The web development ecosystem is facing a severe security challenge today. A critical pair of vulnerabilities – assigned CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) – has been publicly disclosed, exposing a massive number of applications to unauthenticated Remote Code Execution (RCE).
Discovered by independent security researcher Lachlan Davidson, these vulnerabilities fundamentally affect how React Server Components (RSC) handle data. The flaw resides in the "Flight" protocol mechanism within react-server packages, where unsafe deserialization allows attackers to craft malicious HTTP payloads. When processed, these payloads can trigger arbitrary code execution on the server – no authentication required.
Why This Incident Matters
The severity of this disclosure cannot be overstated (CVSS 10.0), primarily due to the ease of exploitation and the breadth of the impact:
- Default Vulnerability: This is not an edge case. Standard Next.js applications (created via create-next-app) built for production are vulnerable by default without any code modifications.
- Zero-Auth RCE: Attackers do not need valid credentials. A single crafted request to a vulnerable endpoint is enough to compromise the server.
- Broad Ecosystem Impact: While Next.js is the primary target, any framework bundling the vulnerable React RSC implementation – including Waku, RedwoodJS, and others – is effectively exposed.
- Supply Chain Complexity: Because the vulnerability exists in nested dependencies like react-server-dom-webpack, static analysis tools may struggle to surface the risk if they don't deeply resolve dependency trees.
Immediate Recommended Actions
Organizations running React 19 or Next.js (versions 15, 16, or 14 Canary) should take the following steps immediately:
- Upgrade Frameworks:
  - Next.js: Upgrade to patch releases 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7 immediately.
  - React: Ensure react-server-dom-* packages resolve to versions 19.0.1, 19.1.2, or 19.2.1.
- Verify Dependency Trees:
  - After patching, check your package-lock.json or yarn.lock to ensure the nested dependencies have actually updated.
- Downgrade if Necessary:
  - If you are on a vulnerable Canary version of Next.js 14, downgrade to the latest stable Next.js 14.x release if a patch is not viable.
How Sweet Security Strengthens Your Defense
High-velocity vulnerabilities like this highlight the critical gap between static software inventory and reality. Static scanners will flag every repository containing next or react in the manifest, potentially drowning security teams in thousands of alerts without context.
Sweet Security provides Runtime Vulnerability Management, giving you the decisive advantage of execution-based visibility.
- Distinguish "Installed" from "Running": Sweet’s sensor identifies exactly which libraries are loaded into memory and executed by the CPU. We can tell you instantly which workloads are actually running the vulnerable react-server components, versus those where the package is merely present in the repo but unused in production.
- Runtime Behavior Detection: Because this RCE relies on insecure deserialization to execute shell commands or spawn processes, Sweet’s runtime monitoring detects the anomalous execution behaviors associated with the exploit. We catch the act of exploitation, not just the potential for it.
- Prioritize Real Risk: By correlating the vulnerable CVE with active runtime execution, we allow your team to fix the internet-facing, actively running instances first, ignoring the noise of dormant dev tools or unused dependencies.
Conclusion
CVE-2025-55182 and CVE-2025-66478 serve as a wake-up call for the modern web stack. When foundational frameworks like React and Next.js are compromised, the blast radius is immense. Addressing this threat requires more than just npm update; it requires the ability to see what is actually happening inside your cloud workloads.
With Sweet Security, you move beyond static lists and into active defense, validating whether you are truly exposed and stopping exploitation in real time.
Ready to see this in action? Book a demo today to see your true runtime risk.