React & Next.js remote code execution: Mass exploitation underway
Dec 8, 2025

On December 3, 2025, security researchers disclosed CVE-2025-55182, a critical unauthenticated remote code execution vulnerability in React Server Components. Rated at the maximum CVSS score of 10.0, it lets an attacker execute arbitrary code on servers running Next.js and any other framework that implements React Server Components. Active exploitation began within hours of public disclosure, and Wiz Research reported that 39% of cloud environments contained vulnerable versions. CISA added the flaw to its Known Exploited Vulnerabilities catalog on December 5, 2025, confirming in-the-wild exploitation against default Next.js configurations.
What happened
Lachlan Davidson reported the vulnerability to Meta's Bug Bounty program on November 29, 2025. Meta's security team confirmed the flaw on November 30 and began coordinating with React developers and hosting providers. On December 3, 2025, React and Next.js released coordinated security updates to address CVE-2025-55182, an insecure deserialization vulnerability in the React Server Components "Flight" protocol. The flaw sits in the server-side Flight deserializer itself, not in application code: a specially crafted HTTP request to an App Router application is processed without adequate validation of the structures it carries, giving server-side code execution with no authentication and no developer error required. Public proof-of-concept exploits became available on December 4, immediately triggering scanning and exploitation attempts. Amazon threat intelligence teams observed Chinese state-nexus groups launching attacks within hours of disclosure, while security vendors including Datadog, GreyNoise, and Coalition confirmed active exploitation targeting internet-facing Next.js applications and Kubernetes containers. Post-exploitation activity includes cloud credential harvesting and cryptocurrency mining.
What data was taken
Attackers exploiting CVE-2025-55182 gain arbitrary code execution on the server, enabling them to access any data the application can reach. This includes application databases containing customer records, user credentials, financial transactions, and personally identifiable information. Compromised servers also expose environment variables containing API keys, database passwords, and cloud service credentials, which attackers use for lateral movement across cloud infrastructure. Security researchers documented credential harvesting campaigns targeting AWS, Azure, and Google Cloud Platform environments, with stolen credentials appearing on underground marketplaces within days of initial compromise. The vulnerability's impact extends beyond immediate data theft, as attackers establish persistent access through backdoors and web shells for future exploitation.
What was not affected
Next.js applications using the Pages Router instead of the App Router remain unaffected, as the vulnerability specifically targets React Server Components implementation. Static site builds and client-side-only React applications without server components are not vulnerable. Organizations that upgraded to patched versions immediately after disclosure and those running Next.js applications behind authentication layers with restricted internet access faced lower exploitation risk. Other React frameworks not implementing React Server Components, including traditional create-react-app projects, React Native applications, and frameworks using React exclusively for client-side rendering, are not impacted by this vulnerability.
How attacks like this unfold
Attackers begin by scanning for Next.js applications using automated tools that identify React Server Components deployments through HTTP response headers and framework fingerprinting. Once a target is identified, they send malicious HTTP payloads exploiting the insecure deserialization flaw in the Flight protocol, which processes the serialized request without proper validation. Successful exploitation grants immediate remote code execution with the privileges of the application server process, allowing attackers to enumerate the environment, extract credentials from configuration files and environment variables, and establish persistence through web shells or backdoor accounts. Attackers then move laterally into cloud infrastructure using stolen credentials, accessing databases, object storage, and adjacent services before exfiltrating sensitive data or deploying cryptominers. The initial request looks like ordinary application traffic, so monitoring tuned to classic application-layer attacks such as SQL injection or XSS rather than framework-level exploitation can miss it entirely.
Why leaders should care
CVE-2025-55182 represents a critical infrastructure vulnerability affecting one of the most widely adopted modern web frameworks. Next.js powers applications across Fortune 500 companies, startups, and government agencies, creating an enormous attack surface. The vulnerability requires no authentication and exploits default configurations, meaning standard Next.js applications created with create-next-app are vulnerable without any developer error. The rapid weaponization demonstrates attackers' ability to capitalize on framework vulnerabilities before organizations can respond. Wiz Research finding vulnerable code in 39% of cloud environments indicates massive exposure, while confirmed exploitation by state-sponsored groups signals strategic targeting of high-value infrastructure. Organizations face regulatory investigations, class action litigation, and customer trust erosion if breached through this vulnerability, particularly when exploitation occurs against known vulnerabilities with available patches.
What to do now
Immediately patch all React and Next.js installations
Organizations must immediately upgrade React to versions 19.0.1, 19.1.2, or 19.2.1, and Next.js to patched versions including 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, or 15.0.5. Inventory all applications using React Server Components or Next.js App Router across development, staging, and production environments. Prioritize internet-facing applications for immediate patching, then address internal applications that could facilitate lateral movement if compromised. Validate successful patching through automated vulnerability scanning and manual verification of React and Next.js package versions.
Hunt for indicators of compromise and investigate anomalies
Security teams must immediately search server logs, application logs, and network traffic for exploitation indicators from November 29, 2025 onwards. Look for unusual HTTP requests to Next.js endpoints, unexpected server processes or connections, suspicious file modifications in application directories, and evidence of credential access or environment variable enumeration. Review all privileged account activity and cloud service access logs for unauthorized API calls, data exports, or infrastructure modifications. Investigate any cryptocurrency mining activity, unexpected network connections to external IPs, or lateral movement attempts across cloud resources. Organizations discovering evidence of compromise should immediately contain affected systems and engage forensic investigators.
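The hunt described above needs concrete triage logic. The following is an added example and is not code from the article or from the React or Next.js projects. It assumes access logs exported as JSON lines carrying the source address, method, path, status and the value of the Next-Action request header (the header Next.js uses to route Server Action invocations; default proxy log formats usually do not record request headers, so logging it must be configured). The sample log lines are constructed, and the two heuristics are assumptions to tune per application, not published indicators of compromise: a Server Action POST from a client that never loaded a page, and Server Action POSTs sprayed across many paths in a short window.

```python
"""Triage access logs for scanner-like Server Action traffic after CVE-2025-55182.

Assumed input: one JSON object per line with ts, src, method, path, status and
next_action (the Next-Action request header, or null). The heuristics below are
assumptions to be tuned per application, not published indicators of compromise.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample log: two ordinary browser sessions (203.0.113.10, 192.0.2.55)
# and one source that sprays Server Action POSTs without ever loading a page.
SAMPLE_LOG = """\
{"ts":"2025-12-04T08:00:01Z","src":"203.0.113.10","method":"GET","path":"/","status":200,"next_action":null}
{"ts":"2025-12-04T08:00:09Z","src":"203.0.113.10","method":"POST","path":"/","status":200,"next_action":"a1b2c3d4"}
{"ts":"2025-12-04T08:02:00Z","src":"198.51.100.7","method":"POST","path":"/","status":500,"next_action":"x"}
{"ts":"2025-12-04T08:02:01Z","src":"198.51.100.7","method":"POST","path":"/login","status":404,"next_action":"x"}
{"ts":"2025-12-04T08:02:02Z","src":"198.51.100.7","method":"POST","path":"/api/health","status":500,"next_action":"x"}
{"ts":"2025-12-04T08:02:03Z","src":"198.51.100.7","method":"POST","path":"/_next/image","status":500,"next_action":"x"}
{"ts":"2025-12-04T08:30:00Z","src":"192.0.2.55","method":"GET","path":"/dashboard","status":200,"next_action":null}
{"ts":"2025-12-04T08:30:12Z","src":"192.0.2.55","method":"POST","path":"/dashboard","status":200,"next_action":"e5f6a7b8"}
"""


def parse_log(text):
    """Parse JSON-lines log text into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_sources(events, spray_paths=3, window_seconds=60):
    """Return {src: [reasons]} for sources whose Server Action traffic looks automated.

    no_page_load : a Server Action POST from a source with no earlier GET in the log;
                   a browser fetches the page (and its action IDs) before it can post.
    path_spray   : Server Action POSTs to >= spray_paths distinct paths inside
                   window_seconds, the pattern of a scanner trying every route it finds.
    """
    seen_get = set()
    action_posts = defaultdict(list)   # src -> [(ts, path)]
    reasons = defaultdict(set)
    for event in events:
        src = event["src"]
        if event["method"] == "GET":
            seen_get.add(src)
        elif event["method"] == "POST" and event.get("next_action"):
            if src not in seen_get:
                reasons[src].add("no_page_load")
            action_posts[src].append((event["ts"], event["path"]))
    for src, posts in action_posts.items():
        for i, (start, _) in enumerate(posts):
            in_window = {path for ts, path in posts[i:]
                         if (ts - start).total_seconds() <= window_seconds}
            if len(in_window) >= spray_paths:
                reasons[src].add("path_spray")
                break
    return {src: sorted(flags) for src, flags in reasons.items()}


def requests_from(events, src):
    """Pull every request from a flagged source for analyst review."""
    return [(e["ts"].isoformat(), e["method"], e["path"], e["status"])
            for e in events if e["src"] == src]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, flags in find_suspicious_sources(evs).items():
        print(f"{src}: {', '.join(flags)}")
        for row in requests_from(evs, src):
            print("   ", *row)
```

Both heuristics are bounded by the log window: a client whose page load fell before the start of the exported window will be flagged as no_page_load, so treat a hit as a lead to pull the full request history for that source, not as a verdict. Run the same logic over the whole period from November 29, 2025 onward, as the section recommends.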
Implement defense-in-depth architecture and monitoring improvements
Organizations must deploy Web Application Firewalls with rules specifically targeting CVE-2025-55182 exploitation attempts as an additional defense layer. Implement runtime application security monitoring capable of detecting unusual server-side execution patterns and data access anomalies. Restrict internet exposure of Next.js applications through network segmentation, requiring authentication before reaching application servers where possible. Establish automated dependency scanning in CI/CD pipelines to detect vulnerable React and Next.js versions before deployment. Rotate all credentials and API keys potentially accessible from compromised servers, and audit cloud IAM permissions to enforce least-privilege access. Deploy enhanced logging for all application servers and implement automated alerting for suspicious activity patterns including unusual process execution, network connections, or credential access.
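The version verification called for in the patching step and the CI/CD dependency scanning called for here are the same check. The following is an added example, not code from the article or from the React or Next.js projects. It reads a package-lock.json (lockfileVersion 2 or 3; pnpm and yarn lockfiles are not handled) and compares every react and next entry, including nested copies, against the fixed releases named in this article. Next.js ships its own bundled React build, so for a Next.js application the next version is the one that matters; the react line covers other frameworks that implement React Server Components. The sample lockfile is constructed. A release line with no fixed version in the list (React 18.x, for instance) is reported as unlisted rather than guessed at, and the non-zero exit status makes the script usable as a pipeline gate.

```python
"""Check react / next versions in a package-lock.json against the CVE-2025-55182 fixed releases.

FIXED holds the patched releases named in the advisories, one per release line. A version
on a line with no fixed release in that list is reported as 'unlisted', not guessed at.
"""
import json
import re
import sys

FIXED = {
    "react": ["19.0.1", "19.1.2", "19.2.1"],
    "next": ["16.0.7", "15.5.7", "15.4.8", "15.3.6", "15.2.6", "15.1.9", "15.0.5"],
}

# Tolerates range prefixes (^, ~, =, v) and a prerelease suffix such as -canary.3.
_VERSION = re.compile(r"^[v^~=\s]*(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")

# Constructed sample lockfile: a vulnerable Next.js 15.5 app with a nested React 18 copy.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"next": "15.5.6", "react": "19.1.0"}},
        "node_modules/next": {"version": "15.5.6"},
        "node_modules/react": {"version": "19.1.0"},
        "node_modules/react-dom": {"version": "19.1.0"},
        "node_modules/legacy-widget/node_modules/react": {"version": "18.3.1"},
    },
})


def parse_version(text):
    """Return (major, minor, patch, prerelease) for '15.5.6', '^16.0.7', '19.2.1-canary.1', ..."""
    match = _VERSION.match(text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch, pre = match.groups()
    return int(major), int(minor), int(patch), pre


def assess(package, installed):
    """Classify one installed version as 'patched', 'vulnerable' or 'unlisted'."""
    major, minor, patch, pre = parse_version(installed)
    for fixed in FIXED.get(package, []):
        f_major, f_minor, f_patch, _ = parse_version(fixed)
        if (f_major, f_minor) != (major, minor):
            continue
        if patch > f_patch or (patch == f_patch and pre is None):
            return "patched"
        # Older patch level, or a prerelease of the fixed version: semver orders
        # 16.0.7-canary.1 before 16.0.7, so it does not carry the fix.
        return "vulnerable"
    return "unlisted"


def scan_lockfile(lock_text):
    """Assess every react / next entry, including nested copies under node_modules/<dep>/node_modules/."""
    packages = json.loads(lock_text).get("packages", {})
    findings = []
    for path, meta in packages.items():
        if "node_modules/" not in path or "version" not in meta:
            continue
        name = path.rsplit("node_modules/", 1)[1]
        if name in FIXED:
            findings.append((path, meta["version"], assess(name, meta["version"])))
    return findings


def main(argv):
    """Scan the lockfile given on the command line (or the sample); exit 1 if anything is vulnerable."""
    lock_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOCK
    findings = scan_lockfile(lock_text)
    for path, version, verdict in findings:
        print(f"{verdict:10} {path} {version}")
    return 1 if any(verdict == "vulnerable" for _, _, verdict in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_lock.py package-lock.json` in the pipeline and fail the build on exit status 1. Checking the lockfile catches what will actually be installed; confirm the deployed artifact separately, since a container built from an older lockfile stays vulnerable after the repository is fixed.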
Pressing questions
Why was this vulnerability assigned a CVSS score of 10.0?
The maximum severity rating reflects the vulnerability's characteristics: unauthenticated remote code execution affecting default configurations, requiring no user interaction, and granting complete system compromise. The flaw exploits a fundamental protocol implementation affecting widely deployed frameworks, creating enormous attack surface with straightforward exploitation requiring only crafted HTTP requests.
How quickly did attackers begin exploiting this vulnerability?
Public proof-of-concept exploits appeared within 24 hours of disclosure on December 3, 2025, with active scanning and exploitation attempts observed by December 4. Amazon threat intelligence reported Chinese state-nexus groups launching attacks within hours of the vulnerability's public release, demonstrating the rapid weaponization timeline for critical framework vulnerabilities.
What is the relationship between CVE-2025-55182 and CVE-2025-66478?
CVE-2025-66478 was initially assigned to track the vulnerability's impact on Next.js, but was later rejected as a duplicate of CVE-2025-55182 because both share the same root cause in React Server Components. Organizations should reference CVE-2025-55182 as the canonical identifier for this vulnerability.
What temporary mitigations exist if immediate patching is impossible?
Organizations unable to patch immediately should deploy Web Application Firewall rules targeting exploitation attempts, restrict network access to Next.js applications behind VPN or authentication layers, and temporarily disable or isolate internet-facing Next.js deployments. However, these are stopgap measures, as the only effective long-term protection is upgrading to patched versions of React and Next.js.
Key takeaways
CVE-2025-55182 demonstrates how modern framework vulnerabilities create massive attack surface across cloud environments, with 39% of organizations potentially affected. The vulnerability exploits default configurations without requiring developer error, shifting security responsibility to rapid patch deployment and comprehensive dependency management. Active exploitation by state-sponsored groups within hours of disclosure emphasizes the compressed timeline between vulnerability disclosure and widespread attacks against critical infrastructure. Organizations must establish automated dependency scanning, maintain current framework versions, and implement defense-in-depth architectures that prevent single vulnerabilities from causing complete compromise. The incident reinforces the importance of continuous security code review and monitoring capabilities that detect exploitation attempts even when zero-day vulnerabilities emerge in trusted frameworks.