Security Advisory

【Vulnerability Notice】React Server Components RCE Vulnerability (CVE-2025-55182)

Dec 09, 2025

On Dec. 4, 2025, Alibaba Cloud Security became aware that Meta's React team and Vercel's Next.js team had published coordinated advisories disclosing two Critical vulnerabilities: CVE-2025-55182 (React Server Components) and CVE-2025-66478 (Next.js). Under certain conditions, an attacker who can send HTTP requests to an affected application can exploit these vulnerabilities to execute arbitrary code on the server. Alibaba Cloud Security has also observed that well-known offensive toolkits have already released exploit modules for this vulnerability.

To avoid any impact on your business, Alibaba Cloud Security recommends that you promptly check whether your applications are affected and, if they are, upgrade to a patched version without delay to prevent intrusion by external attackers.

Vulnerability Description

React Server Components (RSC) is a component model introduced in React 19 in which components are rendered on the server; it is the foundation of server-side rendering in frameworks such as Next.js. CVE-2025-55182 is caused by insufficient validation when the RSC server runtime (the react-server-dom-* packages) deserializes request payloads, including client-side form submissions, sent to Server Function (Server Action) endpoints. An attacker can craft a malicious request that causes the server to invoke certain built-in modules it should never expose, ultimately leading to unauthorized code execution. Because mainstream frameworks such as Next.js ship the RSC runtime (Next.js 15.x and 16.x depend on the affected react-server-dom-* packages), they are affected as well; the Next.js issue is tracked separately as CVE-2025-66478. Do not assume an application is safe because its own code defines no Server Functions: treat every deployment that bundles an affected react-server-dom-* package as exposed until it is patched.

Affected Versions

For the React Server Components runtime packages, the affected versions are:

react-server-dom-parcel 19.0.0, 19.1.0, 19.1.1, 19.2.0

react-server-dom-turbopack 19.0.0, 19.1.0, 19.1.1, 19.2.0

react-server-dom-webpack 19.0.0, 19.1.0, 19.1.1, 19.2.0

The corresponding patched releases of all three packages are 19.0.1, 19.1.2 and 19.2.1.

For Next.js, the affected versions are:

14.3.0-canary.77 <= Next < 15.0.5

15.1.0 <= Next < 15.1.9

15.2.0 <= Next < 15.2.6

15.3.0 <= Next < 15.3.6

15.4.0 <= Next < 15.4.8

15.5.0 <= Next < 15.5.7

16.0.0 <= Next < 16.0.7

Next.js releases below 14.3.0-canary.77, including the stable Next.js 14 line, are outside the affected range; that is why the guidance below for 14.3 canary users is to return to a stable 14 release.

Remediation Recommendations

Check whether your applications use an affected react-server-dom-* package, either directly or through a framework built on it (such as Next.js). If they do, upgrade to a patched version as soon as possible. For Next.js, upgrade to the patched release of the minor line you are currently on, for example:

npm install next@15.0.5 # for 15.0.x

npm install next@15.1.9 # for 15.1.x

npm install next@15.2.6 # for 15.2.x

npm install next@15.3.6 # for 15.3.x

npm install next@15.4.8 # for 15.4.x

npm install next@15.5.7 # for 15.5.x

npm install next@16.0.7 # for 16.0.x

If you are using Next.js 14.3.0-canary.77 or a later canary version, downgrade to the latest stable Next.js 14 release:

npm install next@14

Users of other RSC-based frameworks and bundler integrations should follow the React team's guidance at https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components for the relevant checks and upgrades. After upgrading, rebuild and redeploy every affected application; changing the dependency in a lockfile alone does not patch instances that are already running.

Relevant Reference Links:

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

https://nextjs.org/blog/CVE-2025-66478

https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp

https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r

https://avd.aliyun.com/detail?id=AVD-2025-66478

https://avd.aliyun.com/detail?id=AVD-2025-55182