CVE-2025-55182: Next.js Pre-Auth RCE CVSS 10.0 Flaw

CVSS 10.0 RCE, No Auth Required
CVE-2025-55182 is a pre-authentication remote code execution vulnerability in React Server Components that earns its maximum CVSS 10.0 score honestly. Disclosed on December 3, 2025, it affects React 19.0.0 through 19.2.0 and every major framework built on top — Next.js 15.x and 16.x, React Router with RSC APIs, Expo, Redwood SDK, and Waku. A single crafted HTTP POST to any Server Function endpoint triggers prototype pollution that escalates to full code execution with server-side privileges. No credentials. No user interaction. No complex exploit chain.
On the Next.js side the issue is tracked as GHSA-9qr9-h5gf-34mp on the GitHub Advisory Database and classified under CWE-502: Deserialization of Untrusted Data. Several independent researchers, including lachlan2k, bytera and larskaare, reported it at nearly the same time, which suggests it was discoverable through routine security review of the React flight protocol.
How the Exploit Works
React Server Components use a custom serialization format, the "React flight protocol", to stream data between server and client. Server Functions (formerly "server actions") expose endpoints that accept POST requests and deserialize the incoming payload to reconstruct JavaScript objects server-side. The vulnerability lives in that deserialization step.
An attacker sends a crafted payload in that JSON-based format to any Server Function endpoint. During deserialization, the payload pollutes JavaScript's Object.prototype, the root of every object's inheritance chain, so every plain object in the process inherits whatever the attacker injected. By planting properties that steer application or framework code into native Node.js functions such as child_process.execSync, the attacker escalates prototype pollution into operating system command execution with the privileges of the Node.js process.
The attack surface is breathtaking. Any publicly accessible Next.js application using the App Router is vulnerable by default, whether or not it defines Server Functions of its own, because the framework mounts the handler for them regardless. There is no configuration toggle that disables the deserialization, and no Content Security Policy prevents a server-side consequence; the only request-level stopgap is to block Server Function POSTs at the edge before they reach the handler (see the WAF note under remediation). The three affected packages, react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack, cover every major bundler in production use.
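The mechanism above, as an added illustration of the vulnerability class rather than React's flight deserializer or an exploit for CVE-2025-55182: a naive deserializer copies attacker-chosen keys onto a fresh object, "__proto__" resolves to Object.prototype, and an unrelated piece of application code that reads an optional property from any plain object picks up the injected value. The hardened variant beside it rejects prototype-chain keys and builds onto null-prototype objects. Every function and payload here is constructed for this example.

```javascript
'use strict';
// Added example, not React's flight deserializer and not an exploit for CVE-2025-55182:
// a constructed illustration of how deserialization of untrusted data (CWE-502) turns
// into prototype pollution, and how a gadget elsewhere in the process then acts on it.
// All names below are hypothetical.

// Vulnerable: rebuild nested objects by assigning each parsed key onto the target.
// JSON.parse keeps "__proto__" as an own key, so the copy loop walks into
// Object.prototype and writes there.
function reviveUnsafe(json) {
  const walk = (src, dst) => {
    for (const key of Object.keys(src)) {
      const val = src[key];
      if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
        if (dst[key] === null || typeof dst[key] !== 'object') dst[key] = {};
        walk(val, dst[key]); // for key === "__proto__", dst[key] is Object.prototype
      } else {
        dst[key] = val;
      }
    }
    return dst;
  };
  return walk(JSON.parse(json), {});
}

// Hardened: reject prototype-chain keys outright, build onto null-prototype objects so
// nothing is inherited, and define own properties instead of assigning through setters.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function reviveSafe(json) {
  const walk = (src, dst) => {
    for (const key of Object.keys(src)) {
      if (FORBIDDEN_KEYS.has(key)) throw new Error(`rejected key "${key}" in payload`);
      const val = src[key];
      const out = (val !== null && typeof val === 'object' && !Array.isArray(val))
        ? walk(val, Object.create(null))
        : val;
      Object.defineProperty(dst, key, { value: out, enumerable: true, writable: true, configurable: true });
    }
    return dst;
  };
  return walk(JSON.parse(json), Object.create(null));
}

// Hypothetical gadget elsewhere in the application: it reads an optional "command"
// from an options object. Property lookup walks the prototype chain, so after pollution
// an empty {} yields the attacker's string. A real gadget would hand this to
// child_process.execSync; here it only returns what it would run.
function resolveHealthCheckCommand(opts = {}) {
  return opts.command || 'echo ok';
}

// Constructed payload, written as a string on purpose: an object literal with a
// "__proto__:" key would set the prototype instead of producing an own key.
const CRAFTED = '{"name":"probe","__proto__":{"command":"id"}}';

function demo() {
  const result = {};
  reviveUnsafe(CRAFTED);
  result.unsafeCommand = resolveHealthCheckCommand({}); // "id": the gadget is now attacker-controlled
  delete Object.prototype.command;                      // undo the pollution for the rest of the process
  result.afterCleanup = resolveHealthCheckCommand({});  // "echo ok"
  try {
    reviveSafe(CRAFTED);
    result.safeRejected = false;
  } catch (e) {
    result.safeRejected = e.message.includes('__proto__');
  }
  result.safeStillPolluted = 'command' in {};           // false: hardened path left Object.prototype alone
  return result;
}

console.log(demo());
```

The point of the gadget is that the vulnerable code and the code that executes the command never touch each other: pollution is a process-wide side effect, which is why a framework-level deserializer bug becomes RCE through whatever the application happens to do with an object property.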
Affected Versions Are Everywhere
The GitHub advisory lists a sprawling range of affected versions across both stable and canary releases of Next.js, reflecting how rapidly Vercel iterated the App Router and how many parallel release trains exist simultaneously:
| Release line | Affected from | Patched in |
|---|---|---|
| Next.js 15.0.x | >= 14.3.0-canary.77 | 15.0.5 |
| Next.js 15.1.x | >= 15.1.0-canary.0 | 15.1.9 |
| Next.js 15.2.x | >= 15.2.0-canary.0 | 15.2.6 |
| Next.js 15.3.x | >= 15.3.0-canary.0 | 15.3.6 |
| Next.js 15.4.x | >= 15.4.0-canary.0 | 15.4.8 |
| Next.js 15.5.x | >= 15.5.0-canary.0 | 15.5.7 |
| Next.js 16.0.x | >= 16.0.0-canary.0 | 16.0.7 |
React itself requires an upgrade to 19.0.1, 19.1.2, or 19.2.1 depending on the minor version in use. There is no patched release on the 14.3 canary train: 14.3.0-canary.77 was the first build to carry the vulnerable code, so organizations still on those canaries should move to a patched 15.x or 16.x release, or back to 14.x stable, which does not include it. The React team patched the three react-server-dom packages in coordination with the Next.js releases.
Why This Hits Cloud Infrastructure Hard
Next.js is not a niche framework. It dominates the React deployment landscape for production web applications, particularly those hosted on Vercel, AWS Amplify, Cloudflare Pages, and containerized Node.js clusters. The App Router, introduced in Next.js 13 and promoted as the default routing paradigm, relies on Server Components and Server Functions as core architectural primitives. Any organization that adopted the App Router — which is most of them — inherited this vulnerability silently. We first flagged CVE-2025-55182 in our weekly roundup back in April; this deep dive covers what has since emerged about exploitation in the wild.
The cloud-specific implications compound rapidly. Production Next.js deployments typically run with environment variables containing database connection strings, API keys for payment processors, object storage credentials, and secrets for upstream microservices. A successful exploit grants access to all of them. In containerized environments, the Node.js process often runs with service account tokens mounted from the orchestrator, enabling lateral movement into Kubernetes clusters or ECS tasks — similar to the cloud key exfiltration pattern seen in the LiteLLM RCE chain earlier this year.
Serverless deployments on Vercel or AWS Lambda are not immune. The deserialization vulnerability executes within the function handler before any response is returned. An attacker can exfiltrate environment variables in the same request-response cycle and disappear without leaving a persistent artifact — making detection significantly harder than traditional webshell deployments.
Evidence of Active Exploitation
Within hours of the December 3 disclosure, multiple researchers published proof-of-concept exploits demonstrating reliable pre-auth RCE. Demonstrations included reading arbitrary files from the server filesystem, establishing persistent reverse shells, and dumping environment variables containing database credentials and API keys. The simplicity of the exploit — a single HTTP POST — meant that automated scanning and exploitation tools incorporated it almost immediately.
According to analysis by Cyber Security News, CVE-2025-55182 ranked among the ten most significant high-risk vulnerabilities of 2026, with the publication noting that “attack demonstrations showed the vulnerability enables reading arbitrary files, establishing persistent reverse shells, and accessing environment variables containing database credentials and API keys.” The exploit’s low barrier to entry — no authentication, no complex chain, single HTTP request — placed it in the highest tier of practical risk for any exposed Next.js deployment.
The vulnerability was not in CISA's Known Exploited Vulnerabilities catalog on the day of disclosure, even though its CVSS 10.0 severity and published PoC code made widespread scanning inevitable. Organizations that gate patching on KEV inclusion would have lagged attackers by exactly the interval between the public PoC and the catalog entry, which is the wrong way round for a single-request pre-auth RCE.
Immediate Remediation Steps
The remediation path is straightforward but demands urgency. Every organization running Next.js with the App Router should take the following actions immediately:
- Identify all Next.js deployments. Scan infrastructure inventories, container registries, and serverless platforms for any application using Next.js 14.3 canary, 15.x, or 16.x with the App Router enabled. Next.js vendors its own copy of the react-server-dom packages, so the Next.js version is the one that matters there; for React Router, Expo, Redwood SDK and Waku, check the react-server-dom-* versions pinned in the lockfile directly.
- Upgrade React and Next.js. Apply the patched versions listed in the table above. At minimum, upgrade React to 19.0.1/19.1.2/19.2.1 and Next.js to the corresponding patched release for your minor version.
- Rotate all secrets. Assume any deployment that was publicly accessible between December 3, 2025 and the patch date has been compromised. Rotate database credentials, API keys, service account tokens, and any other secrets accessible via environment variables.
- Review access logs. Look for POST requests to Server Function endpoints (in Next.js these carry a `Next-Action` request header) with unusually large payloads, prototype-chain keys such as `__proto__` or `constructor.prototype` in the body, or responses consistent with command output. `text/x-component` is the flight protocol MIME type; it appears on RSC responses, so it identifies the traffic rather than the attack.
- Deploy virtual patching. Where immediate upgrades are not feasible, deploy WAF rules that block or sanitize POST requests to Server Function endpoints containing `__proto__` or `constructor.prototype` in the request body. Treat this as a stopgap: a rule keyed on literal strings can be sidestepped by other encodings of the same payload, and only the patched packages close the bug.
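The inventory and log-review steps above as one runnable script, added here and not taken from the advisories or the Next.js project: a version check driven by the patched releases in the table, including the 14.3 canary edge case, and a triage pass over constructed access-log lines that keys on the `Next-Action` header and prototype-chain strings. The log field names are hypothetical, and the check covers only the release lines the table lists.

```javascript
'use strict';
// Added example, not part of the Next.js or React advisories: a dependency check driven by
// the patched versions in the table above, plus a log-triage helper for the "review access
// logs" step. Log field names are hypothetical and the log lines are constructed.

// Patched release per affected minor line. Any version in one of these lines that sorts
// below the patched release, stable or canary, is vulnerable. Lines not listed are outside
// this table's range, so a "false" for them means "not covered", not "safe".
const REACT_LINES = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };
const PATCHED = {
  'react-server-dom-webpack': REACT_LINES,
  'react-server-dom-parcel': REACT_LINES,
  'react-server-dom-turbopack': REACT_LINES,
  next: {
    '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6', '15.3': '15.3.6',
    '15.4': '15.4.8', '15.5': '15.5.7', '16.0': '16.0.7',
  },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ?? null };
}

// Semver ordering on the core triple; a prerelease of a core sorts below its release
// (16.0.7-canary.2 < 16.0.7), which is what puts canary builds on the vulnerable side.
function lessThan(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k];
  }
  return Boolean(a.pre) && !b.pre;
}

function isVulnerable(pkg, version) {
  const lines = PATCHED[pkg];
  if (!lines) return false; // package not covered by this table
  const v = parseVersion(version);
  if (pkg === 'next' && v.major === 14) {
    // Only 14.3.0-canary.77 and later canaries ship the vulnerable code; 14.x stable does not.
    const canary = /^canary\.(\d+)$/.exec(v.pre ?? '');
    return v.minor === 3 && v.patch === 0 && canary !== null && Number(canary[1]) >= 77;
  }
  const fixed = lines[`${v.major}.${v.minor}`];
  return fixed ? lessThan(v, parseVersion(fixed)) : false;
}

// Constructed JSON-lines access log (hypothetical field names). Next.js marks a Server
// Function invocation with a Next-Action request header, so that is the first filter; a
// prototype-chain key in the body or an oversized body is the second. A body without a
// literal "__proto__" is not evidence of a benign request, so treat this as triage, not proof.
const SAMPLE_LOG = [
  { method: 'POST', path: '/dashboard', headers: { 'Next-Action': '40a1b2' },
    content_type: 'text/plain;charset=UTF-8', body_bytes: 96,
    body_sample: '{"__proto__":{"x":1}}' },
  { method: 'POST', path: '/dashboard', headers: { 'next-action': '40a1b2' },
    content_type: 'multipart/form-data', body_bytes: 512, body_sample: 'name=Ada' },
  { method: 'GET', path: '/dashboard', headers: { rsc: '1' }, content_type: '',
    body_bytes: 0, body_sample: '' },
  { method: 'POST', path: '/api/login', headers: {}, content_type: 'application/json',
    body_bytes: 64, body_sample: '{"user":"a","constructor":{"prototype":{"admin":true}}}' },
].map((e) => JSON.stringify(e));

const PROTO_KEY = /__proto__|"constructor"\s*:|"prototype"\s*:|constructor\s*\.\s*prototype/;

function triageAccessLog(lines, { largeBody = 8192 } = {}) {
  const hits = [];
  lines.forEach((line, i) => {
    const e = JSON.parse(line);
    if (e.method !== 'POST') return;
    // Header names are case-insensitive; logs preserve whatever the client sent.
    const serverFunction = Object.keys(e.headers ?? {}).some((h) => h.toLowerCase() === 'next-action');
    const reasons = [];
    if (PROTO_KEY.test(e.body_sample ?? '')) reasons.push('prototype-chain key in body');
    if (serverFunction && e.body_bytes > largeBody) reasons.push('oversized Server Function payload');
    if (reasons.length) hits.push({ line: i + 1, path: e.path, serverFunction, reasons });
  });
  return hits;
}

console.log(isVulnerable('next', '15.4.7'), isVulnerable('next', '14.3.0-canary.76'));
console.log(triageAccessLog(SAMPLE_LOG));
```

The fourth log line is flagged even though it is not a Server Function request: a prototype-chain key in any POST body is worth a look, and the `serverFunction` field tells the analyst which hits belong to this CVE and which to some other endpoint.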
The Deeper Problem: Server-Side JavaScript Deserialization
CVE-2025-55182 is not an isolated incident. It is the latest manifestation of a well-known vulnerability class, deserialization of untrusted data (CWE-502), applied to JavaScript's prototype-based inheritance model. The pattern is the same one behind the Java deserialization disasters of the mid-2010s: a framework accepts structured data from untrusted sources, reconstructs objects without adequate validation, and the attacker-shaped object graph reaches code that acts on it, ending in code execution. For organizations that track these patterns through vulnerability aggregators, this CVE is a reminder that CWE-502 transcends language boundaries.
The React team’s decision to implement a custom serialization protocol for Server Components was architecturally sound — it enables efficient streaming of server-rendered UI. But the implementation failed to apply the fundamental principle that every byte of input arriving over HTTP is adversarial until proven otherwise. The flight protocol’s deserializer trusted the structure of incoming payloads implicitly, a design choice that contradicts decades of security engineering practice.
For cloud security teams, this is a wake-up call about the attack surface of modern JavaScript frameworks running server-side. The same rapid iteration that makes frameworks like Next.js productive also introduces vulnerability classes that traditional application security testing may not catch. Automated SAST tools rarely understand custom serialization formats. Dynamic testing may not exercise Server Function endpoints unless the test harness specifically targets them. The gap between “the framework handles serialization” and “the framework handles serialization safely” is where incidents like this originate.
References
- GHSA-9qr9-h5gf-34mp — Next.js is vulnerable to RCE in React flight protocol (GitHub Advisory Database)
- Top 10 High-Risk Vulnerabilities of 2026 Exploited in the Wild (Cyber Security News)
- CISA Known Exploited Vulnerabilities Catalog (CISA)
- 2026 Cloudflare Threat Report (Cloudflare)