Warning: Critical vulnerability in React Server Components can lead to unauthenticated remote code execution (RCE), Patch Immediately!

  • Published: 04/12/2025
  • Last update: 04/12/2025
  • Affected software:
    → React Server Components versions 19.0, 19.1.0, 19.1.1 and 19.2.0
    → Next.js
  • Type: Remote Code Execution
  • CVE/CVSS
    → CVE-2025-55182: CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
    → CVE-2025-66478: CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Sources

React advisory - https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
Next.js advisory - https://nextjs.org/blog/CVE-2025-66478
Detection surface scanner - https://github.com/fatguru/CVE-2025-55182-scanner

Risks

In December 2025, React published an advisory regarding an unauthenticated remote code execution vulnerability affecting React Server Components, related packages, and downstream technology.

While this vulnerability is not known to be actively exploited (cut-off date: 04 December 2025), it is highly likely that threat actors will attempt to weaponize it, because apps are vulnerable even if they merely support, but do not use, React Server Components. The significant downstream impact of this vulnerability makes it attractive to threat actors, since this technology is very common in numerous web applications.

This vulnerability has a high impact on confidentiality, integrity, and availability.

Description

CVE-2025-55182 is a flaw in the way React decodes payloads sent to React Server Function endpoints. An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server.

The vulnerability is present in specific versions (19.0, 19.1.0, 19.1.1 and 19.2.0) as well as in three packages:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

Note that even if an app does not implement any React Server Function endpoints, it may still be vulnerable as long as the app supports React Server Components. In other words, there is a significant downstream impact: an app is vulnerable if it uses a framework, bundler or bundler plugin that supports React Server Components.

Next.js introduced another CVE identifier – CVE-2025-66478 – for the same vulnerability in order to track downstream impacts.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

React indicates in their advisory that the patch depends on the software used. Read the advisory to verify which version to upgrade to (or, in certain cases, to downgrade to): https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
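To inventory an application for the affected packages before patching, the following Python script is an added example (not part of the CCB advisory, the React project or the Next.js project). It reads an npm package-lock.json, finds the three react-server-dom-* packages named above wherever they sit in the dependency tree, and flags any whose version is one of those listed in the advisory. It assumes an npm lockfile in the v1 ("dependencies" tree) or v2/v3 ("packages" map) layout, treats the advisory's "19.0" as 19.0.0, and runs against a constructed sample lockfile. Versions it does not recognise (canary or experimental builds, or already-patched releases) are reported separately so they can be checked by hand against the React advisory, which remains the authoritative source for fixed versions.

```python
import json

# The three packages named in the advisory.
AFFECTED_PACKAGES = (
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
)

# Versions listed in the advisory; "19.0" is interpreted as 19.0.0 (assumption).
AFFECTED_VERSIONS = frozenset({"19.0.0", "19.1.0", "19.1.1", "19.2.0"})


def installed_versions(lockfile):
    """Return {package: set(versions)} for the advisory packages found in the lockfile.

    Handles both npm lockfile layouts: v2/v3 keep a flat "packages" map keyed by
    node_modules path, v1 keeps a nested "dependencies" tree.
    """
    found = {}

    # lockfileVersion 2/3: keys look like "node_modules/a/node_modules/b".
    for path, meta in lockfile.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if name in AFFECTED_PACKAGES and "version" in meta:
            found.setdefault(name, set()).add(meta["version"])

    # lockfileVersion 1: recurse through nested "dependencies" objects.
    def walk(deps):
        for name, meta in deps.items():
            if name in AFFECTED_PACKAGES and "version" in meta:
                found.setdefault(name, set()).add(meta["version"])
            walk(meta.get("dependencies", {}))

    walk(lockfile.get("dependencies", {}))
    return found


def vulnerable_entries(lockfile):
    """Sorted (package, version) pairs whose version is in the advisory list."""
    return sorted(
        (name, version)
        for name, versions in installed_versions(lockfile).items()
        for version in versions
        if version in AFFECTED_VERSIONS
    )


def unrecognised_entries(lockfile):
    """Sorted (package, version) pairs not in the advisory list.

    These may be patched releases or canary/experimental builds; verify them
    manually against the React advisory rather than assuming they are safe.
    """
    return sorted(
        (name, version)
        for name, versions in installed_versions(lockfile).items()
        for version in versions
        if version not in AFFECTED_VERSIONS
    )


def scan_lockfile(path):
    """Load a package-lock.json from disk and return (vulnerable, unrecognised)."""
    with open(path, encoding="utf-8") as fh:
        lockfile = json.load(fh)
    return vulnerable_entries(lockfile), unrecognised_entries(lockfile)


# Constructed sample lockfile (v3 layout); the canary string is made up for illustration.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/next/node_modules/react-server-dom-turbopack": {"version": "19.1.1"},
        "node_modules/react-server-dom-parcel": {"version": "19.0.0-canary-constructed"},
    },
}

if __name__ == "__main__":
    for name, version in vulnerable_entries(SAMPLE_LOCK):
        print(f"AFFECTED   {name}@{version}: upgrade per the React advisory")
    for name, version in unrecognised_entries(SAMPLE_LOCK):
        print(f"CHECK      {name}@{version}: not in the advisory list, verify manually")
```

Run it against a real tree with `scan_lockfile("package-lock.json")`; anything under AFFECTED is a patch-now item, and anything under CHECK still needs a look at the advisory before it is closed out.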

Monitor/Detect
The CCB recommends that organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion. A Python tool was created to detect React Server Components endpoints that may be exposed to CVE-2025-55182: https://github.com/fatguru/CVE-2025-55182-scanner. Please note that this tool was not tested by the CCB.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

Cyber Security News article - https://cybersecuritynews.com/scanner-tool-reactjs-and-next-js/
Vercel advisory - https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp