All news with #next.js tag

React2Shell RCE Exploited, 77K+ IPs and 30+ Breaches

🔴 React2Shell (CVE-2025-55182) is an unauthenticated remote code execution flaw in React Server Components and frameworks like Next.js, disclosed on December 3, 2025. A public proof-of-concept on December 4 accelerated automated scanning and exploitation; Shadowserver found 77,664 vulnerable IPs (≈23,700 in the US), and Palo Alto reports more than 30 breached organizations. Observed attacks use PowerShell stages, AMSI bypass and Cobalt Strike; mitigation requires updating React, rebuilding and redeploying apps, and reviewing logs for post-exploitation indicators.

React2Shell RCE Exploits Observed in the Wild at Scale

⚠️ Patches for the React2Shell vulnerability should be prioritized: researchers report active, largely automated exploitation attempts targeting React Server Components and Next.js. Public proof-of-concept code has been reused by attackers, with initial payloads performing lightweight proof-of-execution checks and staged PowerShell download-and-execute stagers. Vendors including JFrog, Wiz and Greynoise warn of fake PoCs on GitHub, cryptojacking, credential theft attempts, and Mirai-style kit integration, while AWS reports state-linked groups targeting exposed apps — making immediate remediation and verification essential.

Critical React2Shell RCE in React.js and Next.js Servers

⚠️React.js and Next.js servers are vulnerable to a critical remote code execution flaw dubbed React2Shell (CVE-2025-55182), disclosed to Meta on 29 November 2025. The bug targets server-side React Server Function endpoints and default Next.js App Router setups, enabling unauthenticated attackers to execute arbitrary code with a single HTTP request. Researchers report near‑100% exploitability in default configurations and published proof‑of‑concepts; security teams should upgrade affected packages to the fixed versions immediately and verify PoC sources before testing.

China-nexus Rapid Exploitation of React2Shell CVE-2025-55182

🛡️ Amazon observed multiple China state-nexus groups rapidly exploiting CVE-2025-55182 (React2Shell), a critical unsafe deserialization flaw in React Server Components with a CVSS score of 10.0 that affects React 19.x and Next.js 15.x/16.x when using App Router. AWS deployed Sonaris active defense, AWS WAF managed rules (AWSManagedRulesKnownBadInputsRuleSet v1.24+) and MadPot honeypots to detect and block attempts, but these protections are not substitutes for patching. Customers running self-managed React/Next.js applications must update immediately, deploy interim WAF rules, and review logs for indicators such as POST requests with next-action or rsc-action-id headers.

Critical RCE in React and Next.js Flight Protocol Disclosed

🚨 Researchers disclosed critical remote code execution vulnerabilities in the Flight protocol for React Server Components (CVE-2025-55182 and CVE-2025-66478). The flaw permits unauthenticated attackers to achieve deterministic RCE via insecure deserialization of malformed HTTP payloads, with near-100% reliability against default deployments. Vendors have issued patched releases; administrators should apply upgrades immediately. Palo Alto Networks Unit 42 published detection guidance and hunting queries to help identify exploitation and post-exploitation activity.

Critical React4Shell RSC Vulnerability CVE-2025-55182

🛡️ A critical remote code execution flaw, CVE-2025-55182 (React4Shell), was disclosed affecting React Server Components and multiple derivatives including Next.js, React Router RSC preview, and several bundler plugins. The bug arises from unsafe deserialization of Flight protocol payloads and permits unauthenticated HTTP requests to execute code on vulnerable servers. Immediate updating to the patched React and Next.js releases, plus deployment of WAF rules and access restrictions, is strongly recommended.

Critical React2Shell RCE Affects React and Next.js Servers

🚨 React and Next.js applications are affected by a maximum-severity deserialization vulnerability dubbed React2Shell, which enables unauthenticated remote code execution via the React Server Components (RSC) "Flight" protocol. Discovered by researcher Lachlan Davidson and reported on November 29, the flaw received a 10/10 severity rating and has been assigned CVE-2025-55182 for React (Next.js received CVE-2025-66478, later rejected by the NVD). Affected default packages include react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack, and researchers warn many deployments are exploitable without additional misconfiguration. Developers should apply the published patches and audit environments immediately.

Urgent: Patch React 19 and Next.js to Mitigate RCE

⚠️ Developers must immediately upgrade React 19 and affected frameworks such as Next.js after researchers at Wiz disclosed a critical deserialization vulnerability in the React Server Components (RSC) Flight protocol that can enable remote code execution. The flaw exists in default configurations and impacts React 19.0.0, 19.1.0, 19.1.1 and 19.2.0, while Next.js 15.x and 16.x App Router deployments received a related CVE. Upgrade to the latest vendor-recommended releases now and follow the React blog's guidance.

Google Cloud guidance on CVE-2025-55182 for React/Next.js

🔒 Meta and Vercel disclosed a critical remote code execution vulnerability in React Server Components (CVE-2025-55182) that also affected some Next.js releases. Google Cloud rolled out a preconfigured Cloud Armor WAF rule (cve-canary), is enforcing protections for Firebase Hosting, and recommends testing the rule in preview while enabling ALB request logging to consume telemetry. Customers should promptly update dependencies to React 19.2.1 and the patched Next.js releases and redeploy services to remove the vulnerability.

Critical RSC Deserialization Flaw in React and Next.js

🚨 A maximum-severity remote code execution vulnerability in React Server Components (CVE-2025-55182, CVSS 10.0) allows unauthenticated attackers to execute arbitrary JavaScript by sending crafted payloads to Server Function endpoints. Affected npm packages include react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack in specific 19.x releases; fixes are available in 19.0.1, 19.1.2, and 19.2.1. The issue also impacts Next.js (CVE-2025-66478, CVSS 10.0) across multiple releases and has been patched in a series of 15.x and 16.x updates. Security firm Wiz reports roughly 39% of cloud environments host vulnerable instances; apply patches immediately.

Cloudflare WAF Blocks Critical React Server Components RCE

🛡️ Cloudflare has deployed new WAF protections to mitigate a high‑severity RCE in React Server Components (CVE-2025-55182). All customers whose React traffic is proxied through the Cloudflare WAF are automatically protected — the rules are included in both the Free Managed Ruleset and the standard Managed Ruleset and default to Block. Rule IDs: Managed Ruleset 33aa8a8a948b48b28d40450c5fb92fba and Free Ruleset 2b5d06e34a814a889bee9a0699702280; Cloudflare Workers are immune. Customers on paid plans should verify Managed Rules are enabled and update to React 19.2.1 and the recommended Next.js releases (16.0.7, 15.5.7, 15.4.8).