{"id":15259,"date":"2025-12-04T00:30:15","date_gmt":"2025-12-04T00:30:15","guid":{"rendered":"https:\/\/newestek.com\/?p=15259"},"modified":"2025-12-04T00:30:15","modified_gmt":"2025-12-04T00:30:15","slug":"developers-urged-to-immediately-upgrade-react-next-js","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15259","title":{"rendered":"Developers urged to immediately upgrade React, Next.js"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

Developers using the React 19 library<\/a> for building application interfaces are urged to immediately upgrade to the latest version because of a critical vulnerability that can be easily exploited by an attacker to remotely run their own code.<\/p>\n

Researchers at Wiz said Wednesday<\/a> that a vulnerability in the React Server Components (RSC) Flight protocol affects the React 19 ecosystem, as well as frameworks that implement it. In particular, that means Next.js, a popular full stack development framework built on top of React, which received a separate CVE.\u00a0<\/p>\n

RSC Flight protocol powers communication between the client and server for React Server Components, sending serialized component trees over the wire from the server to the client.<\/p>\n

\u201cThe vulnerability exists in the default configuration of affected applications, meaning standard deployments are immediately at risk,\u201d says the warning. \u201cDue to the high severity and the ease of exploitation, immediate patching is required,\u201d\u00a0<\/p>\n

\u201cOur exploitation tests show that a standard Next.js application created via\u00a0create-next-app<\/em>\u00a0and built for production is vulnerable without any specific code modifications by the developer,\u201d Wiz also\u00a0warns.<\/p>\n

The problem in React\u2019s server package, designated CVE-2025-55182<\/a>, is a logical deserialization vulnerability allowing the server to processes RSC payloads in an unsafe way.\u00a0When a server receives a specially crafted, malformed payload, say Wiz researchers, it fails to validate the structure correctly. This allows attacker-controlled data to influence server-side execution logic, resulting in the execution of privileged JavaScript code.<\/p>\n

\u201cIn simple terms,\u201d Wiz said in response to questions, \u201cthe server takes input from a user, trusts it too much, and processes it into code-like objects which attackers can exploit to run commands or leak sensitive information.\u201d<\/p>\n

Affected are React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. The fix is to upgrade to the latest version of React.<\/p>\n

While the vulnerability affects all development frameworks using vulnerable versions of React, the problem in Next.js is specifically identified as CVE-2025-66478<\/a>.<\/p>\n

Affected are Next.js 15.x and 16.x using the App Router. Again, the fix is to upgrade to the latest version of Next.js.<\/p>\n

React\u2019s blog provides detailed upgrade instructions<\/a> for both React and Next.js.<\/p>\n

\u2018Serious vulnerability\u2019<\/h2>\n

\u201cThe configuration needed for these vulnerabilities to function is extremely common,\u201d Wiz said in response to questions, \u201cand disabling the functionality needed to block them is very rare. In fact, we failed to find any such case.\u201d<\/p>\n

Wiz says 39% of cloud environments are currently using Next.js and other web frameworks based on React.\u00a0<\/p>\n

Johannes Ullrich<\/a>, dean of research at the SANS Institute, told InfoWorld <\/em>that RSC is widely used, particularly when the Next.js framework, which implements RSC by default, is employed.<\/p>\n

\u201cThis is a very serious vulnerability,\u201d he said in an email. \u201cI expect public exploits to surface within a day or so, and applications must be patched quickly. Some web application firewall vendors, such as Cloudflare, have already implemented rules to protect applications from potential exploits. But even web applications protected by these systems should be patched, in case attackers find ways to bypass these protection mechanisms.\u201d<\/p>\n

To exploit the React vulnerability, all a threat actor would need to do is send a specially crafted HTTP request to the server endpoint. For security reasons, Wiz researchers didn\u2019t detail how this could be done. But, they said, in similar vulnerabilities, attackers leverage remote code execution on servers to download and execute sophisticated trojans on the server, usually a known C2 framework like sliver,<\/em> but in some cases, a more custom payload. \u201cThe main point,\u201d the researchers said, \u201cis that with an RCE like this, an attacker can practically do anything.\u201d<\/p>\n

CISOs and developers need to treat these two vulnerabilities as \u201cmore than critical,\u201d said Tanya Janca<\/a>, a Canadian-based secure coding trainer. In fact, she said in an email, they should be treated in the same way that infosec pros treated the Log4j vulnerability<\/a>, and scour all applications. \u201cThere could not be a more serious security flaw in a web application than this,\u201d she said, \u201ceven if it is not known to be exploited in the wild yet.\u201d<\/p>\n

Advice for CSOs, developers<\/h2>\n

Janca said developers should:<\/p>\n