
"According to Wiz and fellow security firm Aikido, the vulnerability, tracked as CVE-2025-55182, resides in Flight, a protocol found in the React Server Components. Next.js has assigned the designation CVE-2025-66478 to track the vulnerability in its package. The vulnerability stems from unsafe deserialization, the coding process of converting strings, byte streams, and other "serialized" formats into objects or data structures in code. Hackers can exploit the insecure deserialization using payloads that execute malicious code on the server."
"'When a server receives a specially crafted, malformed payload, it fails to validate the structure correctly,' Wiz explained. 'This allows attacker-controlled data to influence server-side execution logic, resulting in the execution of privileged JavaScript code.' The company added: 'In our experimentation, exploitation of this vulnerability had high fidelity, with a near 100% success rate and can be leveraged to a full remote code execution. The attack vector is unauthenticated and remote, requiring only a specially crafted HTTP request to the target server.'"
React versions 19.0.1, 19.1.2, and 19.2.1 include vulnerable code in Flight, the protocol used by React Server Components. The flaw is tracked as CVE-2025-55182; Next.js tracks the impact on its own package under the related identifier CVE-2025-66478. The vulnerability arises from unsafe deserialization: serialized input is converted into objects without sufficient validation of its structure. Crafted payloads can execute attacker-controlled server-side JavaScript, enabling full remote code execution. In testing, exploitation succeeded at a near 100% rate and required only a specially crafted, unauthenticated HTTP request. Patched React releases enforce stricter validation and hardened deserialization. Administrators and developers should upgrade, then scan dependency trees and repositories for remaining affected copies.
Read at Ars Technica