
@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

This post analyzes critical remote code execution (RCE) vulnerabilities in the React Server Components (RSC) ecosystem, tracked as CVE-2025-55182 (React) and CVE-2025-66478 (Next.js). Both are rated CVSS 10.0. CVE-2025-66478 has since been formally rejected as a duplicate of CVE-2025-55182, but remains useful as a reference in Next.js advisories.


How React Server Components and Flight Are Involved
R...

🔧 Technical Details

Abusing Insecure Flight Deserialization in React Server Components for RCE
The key trick is to treat the React Server Components Flight protocol as an attack surface: any HTTP endpoint that deserializes RSC payloads with vulnerable react-server / react-server-dom-* code can be driven into arbitrary server-side JavaScript execution. Instead of supplying benign serialized component state, an attacker sends a specially crafted (but structurally valid enough) Flight payload in a POST request. Because the server’s Flight deserializer does not sufficiently validate which objects and operations can be reconstructed from this data, attacker-controlled fields end up steering server-side control flow. In any stack where React 19 RSC is enabled, the exploitation pattern is: (1) identify the RSC/React Server Function endpoint, (2) send crafted Flight messages, (3) cause the RSC runtime to materialize components or logic paths that exec...

🤖 Agent Actions

Summary:

  • Added a dedicated “React Server Components Flight deserialization (React 19 / Next.js CVE-2025-55182)” section to the main deserialization guide, explaining the attack surface, exploitation workflow, and high-reliability nature of the Flight logic flaw affecting React 19 and App Router defaults.
  • Documented the Unit 42 XQL hunting queries (plus additional telemetry heuristics) and the patched React/Next.js versions so pentesters can simulate/detect post-exploitation behavior and validate mitigations across other RSC-enabled frameworks.
  • Updated the file-wide references list with the Unit 42 blog, the official React advisory, and the Next.js advisory to cite the new content.

Tests: Not run (not applicable).


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
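As an added defender-side example, not code from this PR, the HackTricks page or the Unit 42 post: a Python audit of a package-lock.json for the React Server Components packages named above (react-server-dom-*, next), comparing every installed copy, nested ones included, against the first fixed version of its own release line. The version numbers in the table are placeholders, since the patched versions are not quoted on this page; the lockfile layout assumed is npm's lockfileVersion 2/3 format.

```python
import json

# Hypothetical release-line -> first-fixed-version table; the numbers are
# PLACEHOLDERS, take the real ones from the React and Next.js advisories.
# Fixes get backported to several lines, so compare against the line's own fix.
PATCHED_VERSIONS = {
    "react-server-dom-webpack": {"19.0": "19.0.9", "19.1": "19.1.9", "19.2": "19.2.9"},
    "react-server-dom-turbopack": {"19.0": "19.0.9", "19.1": "19.1.9", "19.2": "19.2.9"},
    "next": {"15.0": "15.0.9", "15.1": "15.1.9", "16.0": "16.0.9"},
}

def parse_version(version):
    """Comparable tuple; a pre-release tag sorts BELOW the final release
    ('19.2.9-canary-x' < '19.2.9'), so canaries are never assumed fixed."""
    core, dash, _tag = version.split("+", 1)[0].partition("-")
    return tuple(int(p) for p in core.split(".")) + (0 if dash else 1,)

def package_name(lock_path):
    """'node_modules/a/node_modules/@scope/pkg' -> '@scope/pkg'."""
    return lock_path.rsplit("node_modules/", 1)[-1]

def audit_lockfile(lock_text):
    """Scan a lockfileVersion 2/3 package-lock.json (nested copies included)
    and return (name, lock_path, installed, first_fixed) for unpatched entries.
    Release lines absent from the table are skipped: review those by hand."""
    findings = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        name, installed = package_name(path), meta.get("version")
        if not path or name not in PATCHED_VERSIONS or not installed:
            continue  # "" is the root project entry
        line = ".".join(installed.split(".")[:2])
        fixed = PATCHED_VERSIONS[name].get(line)
        if fixed and parse_version(installed) < parse_version(fixed):
            findings.append((name, path, installed, fixed))
    return findings

# Constructed sample lockfile (not a real project): a nested, unpatched copy of
# react-server-dom-webpack hides under another dependency; a canary build of
# react-server-dom-turbopack carries the fixed version number but is not fixed.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/next": {"version": "15.1.9"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.9"},
        "node_modules/some-lib/node_modules/react-server-dom-webpack": {"version": "19.1.2"},
        "node_modules/react-server-dom-turbopack": {"version": "19.2.9-canary-0abc"},
    },
})

print(audit_lockfile(SAMPLE_LOCK))  # two findings: the nested copy and the canary
```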

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-next/

Content Categories: Based on the analysis, this content was categorized under "pentesting-web/deserialization or pentesting-web/pentesting-web-methodology (subsection: "Insecure Deserialization in React Server Components (Flight) and Next.js App Router")".

Repository Maintenance:

  • MD Files Formatting: 914 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

