Critical React Server Components Flaws Expose Next.js App Router Deployments
Next.js disclosed a critical remote code execution vulnerability affecting applications that use the App Router. The root cause lies in the upstream React Server Components protocol and is tracked as CVE-2025-55182; the downstream Next.js impact is tracked as CVE-2025-66478. The flaw carries a CVSS 10.0 rating and can be triggered by attacker-controlled requests against unpatched deployments, with maintainers warning that no workaround exists. Affected releases include multiple 15.x and 16.x branches as well as 14.3.0-canary.77 and later canary builds, while 13.x, stable 14.x, Pages Router applications, and the Edge Runtime were reported as unaffected. Next.js issued patched releases, published the fix-react2shell-next npm remediation tool, and advised organizations whose applications were online and unpatched at the disclosed cutoff to rotate secrets after patching.
The company later reported two additional upstream React Server Components issues with downstream impact on Next.js App Router deployments: CVE-2025-55184, a high-severity denial-of-service flaw that can hang the server process through a crafted HTTP request, and CVE-2025-55183, a medium-severity source code exposure bug that can cause a Server Function to return compiled source code from other Server Functions. Next.js said neither new issue enables remote code execution and that the earlier React2Shell mitigation remains effective, but it also acknowledged that the initial fix for CVE-2025-55184 was incomplete and was superseded by CVE-2025-67779, forcing some users to upgrade again. The affected range spans App Router deployments from 13.3 across several 14.x, 15.x, and 16.x release lines, and the vendor again said Pages Router applications are not affected and urged immediate upgrades to the latest patched versions.

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
Next.js says initial DoS fix was incomplete and issues follow-up fix
Next.js reported that the initial fix for CVE-2025-55184 was incomplete and that a complete fix was later released as CVE-2025-67779, requiring some users to upgrade again. The company also said the earlier React2Shell patch remained effective and that no workaround was available.
Next.js discloses two additional App Router vulnerabilities
On December 11, Next.js disclosed downstream impact from two newly identified upstream React Server Components flaws: CVE-2025-55184, a high-severity denial-of-service issue, and CVE-2025-55183, a medium-severity source code exposure issue. Pages Router applications were stated to be unaffected.
Trend Micro reports widespread React2Shell exploitation and named campaigns
Trend Micro said CVE-2025-55182 was being exploited in the wild and that it had observed nearly 145 proof-of-concept exploits. The company identified campaigns including emerald and nuts delivering payloads such as Cobalt Strike via Cross C2, Nezha, FRP, Sliver, and Secret-Hunter, and published additional exploit-chain details.
Microsoft reports hundreds of React2Shell compromises across organizations
Microsoft said it observed exploitation of CVE-2025-55182 as early as December 5, 2025, with several hundred compromised machines across diverse organizations. The company described post-exploitation activity including Cobalt Strike, MeshAgent persistence, Cloudflare Tunnel abuse, credential theft, and malware such as VShell, EtherRAT, SNOWLIGHT, ShadowPAD, and XMRig.
Sysdig reports EtherRAT implant in React2Shell compromise
Sysdig said it recovered a novel Linux implant named EtherRAT on December 5 from a compromised Next.js application exploited via CVE-2025-55182. The report described a multi-stage attack chain using Ethereum smart contracts for C2 resolution and assessed tradecraft overlap with DPRK-linked Contagious Interview activity, though attribution remained unconfirmed.
Next.js sets secret-rotation guidance for exposed unpatched apps
Next.js advised that applications which were online and unpatched as of 2025-12-04 at 1:00 PM PT should rotate secrets after patching, reflecting potential exposure from the RCE issue.
Vercel deploys WAF protections and blocks vulnerable Next.js deployments
In response to CVE-2025-55184 and CVE-2025-55183, Vercel said it deployed protective WAF rules for hosted projects and prevented new deployments of vulnerable Next.js versions. The company stressed these measures were only interim mitigations and that users still needed to upgrade to patched releases.
Next.js releases patches and remediation tool for CVE-2025-66478
Patched releases were issued across multiple 15.x and 16.x branches, along with canary builds, and Next.js also released the npm remediation tool fix-react2shell-next to help users identify and upgrade affected installations.
Next.js publishes advisory for critical App Router RCE vulnerability
Next.js disclosed CVE-2025-66478, a critical CVSS 10.0 remote code execution flaw affecting App Router applications in vulnerable 14.3.0-canary, 15.x, and 16.x release lines. The company said there was no workaround and urged immediate upgrades.
Researcher responsibly discloses React Server Components RCE issue
Next.js credited Lachlan Davidson with responsibly disclosing a critical React Server Components protocol vulnerability that was tracked upstream as CVE-2025-55182 and downstream for Next.js as CVE-2025-66478.
Sources
Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components | Microsoft Security Blog
microsoft.com
Next.js Security Update: December 11, 2025 | Next.js
nextjs.org
CVE-2025-55182: React2Shell Analysis, Proof-of-Concept Chaos, and In-the-Wild Exploitation | Trend Micro (US)
trendmicro.com
EtherRAT: DPRK uses novel Ethereum implant in React2Shell attacks | Sysdig
webflow.sysdig.com
Detecting React2Shell: The maximum-severity RCE vulnerability affecting React Server Components and Next.js | Sysdig
webflow.sysdig.com
Security Advisory: CVE-2025-66478 | Next.js
nextjs.org
Security Bulletin: CVE-2025-55184 and CVE-2025-55183 | Vercel Knowledge Base
vercel.com