A Must-Read for Teams Using React and NextJS: Summary of Critical Security Vulnerabilities and Patch Guide (CVE-2025-55182, 66478)

A critical CVSS 10 vulnerability has been disclosed in the React and Next.js frameworks. This article explains what the vulnerability is, how to check whether your service is affected, and how to safely apply the necessary patches.

Q1. What are the React/NextJS vulnerabilities (CVE-2025-55182 / CVE-2025-66478)?

An unauthenticated remote code execution (RCE) vulnerability was discovered in packages related to React Server Components (RSC). Because NextJS uses these React packages internally, NextJS projects may also be affected.


Q2. How can I check whether my NextJS project is using a vulnerable version?

You can run npx next --version or npm ls react-server-dom-* to check the NextJS version and whether any RSC-related packages are installed.


Q3. Which versions of NextJS are vulnerable?

Next.js 15.x, 16.x, and Canary releases after 14.3.0-canary.77 are affected by this vulnerability.


Q4. Which version should I update to in order to fix the issue?

NextJS addressed these issues in versions such as 15.5.7 and 16.0.7. Running npm install next@latest is the recommended way to update to the latest secure version.


Q5. What if I cannot apply the patch immediately?

You can mitigate risk temporarily by blocking RSC-related endpoints at the network, middleware, or WAF level, and by strengthening request validation.


You must review your React and NextJS versions and apply the available patches

Summary

A critical unauthenticated remote code execution (RCE) vulnerability was disclosed in core React packages.
Because these packages are used internally by the widely adopted NextJS framework, NextJS-based services must review their versions and apply patches immediately.

Key actions:

  1. Run npx next --version and npm ls react-server-dom-* to check your NextJS and RSC-related package versions.
  2. If your environment is affected, update to patch releases like Next 16.0.7 / 15.5.7, perform local build tests, and deploy.
  3. If immediate patching is difficult, restrict RSC-related endpoints at the network/WAF/middleware level as a temporary measure.

NextJS — Versions Affected

The following NextJS versions are impacted by the vulnerability:

  • Next.js 15.x

  • Next.js 16.x

  • Next.js 14.3.0-canary.77 and later Canary releases

You can check your version via package.json or with this command:

npx next --version

The RSC-related vulnerability applies to the following React versions:

  • React 19.0, 19.1.0, 19.1.1, 19.2.0

The related packages include:

  • react-server-dom-webpack

  • react-server-dom-parcel

  • react-server-dom-turbopack

Check whether your project is using any of these:

npm ls react-server-dom-parcel
npm ls react-server-dom-webpack
npm ls react-server-dom-turbopack

To understand how the package was included (dependency chain):

npm why react-server-dom-parcel
npm why react-server-dom-webpack
npm why react-server-dom-turbopack

NextJS Versions Containing Security Fixes

NextJS has released patches in the following versions:

Stable

  • 15.0.5

  • 15.1.9

  • 15.2.6

  • 15.3.6

  • 15.4.8

  • 15.5.7

  • 16.0.7

Canary

  • 15.6.0-canary.58 (15.x Canary line)

  • 16.1.0-canary.12 (16.x Canary line)

If your running version is older than these versions, updating to one of the patched releases is strongly recommended.
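The two checks described above (the version you are running versus the fixed releases, and whether any react-server-dom-* package is in the dependency tree) can be automated. The following is an added example, not code from the original post or from the Next.js project: it compares a Next.js version string against the affected and patched versions listed in this article, including the canary cut-offs, and walks `npm ls --json` output to locate react-server-dom-* packages along with their dependency chain. The npm output embedded at the bottom is a constructed sample, and `some-rsc-bundler-plugin` is a hypothetical package name.

```typescript
// Added example, not code from the original post or from the Next.js project.
// It classifies an installed Next.js version against the affected and patched
// versions listed in the article, and walks `npm ls --json` output to find
// react-server-dom-* packages. The npm output below is a constructed sample.

interface Version {
  major: number;
  minor: number;
  patch: number;
  pre: string | null; // prerelease tag such as "canary"; null for a stable release
  preNum: number;     // prerelease counter (the 58 in 15.6.0-canary.58); -1 if none
}

function parseVersion(input: string): Version {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.(\d+))?$/.exec(input.trim());
  if (!m) throw new Error(`unrecognised version string: ${input}`);
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: Number(m[3]),
    pre: m[4] ? m[4].toLowerCase() : null,
    preNum: m[5] ? Number(m[5]) : -1,
  };
}

// Semver-style ordering: compare major.minor.patch, then treat a prerelease as
// older than the stable release with the same number, then compare the counter.
function compareVersions(a: string, b: string): number {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (const k of ["major", "minor", "patch"] as const) {
    if (x[k] !== y[k]) return x[k] - y[k];
  }
  if (x.pre === null && y.pre === null) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  if (x.pre !== y.pre) return x.pre < y.pre ? -1 : 1;
  return x.preNum - y.preNum;
}

// Fixed releases per line, copied from the article's list of patched versions.
const STABLE_FIXES: Record<string, string> = {
  "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
  "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7",
};
const CANARY_FIXES: Record<number, string> = { 15: "15.6.0-canary.58", 16: "16.1.0-canary.12" };
const FIRST_AFFECTED_CANARY = "14.3.0-canary.77";

type Status = "not-affected" | "vulnerable" | "patched" | "unknown";
interface Assessment { status: Status; reason: string }

function assessNextVersion(version: string): Assessment {
  const v = parseVersion(version);
  if (v.pre === null) {
    // Stable line: the article lists 15.x and 16.x as affected, nothing older.
    if (v.major < 15) return { status: "not-affected", reason: "stable release before 15.x is not listed as affected" };
    const fix = STABLE_FIXES[`${v.major}.${v.minor}`];
    if (!fix) return { status: "unknown", reason: "no fixed release for this line is listed in the article; check the advisory" };
    return compareVersions(version, fix) >= 0
      ? { status: "patched", reason: `at or above ${fix}` }
      : { status: "vulnerable", reason: `below ${fix}; update to ${fix} or later` };
  }
  if (v.pre === "canary") {
    if (compareVersions(version, FIRST_AFFECTED_CANARY) < 0) {
      return { status: "not-affected", reason: `canary before ${FIRST_AFFECTED_CANARY}` };
    }
    const fix = CANARY_FIXES[v.major];
    if (!fix) {
      return v.major < 15
        ? { status: "vulnerable", reason: "affected 14.x canary; no fixed canary is listed, move to a patched release" }
        : { status: "unknown", reason: "canary line not covered by the article; check the advisory" };
    }
    return compareVersions(version, fix) >= 0
      ? { status: "patched", reason: `at or above ${fix}` }
      : { status: "vulnerable", reason: `below ${fix}` };
  }
  return { status: "unknown", reason: `prerelease tag "${v.pre}" is not covered by the article` };
}

// Shape of `npm ls --json` output: nested "dependencies" maps keyed by package name.
interface NpmLsNode { version?: string; dependencies?: Record<string, NpmLsNode> }

// Collect every react-server-dom-* package at any depth together with its
// dependency chain (the information `npm why` prints, read here from one JSON tree).
function findRscPackages(tree: NpmLsNode, chain: string[] = [], out: string[] = []): string[] {
  for (const [name, node] of Object.entries(tree.dependencies ?? {})) {
    const here = [...chain, `${name}@${node.version ?? "?"}`];
    if (name.startsWith("react-server-dom-")) out.push(here.join(" > "));
    findRscPackages(node, here, out);
  }
  return out;
}

// Constructed sample of `npm ls --json` output, not captured from a real project.
const SAMPLE_NPM_LS: NpmLsNode = {
  version: "1.0.0",
  dependencies: {
    next: { version: "15.5.6" },
    react: { version: "19.2.0" },
    "some-rsc-bundler-plugin": { // hypothetical package name
      version: "0.1.0",
      dependencies: { "react-server-dom-webpack": { version: "19.2.0" } },
    },
  },
};

console.log(assessNextVersion(SAMPLE_NPM_LS.dependencies!.next.version!));
console.log(findRscPackages(SAMPLE_NPM_LS));
```

In a real project, pipe `npm ls --all --json` into `findRscPackages` and the `next` entry's version into `assessNextVersion`; an "unknown" result means the line is not covered by the versions above and should be checked against the advisory rather than assumed safe. The comparator treats a canary as older than the stable release with the same number, which is what makes the 15.6.0-canary.58 and 16.1.0-canary.12 cut-offs evaluate correctly.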


How to Update to the Latest Version (Fix)

1. Check the latest version

npm view next version

As of December 7, 2025, next@16.0.7 is the latest secure release addressing the vulnerability.

2. Remove existing dependencies

Before updating, remove node_modules and package-lock.json to avoid dependency conflicts:

rm -rf node_modules package-lock.json

Windows PowerShell:

Remove-Item -Recurse -Force node_modules
Remove-Item -Force package-lock.json

3. Update NextJS

npm install next@latest

If your project uses packages that require specific React versions, ensure compatibility.

For example, a project using next-intl may update dependencies together:

npm install next@latest react@18 react-dom@18 next-intl@latest @ant-design/nextjs-registry@latest

4. Verify installed versions

npm list next

Also check react, react-dom, next-intl, etc.

5. Build & run verification

npm run build

Verify:

  • Local build succeeds

  • All major pages & API routes return correctly

  • Any RSC-related rendering or data fetching works normally


Additional Considerations During Patch

ESLint configuration changes (Next 16)

Next 16 removed the ability to configure ESLint from next.config.ts.
You must delete the old configuration block:

Before:

import type { NextConfig } from 'next';

// Assumed definition; the original excerpt uses isProd without showing where it is set.
const isProd = process.env.NODE_ENV === 'production';

const nextConfig: NextConfig = {
  output: 'standalone',
  productionBrowserSourceMaps: false,
  reactStrictMode: false,
  eslint: {
    ignoreDuringBuilds: true,
  },
  compiler: {
    styledComponents: {
      ssr: true,
      displayName: !isProd,
      pure: true
    },
    ...(isProd && {
      removeConsole: {
        exclude: ["error", "warn"],
      },
    }),
  },
};

export default nextConfig;

After (removed):

import type { NextConfig } from 'next';

// Assumed definition; the original excerpt uses isProd without showing where it is set.
const isProd = process.env.NODE_ENV === 'production';

const nextConfig: NextConfig = {
  output: 'standalone',
  productionBrowserSourceMaps: false,
  reactStrictMode: false,
  // --------------------------------- delete block --
  // eslint: {
  //   ignoreDuringBuilds: true,
  // },
  // ---------------------------------------------------
  compiler: {
    styledComponents: {
      ssr: true,
      displayName: !isProd,
      pure: true
    },
    ...(isProd && {
      removeConsole: {
        exclude: ["error", "warn"],
      },
    }),
  },
};

export default nextConfig;

ESLint must now be configured via .eslintrc and/or CI pipelines.


Glossary

CVE (Common Vulnerabilities and Exposures)

A unique global identifier assigned to security vulnerabilities, e.g. CVE-2025-55182.

CVE IDs allow developers and security teams to refer to vulnerabilities consistently.

CVSS (Common Vulnerability Scoring System)

A standardized scoring system (0–10) that evaluates how dangerous a vulnerability is.

A score of 10 means the highest severity.

Security teams use CVSS to determine patch priority.


Conclusion

This vulnerability is extremely severe because unauthenticated RCE is possible even in default React Server Components (RSC) and NextJS configurations.
Following public disclosure, proof-of-concept exploit code spread quickly, increasing real-world attack risk.

Two things are strongly recommended:

  1. Immediately check Next/React versions and the presence of react-server-dom-* packages.
  2. Update to patched versions as soon as possible. If patching is delayed, implement temporary WAF/middleware restrictions to block RSC-related routes.

For large or production systems, response speed directly affects service reliability and incident cost, so acting quickly is important.
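The temporary middleware restriction recommended in step 2 (and in Q5 above) needs a rule for deciding which requests are RSC-related. The following is an added example, not code from the original post or from Next.js: it is the request-matching logic such a rule would use, written as plain TypeScript so it can run and be tested outside a Next.js runtime. It assumes that RSC payload fetches for client-side navigation carry an `RSC: 1` header or a `_rsc` query parameter and that Server Action calls carry a `Next-Action` header; the sample requests, the `app.example` host and the `placeholder-action-id` value are constructed.

```typescript
// Added example, not code from the original post or from Next.js. It is the
// request-matching logic for a stop-gap middleware rule that rejects RSC-related
// requests until the patch is deployed. Assumptions: RSC payload fetches for
// client-side navigation carry an `RSC: 1` header or a `_rsc` query parameter,
// and Server Action calls carry a `Next-Action` header. Sample requests are constructed.

interface RequestLike {
  method: string;
  url: string;                     // absolute URL, as request.url is in middleware
  headers: Record<string, string>; // header names in whatever case the client sent
}

interface Verdict {
  blocked: boolean;
  reason: "next-action-header" | "rsc-header" | "rsc-query" | null;
}

// HTTP header names are case-insensitive; never match on the raw key.
function getHeader(headers: Record<string, string>, name: string): string | undefined {
  const want = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === want) return value;
  }
  return undefined;
}

function classifyRscRequest(req: RequestLike): Verdict {
  if (getHeader(req.headers, "next-action") !== undefined) {
    return { blocked: true, reason: "next-action-header" }; // Server Action invocation
  }
  if (getHeader(req.headers, "rsc") === "1") {
    return { blocked: true, reason: "rsc-header" };         // RSC payload fetch
  }
  if (new URL(req.url).searchParams.has("_rsc")) {
    return { blocked: true, reason: "rsc-query" };          // RSC fetch cache-buster
  }
  return { blocked: false, reason: null };
}

// Response settings for a blocked request: a plain 403 that is never cached, so
// the refusal is not stored by CDNs or browsers while the rule is in place.
function blockedResponseInit(): { status: number; headers: Record<string, string> } {
  return { status: 403, headers: { "cache-control": "no-store", "content-type": "text/plain" } };
}

// One line per blocked request for the SIEM: method, path, trigger, client IP.
// The request body is deliberately not logged.
function blockLogLine(req: RequestLike, verdict: Verdict, clientIp: string): string {
  const path = new URL(req.url).pathname;
  return `rsc-block method=${req.method} path=${path} reason=${verdict.reason} ip=${clientIp}`;
}

// Constructed sample traffic (not captured): a Server Action POST, an RSC
// navigation fetch, and an ordinary page load.
const SAMPLE_REQUESTS: RequestLike[] = [
  { method: "POST", url: "https://app.example/checkout", headers: { "Next-Action": "placeholder-action-id", "Content-Type": "text/plain" } },
  { method: "GET", url: "https://app.example/about?_rsc=abc123", headers: { RSC: "1" } },
  { method: "GET", url: "https://app.example/about", headers: { Accept: "text/html" } },
];

function evaluateSamples(): Verdict[] {
  return SAMPLE_REQUESTS.map(classifyRscRequest);
}

// Wiring in a Next.js project (middleware.ts), shown as a comment because it
// needs the `next/server` runtime:
//
//   import { NextRequest, NextResponse } from "next/server";
//   export function middleware(request: NextRequest) {
//     const req = { method: request.method, url: request.url,
//                   headers: Object.fromEntries(request.headers) };
//     const verdict = classifyRscRequest(req);
//     if (verdict.blocked) {
//       console.warn(blockLogLine(req, verdict, request.headers.get("x-forwarded-for") ?? "unknown"));
//       return new NextResponse("Temporarily unavailable", blockedResponseInit());
//     }
//     return NextResponse.next();
//   }

evaluateSamples().forEach((verdict, i) => {
  console.log(SAMPLE_REQUESTS[i].method, SAMPLE_REQUESTS[i].url, verdict);
});
```

The same three signals can be expressed as a WAF rule if the middleware layer is not an option. Expect functional impact: rejecting `Next-Action` disables Server Actions, and rejecting RSC fetches degrades client-side navigation, so the rule is a stop-gap to hold only until the patched release is deployed, and the `rsc-block` log lines show how much legitimate traffic it is affecting.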




M.J. Kang

I help IT startups achieve sustainable growth. My goal is to give more companies the gift of time — and I’ll keep sharing insights that can truly help you along the way.