CRITICAL VULNERABILITIES IN REACT SERVER COMPONENTS (RSC) PROTOCOL

Risk: high
Damage: high
Platform(s): Web Applications
Advisory ID: ngCERT-2025-120001
Version: nil
CVE: CVE-2025-55182, CVE-2025-66478
Published: December 8, 2025

Summary

ngCERT alerts Nigerian cyberspace to critical vulnerabilities, tracked as CVE-2025-55182 in React Server Components and its duplicate CVE-2025-66478 in Next.js, with a severity score of 10.0. These flaws stem from insecure deserialization in the React Server Components (RSC) "Flight" protocol and enable unauthenticated remote code execution (RCE). In particular, the flaw, dubbed "React2Shell", allows attackers to send specially crafted HTTP requests containing malicious RSC payloads to Server Actions or Flight endpoints, resulting in arbitrary code execution on the server without authentication. Impacts include full server compromise, data theft, ransomware deployment, lateral movement, and persistent access. ngCERT strongly urges all organisations running affected versions of React and Next.js to install the patched releases immediately and to scan for signs of exploitation.

Description & Consequence

The React Server Components "Flight" protocol serializes server-rendered component trees into a custom text-based format for streaming to the client. The vulnerability lies in the server-side deserialization logic, which unsafely evaluates object prototypes and properties from untrusted RSC payloads, allowing gadget-chain exploitation similar to classic Java deserialization attacks. An unauthenticated attacker exploits this by submitting a malicious payload to any endpoint that accepts Server Actions (e.g., POST requests with "text/x-component" content or RSC-formatted bodies), often via forms, API routes, or direct Flight requests. The server processes the payload, triggering prototype pollution or property injection that leads to arbitrary code execution in the Node.js process context. Public proof-of-concept exploits are already available, and active scanning and exploitation have been observed within hours of disclosure.

  1. Unauthenticated remote code execution on application servers, enabling full system compromise.
  2. Data theft, ransomware deployment, cryptocurrency mining, or backdoor implantation.
  3. Lateral movement within cloud or internal networks from compromised web tiers.
  4. Supply-chain risk amplification, as many SaaS and public-facing sites use Next.js/React 19.

Solution

ngCERT recommends that organisations and users:

  1. Immediately upgrade to patched versions: React 19.0.1+, 19.1.2+, 19.2.1+ and Next.js 15.0.5+, 15.1.9+, 15.2.6+, 15.3.6+, 15.4.8+, 15.5.7+, 16.0.7+ (or the latest stable release).
  2. If an immediate upgrade is not possible, temporarily disable Server Actions or block requests with the "text/x-component" content type via WAF/CDN rules as an interim measure.
  3. Deploy detection rules for anomalous RSC/Flight traffic and monitor for new processes, outbound connections, or known exploit patterns.
  4. Conduct forensic review of affected servers for indicators of compromise since December 3, 2025.
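As an added example for step 1 (this is not ngCERT's code, nor tooling from the React or Next.js projects), the following Node.js script audits resolved dependency versions against the minimum patched releases listed in this advisory. It assumes a dependency map of package name to resolved version, as read from a lockfile; the function and constant names are the example's own. A version on a major.minor line the advisory does not list (an older line such as React 18, or a line released after the advisory) is reported as 'unlisted' rather than 'patched', because the advisory gives no floor for it.

```javascript
// Added example, not ngCERT's code nor the React/Next.js projects' own tooling:
// audit resolved React and Next.js versions against the minimum patched
// releases listed in this advisory. The floors below are copied from the
// advisory; any minor line not listed here must be checked against the
// projects' current release notes.

// Minimum patched release per affected major.minor line (from the advisory).
const PATCHED_FLOORS = {
  react: ['19.0.1', '19.1.2', '19.2.1'],
  next: ['15.0.5', '15.1.9', '15.2.6', '15.3.6', '15.4.8', '15.5.7', '16.0.7'],
};

// Parse "major.minor.patch" into numbers. A leading "v", "^" or "~" is
// tolerated: a range specifier is audited at its lower bound, so always
// prefer the resolved version from the lockfile over a package.json range.
function parseVersion(spec) {
  const m = /^[\^~]?v?(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  if (!m) throw new Error(`unparseable version: ${spec}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns 'patched', 'vulnerable' or 'unlisted'.
// 'unlisted' means the advisory gives no floor for that major.minor line;
// it is not a clean bill of health and needs a manual check.
function auditVersion(pkg, spec) {
  const floors = PATCHED_FLOORS[pkg];
  if (!floors) throw new Error(`no advisory data for package: ${pkg}`);
  const [major, minor, patch] = parseVersion(spec);
  const floor = floors
    .map(parseVersion)
    .find(([fMajor, fMinor]) => fMajor === major && fMinor === minor);
  if (!floor) return 'unlisted';
  return patch >= floor[2] ? 'patched' : 'vulnerable';
}

// Audit a dependency map (package name -> resolved version), e.g. the entries
// pulled from a lockfile. Packages the advisory does not cover are ignored;
// the result is sorted so 'vulnerable' findings come first.
function auditDependencies(resolved) {
  const order = { vulnerable: 0, unlisted: 1, patched: 2 };
  return Object.entries(resolved)
    .filter(([pkg]) => Object.prototype.hasOwnProperty.call(PATCHED_FLOORS, pkg))
    .map(([pkg, version]) => ({ pkg, version, status: auditVersion(pkg, version) }))
    .sort((a, b) => order[a.status] - order[b.status]);
}

// Constructed sample: a lockfile excerpt, not a real project's dependencies.
const SAMPLE_RESOLVED = {
  react: '19.1.1',   // below the 19.1.2 floor for the 19.1 line
  next: '15.4.8',    // exactly at the 15.4.8 floor for the 15.4 line
  express: '4.19.2', // not covered by this advisory, ignored
};

for (const f of auditDependencies(SAMPLE_RESOLVED)) {
  console.log(`${f.pkg}@${f.version}: ${f.status}`);
}
```

Run it against the versions actually resolved in the lockfile of each deployed application, not against package.json ranges, since a caret range can hide an unpatched resolution.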
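For steps 2 to 4, the following added example (not ngCERT's code, nor code from the React or Next.js projects) shows an interim request guard and a retrospective log sweep keyed on the one indicator the advisory names, a request Content-Type of "text/x-component", with the sweep limited to the forensic review window starting December 3, 2025. The middleware shape (an Express-style `(req, res, next)` handler), the access-log line format and the sample log entries are all assumptions constructed for this example; legitimate RSC traffic differs between frameworks and versions, so tune the rule against your own baseline before enforcing it.

```javascript
// Added example, not ngCERT's code nor React's or Next.js's: interim request
// blocking and log-based detection keyed on the request Content-Type
// "text/x-component" named in the advisory.

const FLAGGED_MEDIA_TYPE = 'text/x-component';
// Forensic review window from the advisory: activity on or after 3 Dec 2025.
const REVIEW_FROM = Date.UTC(2025, 11, 3); // month argument is 0-based

// Reduce a Content-Type header to its media type: drop parameters, lower-case.
function mediaType(contentType) {
  return String(contentType || '').split(';')[0].trim().toLowerCase();
}

// Decide whether a request carries the flagged media type.
// `req` is a minimal Node/Express-like request: { method, url, headers },
// with header names already lower-cased as Node's http module does.
function classifyRequest(req) {
  const headers = req.headers || {};
  const type = mediaType(headers['content-type']);
  if (type === FLAGGED_MEDIA_TYPE) {
    return { action: 'block', reason: `request content-type ${type}` };
  }
  return { action: 'allow', reason: 'content-type not flagged' };
}

// Express-style middleware (assumed usage: app.use(rscGuard)) that rejects
// flagged requests with 415 and logs them for the SOC.
function rscGuard(req, res, next) {
  const verdict = classifyRequest(req);
  if (verdict.action === 'block') {
    console.warn(`[rsc-guard] blocked ${req.method} ${req.url}: ${verdict.reason}`);
    res.statusCode = 415;
    res.end('Unsupported Media Type');
    return;
  }
  next();
}

// Retrospective sweep over access logs. The line format is constructed for
// this example: "<iso-timestamp> <client-ip> <method> <path> <status> ct=<content-type>".
const LOG_LINE = /^(\S+) (\S+) (\S+) (\S+) (\d{3}) ct=(\S*)$/;

// Returns entries at or after `since` whose request content type is flagged.
function findSuspiciousEntries(lines, since = REVIEW_FROM) {
  const hits = [];
  for (const line of lines) {
    const m = LOG_LINE.exec(line);
    if (!m) continue; // unparseable line: skip it, do not abort the sweep
    const [, ts, ip, method, path, status, ct] = m;
    const when = Date.parse(ts);
    if (Number.isNaN(when) || when < since) continue;
    if (mediaType(ct) !== FLAGGED_MEDIA_TYPE) continue;
    hits.push({ ts, ip, method, path, status: Number(status) });
  }
  return hits;
}

// Constructed sample log (RFC 5737 documentation addresses, not real clients).
const SAMPLE_LOG = [
  '2025-12-01T09:00:00Z 192.0.2.10 POST /api/submit 200 ct=application/json',
  '2025-12-02T23:59:00Z 198.51.100.7 POST /app 200 ct=text/x-component', // before window
  '2025-12-04T10:15:00Z 203.0.113.5 POST /app 200 ct=text/x-component;charset=utf-8',
  '2025-12-05T11:20:00Z 203.0.113.5 POST / 500 ct=TEXT/X-COMPONENT',
  '2025-12-06T08:00:00Z 192.0.2.10 GET /static/app.js 200 ct=-',
  'this line is not in the expected format',
];

for (const hit of findSuspiciousEntries(SAMPLE_LOG)) {
  console.log(`review ${hit.ts} ${hit.ip} ${hit.method} ${hit.path} -> ${hit.status}`);
}
```

The sweep deliberately normalises case and strips charset parameters before comparing, so variants of the header do not slip past the rule, and it reports the hits rather than acting on them: every flagged entry in the window is a starting point for the host-level review of new processes and outbound connections that step 3 calls for.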
