{"id":2516,"date":"2025-12-05T22:37:25","date_gmt":"2025-12-06T03:37:25","guid":{"rendered":"https:\/\/www.yorku.ca\/uit\/infosec\/?p=2516"},"modified":"2025-12-05T22:39:34","modified_gmt":"2025-12-06T03:39:34","slug":"remote-code-execution-vulnerability-in-react-and-next-js-frameworks","status":"publish","type":"post","link":"https:\/\/www.yorku.ca\/uit\/infosec\/2025\/12\/05\/remote-code-execution-vulnerability-in-react-and-next-js-frameworks\/","title":{"rendered":"Remote Code Execution Vulnerability in React and Next.js Frameworks"},"content":{"rendered":"\n<p>The React team released a security advisory regarding a critical vulnerability, CVE-2025-55182, in the React server that could allow an unauthenticated, remote attacker to perform remote code execution on an affected device or system.<\/p>\n\n\n\n<p><strong>Severity level:-<\/strong><\/p>\n\n\n\n<p>CVSS Score: 10.0 \/ Critical.<\/p>\n\n\n\n<p><strong>Description:-<\/strong> The vulnerability has been identified in the React Server Components (also known as React.js or ReactJS) \u201cFlight\u201d protocol, affecting React 19 ecosystems and frameworks that implement it, most notably Next.js. The issue arises from insecure deserialization that allows unauthenticated remote code execution (RCE). 
When a malicious actor crafts a specific HTTP request, the flaw in React's deserialization process can enable them to execute arbitrary code on an unpatched server.<\/p>\n\n\n\n<p><strong>Affected Versions:-<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>React Server Components versions 19.0, 19.1.0, 19.1.1, and 19.2.0<\/li>\n\n\n\n<li>Next.js versions 14.3.0-canary.77, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 and 16.0.7<\/li>\n<\/ul>\n\n\n\n<p><strong>Impact:-<\/strong><\/p>\n\n\n\n<p>An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server. Exploit code is publicly available and exploitation is actively occurring.<\/p>\n\n\n\n<p><strong>Resolution:-<\/strong><\/p>\n\n\n\n<p>Administrators should upgrade to the latest patched version in their release line.<\/p>\n\n\n\n<p><strong>Reference:-<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/react.dev\/blog\/2025\/12\/03\/critical-security-vulnerability-in-react-server-components\">https:\/\/react.dev\/blog\/2025\/12\/03\/critical-security-vulnerability-in-react-server-components<\/a><br><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-55182\">https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-55182<\/a><br><a href=\"https:\/\/www.wiz.io\/blog\/critical-vulnerability-in-react-cve-2025-55182\">https:\/\/www.wiz.io\/blog\/critical-vulnerability-in-react-cve-2025-55182<\/a><br><a href=\"https:\/\/www.cyber.gc.ca\/en\/alerts-advisories\/react-security-advisories-av25-804\">https:\/\/www.cyber.gc.ca\/en\/alerts-advisories\/react-security-advisories-av25-804<\/a><\/p>\n\n\n\n<p>UIT Information Security<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The React team released a security advisory regarding a critical vulnerability, CVE-2025-55182, in the 
React server that could allow an unauthenticated, remote attacker to perform remote code execution on an affected device or system. Severity level:- CVSS Score: 10.0 \/ Critical. Description:- The vulnerability has been identified in React Server Components (also known as React.js [&hellip;]<\/p>\n","protected":false},"author":1728,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","ngg_post_thumbnail":0,"footnotes":""},"categories":[3,4,5,31],"tags":[],"class_list":["post-2516","post","type-post","status-publish","format-standard","hentry","category-advisory","category-alerts","category-announcement","category-vulnerabilities"],"taxonomy_info":{"category":[{"value":3,"label":"Advisories"},{"value":4,"label":"Alert"},{"value":5,"label":"Announcement"},{"value":31,"label":"Vulnerabilities"}]},"featured_image_src_large":false,"author_info":{"display_name":"jeanck","author_link":"https:\/\/www.yorku.ca\/uit\/infosec\/author\/jeanck\/"},"comment_info":0,"category_info":[{"term_id":3,"name":"Advisories","slug":"advisory","term_group":0,"term_taxonomy_id":3,"taxonomy":"category","description":"","parent":0,"count":26,"filter":"raw","cat_ID":3,"category_count":26,"category_description":"","cat_name":"Advisories","category_nicename":"advisory","category_parent":0},{"term_id":4,"name":"Alert","slug":"alerts","term_group":0,"term_taxonomy_id":4,"taxonomy":"category","description":"","parent":0,"count":63,"filter":"raw","cat_ID":4,"category_count":63,"category_description":"","cat_name":"Alert","category_nicename":"alerts","category_parent":0},{"term_id":5,"name":"Announcement","slug":"announcement","term_group":0,"term_taxonomy_id":5,"taxonomy":"category","description":"","parent":0,"count":56,"filter":"raw","cat_ID":5,"category_count":56,"category_description":"","cat_name":"Announcement","category_nicename":"announcement","category_parent":0},{"term_id":31,"name":
"Vulnerabilities","slug":"vulnerabilities","term_group":0,"term_taxonomy_id":31,"taxonomy":"category","description":"","parent":0,"count":15,"filter":"raw","cat_ID":31,"category_count":15,"category_description":"","cat_name":"Vulnerabilities","category_nicename":"vulnerabilities","category_parent":0}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/www.yorku.ca\/uit\/infosec\/wp-json\/wp\/v2\/posts\/2516","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.yorku.ca\/uit\/infosec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.yorku.ca\/uit\/infosec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.yorku.ca\/uit\/infosec\/wp-json\/wp\/v2\/users\/1728"}],"replies":[{"embeddable":true,"href":"https:\/\/www.yorku.ca\/uit\/infosec\/wp-json\/wp\/v2\/comments?post=2516"}],"version-history":[{"count":2,"href":"https:\/\/www.yorku.ca\/uit\/infosec\/wp-json\/wp\/v2\/posts\/2516\/revisions"}],"predecessor-version":[{"id":2518,"href":"https:\/\/www.yorku.ca\/uit\/infosec\/wp-json\/wp\/v2\/posts\/2516\/revisions\/2518"}],"wp:attachment":[{"href":"https:\/\/www.yorku.ca\/uit\/infosec\/wp-json\/wp\/v2\/media?parent=2516"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.yorku.ca\/uit\/infosec\/wp-json\/wp\/v2\/categories?post=2516"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.yorku.ca\/uit\/infosec\/wp-json\/wp\/v2\/tags?post=2516"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}