section titled "Important update: A note on invalid PoCs" has been added

    @whywaita

    4 Dec 2025

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  32. https://t.co/USMRolkPpY Critical Security Vulnerability in React Server Components: CVE-2025-55182 (Next.js: CVE-2025-66478) The versions disclosed in December 2025 showed clearly just how sensitive a position the RSC architecture occupies. https://t.co/KdsUOlh5Xr

    @piri_aykut

    4 Dec 2025

    145 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  33. A security vulnerability has broken out in front-end systems: React: CVE-2025-55182, and Next.js: CVE-2025-66478. It triggers an RCE vulnerability in live services. What is the impact? Once triggered, malicious code can be executed on the backend service, stealing env values that were assumed to be safely stored (a large share of secrets are

    @cevin_q

    4 Dec 2025

    328 Impressions

    0 Retweets

    4 Likes

    0 Bookmarks

    2 Replies

    0 Quotes

  34. React Server Components just got hit with a serious vuln (CVE-2025-55182). Next.js too (CVE-2025-66478). If you’re on Next.js 15–16 → update ASAP: 15.0.5 / 15.1.9 / 15.2.6 / 15.3.6 / 15.4.8 / 15.5.7 / 16.0.7. Using RSC in another framework? Patch React to 19.0.1 / 19.1.2 /

    @samofolabi

    4 Dec 2025

    300 Impressions

    2 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  35. Um... it seems a **maximum-severity (CVSS 10.0), very serious vulnerability (CVE-2025-66478)** has been found in Next.js... It affects the v15 and v16 lines that use App Router... There is a risk of RCE, of the server being operated without your consent... As for our own servers

    @CCE7

    4 Dec 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  36. React2Shell (CVE-2025-55182/CVE-2025-66478) https://t.co/ej7EsLMQ0V

    @yousukezan

    4 Dec 2025

    2139 Impressions

    3 Retweets

    9 Likes

    6 Bookmarks

    0 Replies

    0 Quotes

  37. Hackers Exploit React and Next.js CVEs to Hijack Apps Meta and Vercel disclosed critical CVEs (CVE-2025-55182, CVE-2025-66478) affecting React and Next.js. Google Cloud recommends updating frameworks, deploying WAF rules, and patching dependencies immediately to prevent remote h

    @Secwiserapp

    4 Dec 2025

    427 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  38. CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) are critical unauthenticated RCE vulnerabilities in the React Server Components (RSC) "Flight" protocol. Default configurations are vulnerable – a standard Next.js app created with create-next-app and built for production can

    @blackorbird

    4 Dec 2025

    5034 Impressions

    3 Retweets

    41 Likes

    13 Bookmarks

    2 Replies

    0 Quotes

  39. ⚠️⚠️ CVE-2025-55182(CVSS 10.0) && CVE-2025-66478(CVSS 10.0) : Catastrophic React Flaw allows Unauthenticated RCE on Next.js and React Server Components. 🔥PoC: https://t.co/NcbuTg1eG6 https://t.co/LCLJ2p45la 🔗FOFA Link: https://t.co/9uZoJWH49s 🎯8.7M Result

    @fofabot

    4 Dec 2025

    22940 Impressions

    53 Retweets

    189 Likes

    112 Bookmarks

    2 Replies

    3 Quotes

  40. Critical vulnerability in React Server Components (CVE-2025-55182) has been responsibly disclosed. It affects React 19 and frameworks that use it, including Next.js (CVE-2025-66478). Can someone explain in simple terms what this vulnerability means and what developers should do?

    @iamvishalbrow

    4 Dec 2025

    1162 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  41. 🚨Alert🚨:Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution(CVE-2025-55182&CVE-2025-66478) 🔥PoC : https://t.co/RG8kg59GfU https://t.co/fg5Qdjrzy1 🧐Detail : https://t.co/MyU68wMNZ7 ----------------------------------------- CVE-2025-55

    @HunterMapping

    4 Dec 2025

    10905 Impressions

    31 Retweets

    119 Likes

    67 Bookmarks

    0 Replies

    0 Quotes

  42. A critical vulnerability in React Server Components (CVE-2025-55182) has been responsibly disclosed. It affects React 19 and frameworks that use it, including Next.js (CVE-2025-66478) 🧐 https://t.co/ru2hI9jgKe

    @m0nle0z

    4 Dec 2025

    222 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  43. The exploitation of Next.js (CVE-2025-66478) is not possible unless you can control the serverManifest. Because of that, a Prototype Pollution primitive on the target is required in order to exploit this CVE. Even in ejpir’s PoC (https://t.co/X2ECG3FMvg), the PoC explicitly

    @carlos_crowsec

    4 Dec 2025

    7364 Impressions

    13 Retweets

    49 Likes

    31 Bookmarks

    4 Replies

    1 Quote

  44. CVE-2025-66478 Rejected reason https://t.co/YGPvF9ctBA

    @VulmonFeeds

    4 Dec 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  45. Security Advisory: CVE-2025-66478 - Next.js https://t.co/Ml976nsxBU

    @ghostednews

    4 Dec 2025

    59 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  46. 🔸 Next.js / React security information: CVE-2025-66478 has been published. This is something the vibe-coding crowd should definitely check too. The following version lines need checking: ・Next.js 15.x ・Next.js 16.x ・Next.js 14.3.0-can

    @YoungsuPark6

    4 Dec 2025

    669 Impressions

    0 Retweets

    10 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  47. An extremely serious vulnerability (CVSS 10.0, i.e. the maximum score) discovered in React Server Components (and therefore Next.js too), allowing unauthenticated remote code execution, has been given the name React2Shell and now has a site / "React2Shell (CVE-202

    @t_wada

    3 Dec 2025

    340028 Impressions

    332 Retweets

    903 Likes

    387 Bookmarks

    0 Replies

    39 Quotes

  48. I wonder if CVE-2025-55182 and CVE-2025-66478 affect @htmx_org

    @apr

    3 Dec 2025

    4552 Impressions

    0 Retweets

    4 Likes

    0 Bookmarks

    0 Replies

    2 Quotes

  49. 🚀 Next.js v15.5.7 has been released. 📦 Type: patch ✨ Main changes: • For details on CVE-2025-66478, see the blog post. #GitHub #Release #Next.js

    @darthnegi

    3 Dec 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  50. 🚀 Next.js v15.4.8 has been released. 📦 Type: patch ✨ Main changes: • Security fix for CVE-2025-66478 🔧 Important fixes: • Security fix for CVE-2025-66478 #GitHub #Release #Next.js

    @darthnegi

    3 Dec 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.