Unpacking CVE-2025-55182: The Critical RCE Flaw in Next.js
Urgent Security Alert: A critical Remote Code Execution (RCE) vulnerability has been disclosed in the React Server Components implementation shipped by Next.js, one of the most widely used React frameworks. Tracked as CVE-2025-55182, the flaw carries the maximum CVSS score of 10.0.
What is the Vulnerability?
The issue lies in the React Server Components (RSC) "Flight" protocol implementation used by the Next.js App Router. It is an insecure deserialization flaw: the server decodes incoming RSC payloads and acts on them without adequately validating their structure first.
How it Works
An attacker sends a single specially crafted HTTP request to a vulnerable Next.js server. Because the deserializer does not validate the structure of the payload before acting on it, the attacker can steer server-side logic and ultimately execute arbitrary code with the privileges of the process running Next.js.
Key details:
- No Authentication Required: The attacker does not need to be logged in.
- Default Configurations Affected: Applications created with create-next-app (which uses the App Router by default) are vulnerable out of the box.
- High Reliability: Exploits are reported to be near-100% reliable.
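As an added illustration of the bug class described in this section (not code from the original post, from React, or from Next.js, and not the CVE-2025-55182 exploit), the following toy JavaScript shows a reference-resolving deserializer that trusts the structure of a client payload, beside a hardened version that validates the reference before looking anything up. The protocol, the registry object, the $ref field and the hostile input are all invented for the example; the point is general: a payload field that selects server-side objects by name must be checked against an allow-list of own properties, never walked as a path.

```javascript
// Added illustration of the insecure-deserialization class. This is a toy
// protocol written for this example; it is NOT the React Flight wire format,
// NOT Next.js code, and NOT the CVE-2025-55182 exploit.

// Server-side objects a client may legitimately refer to by id (constructed).
const registry = {
  greeting: { text: "hello" },
  counter: { value: 1 },
};

// VULNERABLE resolver: treats the client's "$ref" as a dotted property path and
// walks it. Nothing restricts the walk to own properties of `registry`, so the
// client can step through inherited properties: "greeting.constructor.constructor"
// is Object -> Function, a code-execution primitive handed straight to the caller.
function resolveUnsafe(payloadText) {
  const payload = JSON.parse(payloadText);
  if (typeof payload.$ref !== "string") return payload;
  return payload.$ref.split(".").reduce((obj, key) => obj[key], registry);
}

// HARDENED resolver: a reference is an opaque id that must be an own property
// of the registry; anything else is rejected before any lookup happens.
function resolveSafe(payloadText) {
  const payload = JSON.parse(payloadText);
  if (typeof payload.$ref !== "string") return payload;
  if (!Object.hasOwn(registry, payload.$ref)) {
    throw new Error(`unknown reference: ${payload.$ref}`);
  }
  return registry[payload.$ref];
}

// Runs both resolvers on the same benign and hostile (constructed) inputs and
// returns what happened, so the difference can be checked rather than eyeballed.
function demo() {
  const benign = '{"$ref":"greeting"}';
  const hostile = '{"$ref":"greeting.constructor.constructor"}'; // constructed attacker input
  const leaked = resolveUnsafe(hostile); // the Function constructor
  let safeRejected = false;
  try {
    resolveSafe(hostile);
  } catch {
    safeRejected = true;
  }
  return {
    benignText: resolveSafe(benign).text,     // "hello": legitimate references still work
    unsafeLeaksFunction: leaked === Function, // true: the walk escaped the registry
    unsafeRunsCode: leaked("return 6 * 7")(), // 42: attacker-chosen source ran server-side
    safeRejected,                             // true: rejected before any lookup
  };
}
```

The hardened version is deliberately boring: it does not try to detect dangerous property names, it simply refuses to treat the reference as anything other than an exact key in an allow-list, which is the shape of fix that survives the next bypass.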
Affected Versions
The vulnerability impacts Next.js applications using the App Router in the following versions:
- Next.js 15.x
- Next.js 16.x
- Next.js 14.3.0-canary.77 and later canary releases
Note: Next.js 13.x, Next.js 14.x stable releases, and applications that use only the Pages Router are reportedly NOT affected.
Immediate Remediation
If you are running an affected version, upgrade immediately. The Next.js team has released fixes in the following versions (one patched release per affected minor line):
- 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7
- 16.0.7
To upgrade to the newest release, run the following command in your project directory:
npm install next@latest react@latest react-dom@latest
Note that next@latest resolves to the newest major line (16.x). If you cannot take a major-version jump right now, install the patched release of the minor line you are already on instead (for example npm install next@15.5.7), then confirm the resolved version with npm ls next.
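To decide quickly which of the versions listed above a given deployment is running, here is an added JavaScript (Node) checker; it is example code written for this article, not a Next.js tool. The patched releases and the 14.3.0-canary.77 boundary are taken from the lists above; the version parsing is written inline so the script needs no dependencies, and it assumes that any release newer than the listed patched release of its major line (15.6.x, 16.1.x, 17.x) includes the fix.

```javascript
// Added example, not code from the advisory or the Next.js project: classify an
// installed Next.js version against the affected/patched lists in the text.
// Assumption (see the fix === undefined branch): releases newer than the listed
// patched release of their major line contain the fix.

// Patched releases, one per affected minor line (from the advisory).
const PATCHED = ["15.0.5", "15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7"];
// First affected canary (from the advisory); 14.x stable is not affected.
const FIRST_AFFECTED_CANARY = { core: "14.3.0", tag: "canary", number: 77 };

// Parse an exact "MAJOR.MINOR.PATCH[-PRERELEASE]" string. Ranges such as "^15.3.1"
// (what package.json holds) are rejected: only the resolved version matters.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(text).trim());
  if (!m) throw new Error(`not an exact version: ${text}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ?? null };
}

// Semver ordering: numeric core first; a prerelease sorts before its release
// (16.0.7-canary.1 < 16.0.7), so prereleases of the fix are still treated as exposed.
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1; // lexical tie-break is adequate for this check
}

// Returns { affected: boolean, fixedIn: string|null, reason: string }.
function assessNextVersion(text) {
  const v = parseVersion(text);
  const core = `${v.major}.${v.minor}.${v.patch}`;
  const prefix = `${FIRST_AFFECTED_CANARY.tag}.`;

  // 14.3.0-canary.77 and later canaries are affected; no patched 14.3 canary is listed.
  if (core === FIRST_AFFECTED_CANARY.core && v.pre !== null && v.pre.startsWith(prefix)) {
    const n = Number(v.pre.slice(prefix.length));
    const affected = Number.isInteger(n) && n >= FIRST_AFFECTED_CANARY.number;
    return {
      affected,
      fixedIn: affected ? "15.5.7 or 16.0.7" : null,
      reason: affected ? "14.3 canary at or after canary.77" : "14.3 canary before canary.77",
    };
  }
  if (v.major < 15) {
    return { affected: false, fixedIn: null, reason: "13.x and 14.x stable are not affected" };
  }

  const patched = PATCHED.map(parseVersion);
  const fix = patched.find((p) => p.major === v.major && p.minor === v.minor);
  if (fix === undefined) {
    // Assumption: a minor or major line newer than every listed patched release
    // (15.6.x, 16.1.x, 17.x, ...) was cut after the fix and includes it.
    return { affected: false, fixedIn: null, reason: "newer than the listed patched lines (assumed fixed)" };
  }
  const fixText = `${fix.major}.${fix.minor}.${fix.patch}`;
  return compareVersions(v, fix) < 0
    ? { affected: true, fixedIn: fixText, reason: `below patched release ${fixText}` }
    : { affected: false, fixedIn: null, reason: `at or above patched release ${fixText}` };
}

// Usage from a project directory (pass the resolved version, not the package.json range):
//   node check-next.js "$(node -p "require('next/package.json').version")"
// Exit status 1 means "affected", so the check can gate a CI pipeline.
if (typeof process !== "undefined" && process.argv.length > 2) {
  try {
    const result = assessNextVersion(process.argv[2]);
    console.log(JSON.stringify(result));
    process.exitCode = result.affected ? 1 : 0;
  } catch (err) {
    console.error(err.message);
    process.exitCode = 2;
  }
}
```

Feed it the version actually resolved in node_modules (or the lockfile), not the caret range in package.json: a range such as ^15.3.1 tells you nothing about which 15.x the build installed, and a prerelease of the fix version is still reported as exposed on purpose.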
Detection and Prevention
Beyond patching, security teams should watch for anomalous HTTP requests aimed at the RSC endpoints of App Router applications; reported indicators include malformed or unexpectedly structured payloads in request bodies. Two caveats apply: standard access logs do not record request bodies, so this kind of detection needs a WAF or reverse proxy that inspects them, and payload signatures are a detective control that can be evaded, not a substitute for the upgrade.
Use our Website Security Scanner to check for common misconfigurations, though patching is the only true fix for this specific CVE.
Conclusion
This is a wake-up call for the ecosystem. Deserialization vulnerabilities remain a top threat. Always ensure your frameworks are updated to the latest security patches.