
Critical RCE Vulnerabilities in React and Next.js

https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
77•gonepivoting•55m ago

Comments

gonepivoting•30m ago
Just to simplify this - our exploitation tests so far have shown that a standard Next.js application created via create-next-app and built for production is vulnerable to CVE-2025-66478 without any specific code modifications by the developer - so this is essentially exploitable out-of-the-box.
tinco•29m ago
Unsafe deserialization is a very 2010 Ruby on Rails sort of vulnerability. It is strangely interesting that such a vulnerability was introduced so late in the lifetime of these frameworks. It must be a very sneaky vulnerability given how cautious we have become around deserialization since then.
LunaSea•20m ago
I'm willing to bet that this is linked to the magic __proto__ object namespace in JavaScript.
Tomuus•16m ago
The React Server Components wire format (Flight) is relatively novel and very new (it has existed in React stable for just a year). This is not a simple JSON parsing bug.
skilled•28m ago
Wow, I am at a loss for words at how serious this is. Looking forward to a more technical write-up.

This might cause quite a lot of chaos and leaked code / credentials over the next couple of weeks.

mmsc•28m ago
These wiz.io blog posts should be banned from HN; AFAICT, they're AI generated. Here's the original post with the details: https://react.dev/blog/2025/12/03/critical-security-vulnerab... - the vulnerability was not found by a Wiz employee at all, and the Wiz article (unlike the react.dev article) does not provide any meaningful technical information.

The important part to know:

- Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.

- The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack

- Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.
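One way to turn the affected-versions list above into an inventory check, as an added example (not code from the react.dev post or from anyone in this thread): scan a parsed package-lock.json for the three react-server-dom-* packages at the listed versions and report which of the listed frameworks/bundlers are installed. The lockfile below is constructed for illustration; "19.0.0" is accepted alongside the thread's "19.0" spelling as an assumption about how that release appears in a lockfile.

```javascript
// Added example, not code from the react.dev post or from this thread.
// Scans a parsed package-lock.json (lockfileVersion 2/3, "packages" map).
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
// The thread writes the first version as "19.0"; accept both spellings.
const AFFECTED_VERSIONS = new Set(["19.0", "19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const AFFECTED_FRAMEWORKS = new Set([
  "next", "react-router", "waku", "@parcel/rsc", "@vitejs/plugin-rsc", "rwsdk",
]);

// Package name is whatever follows the last "node_modules/" in the lockfile path,
// which handles nested installs and scoped names such as "@parcel/rsc".
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Returns { vulnerable: [{ name, version, path }], frameworks: [name] }.
function scanLock(lock) {
  const vulnerable = [];
  const frameworks = new Set();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = packageName(path);
    if (AFFECTED_FRAMEWORKS.has(name)) frameworks.add(name);
    if (AFFECTED_PACKAGES.has(name) && AFFECTED_VERSIONS.has(meta.version)) {
      vulnerable.push({ name, version: meta.version, path });
    }
  }
  return { vulnerable, frameworks: [...frameworks].sort() };
}

// Constructed sample lockfile (not a real project): a nested copy of
// react-server-dom-webpack at a listed version, plus packages that must not be flagged.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "0.1.0" },
    "node_modules/next": { version: "15.0.4" },
    "node_modules/next/node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/@parcel/rsc": { version: "0.0.1" },
    "node_modules/react": { version: "19.1.1" }, // react itself is not in the list
  },
};
console.log(JSON.stringify(scanLock(SAMPLE_LOCK), null, 2));
```

Feed it `JSON.parse(fs.readFileSync("package-lock.json"))` from a real project; a framework hit with an empty `vulnerable` list still deserves a manual look, since the thread notes these frameworks may bundle the affected packages.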

jfindper•12m ago
>AFAICT, they're AI generated.

What is the "tell"? I'm not saying they are or aren't, but... people say this about literally everything now and it's typically some flimsy reasoning like "they used a bullet point". I don't see anything in particular that makes me think AI over a standard template some junior fills out.

>the vulnerability was not found by a Wiz employee at all

I've re-read the Wiz article a few times. Maybe I'm just dumb, but where did Wiz claim to have found this vulnerability?

galnagli•11m ago
Hey mmsc, first of all - the blogs are not AI generated!

Second of all, the blog did add more information:

"In our experimentation, exploitation of this vulnerability had high fidelity, with a near 100% success rate and can be leveraged to a full remote code execution. The attack vector is unauthenticated and remote, requiring only a specially crafted HTTP request to the target server. It affects the default configuration of popular frameworks."

In the end - if it helped spread the news about this risk so teams can fix them faster, then this is our end goal with these blog posts : )

internetter•8m ago
There is some value:

> The vulnerability exists in the default configuration of affected applications

Can be inferred from the React blog, but isn't really explicit.

> According to Wiz data, 39% of cloud environments have instances vulnerable to CVE-2025-55182 and/or CVE-2025-66478.

Numbers!

gonepivoting•7m ago
Hey, researcher from Wiz here - we definitely didn't discover these vulns and all the credit goes to Lachlan Davidson. We have been investigating these vulns throughout the day and decided not to disclose the full extent of our conclusions or release a working exploit until more people get a chance to patch this (and as I mentioned in another comment, exploitation works out-of-the-box so you definitely should patch ASAP).
bri3d•15m ago
Here's a patch diff:

https://github.com/vercel/next.js/compare/v15.0.4...v15.0.5

It looks like the fix is checking hasOwnProperty, so it's almost certainly an issue with prototype chain pollution.
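The hasOwnProperty point above is a general JavaScript footgun, illustrated here with an added example that is not React's or Next.js's code and makes no claim about what the actual patched function looks like: a plain-object registry looked up by an untrusted name resolves Object.prototype members unless the key is checked as an own property.

```javascript
// Added illustration, not React's or Next.js's code: why an own-property check
// matters when an untrusted string selects a key on a plain object.
// A registry of named handlers keyed by a caller-supplied name.
const handlers = {
  greet: (who) => `hello, ${who}`,
};

// Unsafe: bracket lookup walks the prototype chain, so names such as
// "constructor" or "toString" resolve to Object.prototype members and pass a
// typeof === "function" check instead of being rejected as unknown.
function lookupUnsafe(name) {
  const fn = handlers[name];
  return typeof fn === "function" ? "resolved" : "missing";
}

// Safe: accept only keys the object itself defines. Object.create(null) or a
// Map keyed by string would remove the prototype chain altogether.
function lookupSafe(name) {
  if (!Object.prototype.hasOwnProperty.call(handlers, name)) return "missing";
  return typeof handlers[name] === "function" ? "resolved" : "missing";
}

// Side-by-side outcome for a list of candidate names.
function compare(names) {
  return names.map((n) => ({ name: n, unsafe: lookupUnsafe(n), safe: lookupSafe(n) }));
}

console.table(compare(["greet", "constructor", "toString", "__proto__", "nope"]));
```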

jimmyl02•6m ago
It seems like this might be one of the biggest vulnerabilities in recent times...

The default react / nextjs configurations being vulnerable to RCE is pretty insane. I think platform level protections from Vercel / Cloudflare are very much showing their utility now!