top of page
Search

This Is React and Next.js’ Log4j Moment: Patch Now Before the Window Closes

  • Writer: Kyber Tech
    Kyber Tech
  • Dec 5, 2025
  • 4 min read

Modern engineering moves fast. Frameworks like React and Next.js power the front doors of the digital economy, from marketing sites and customer portals to SaaS platforms and internal tools.


They make it easy for teams to ship features quickly. They also pull in a deep supply chain of packages, build tools, and server runtimes that most organizations never audit.


Two new vulnerabilities in that ecosystem just changed the risk equation in a big way.


CVE-2025-55182 and CVE-2025-66478: Unauthenticated RCE In Default Configurations


This week, critical flaws were disclosed in React Server Components (CVE-2025-55182) and in the Next.js implementation of the same protocol (CVE-2025-66478).


Both vulnerabilities allow unauthenticated remote code execution on the server by sending a single crafted HTTP request to the React Server Components “Flight” endpoint.


No authentication. No user interaction. No exotic setup. Just default, everyday configurations.


In other words, if your engineering teams use React Server Components or any modern Next.js App Router deployment, these issues sit squarely on the path your application exposes to the internet.


Both CVEs are rated CVSS 10 for a reason.


Why This Deserves Your Full Attention


The scale is massive.


Next.js is used in nearly seven out of ten cloud environments. React Server Components have quietly become a dependency inside multiple frameworks beyond React and Next.js themselves.


For many teams, this vulnerability exists even if they didn’t realize they were using RSC features at all.


Security researchers have confirmed that:


  • The exploit works with very high reliability

  • It hits default configurations

  • Proof-of-concept exploit code is already circulating

  • WAF rule updates have been released by major vendors

  • A large percentage of cloud environments contain vulnerable versions


This is the same pattern we saw in Log4j. The reach is enormous, the exploitability is trivial, and the vulnerability surfaced in a package almost everyone uses without questioning.


Right now, there’s no confirmed widespread in-the-wild exploitation. That is the good news. The bad news is that the window between PoC and active exploitation tends to be measured in days, not weeks.


You don’t wait for KEV to add something when the risk profile looks like this.


Why This Problem Hits So Hard


These vulnerabilities sit in the server runtime of RSC and the App Router. That means an attacker who gets in through this flaw isn’t landing in a harmless corner of your code.


They are landing inside the piece of your application that usually has:


  • Direct access to secrets and environment variables

  • Connectivity to your database

  • Access to internal APIs

  • Privileges inside your production container or compute runtime


RCE isn’t the end goal. It’s the beginning of a much bigger problem.


The Lesson For Leaders: Know What You Actually Run


This is one of those moments that exposes a larger truth in modern engineering:

Most organizations don’t actually know what frameworks or transitive dependencies they run in production.


Teams proudly say, “We don’t use React 19,” only to discover their framework quietly shipped RSC under the hood.


This is why SBOMs matter. This is why inventories matter. This is why security and engineering cannot afford to operate in silos anymore.


When the ecosystem moves fast, blind spots become liabilities.


What You Should Do Today


Here is the practical path forward that every CISO, CTO, and engineering leader can take right now:


1. Inventory Your Exposure


Don’t ask abstract questions. Ask specific ones:


  • Do we run Next.js App Router?

  • Do we run React Server Components anywhere?

  • Do any frameworks or plugins we use bundle RSC logic?


Use your SCA tools, Wiz, Snyk, or simple grep searches to identify affected packages.


2. Patch To The Fixed Versions


React: 19.0.1, 19.1.2, 19.2.1


Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 (or 14.3.0-canary.88 for canary users)


3. Treat WAF Signatures As Temporary


Yes, the cloud providers and WAF vendors already released protection rules. No, they are not the fix. They buy you time. That’s all.


4. Monitor The Endpoints Involved


Look for:


  • Requests to React Server Component endpoints

  • Suspicious deserialization activity

  • Unexpected Node child processes

  • Unusual outbound connections from app containers


5. Use This As A Maturity Checkpoint


Every org should ask:


  • Do we know what we actually deploy?

  • Can we patch quickly across dozens or hundreds of services?

  • Can security and engineering mobilize together without drama or bureaucracy?

  • Do we test our “patch now” muscle regularly?


This is one of those moments where speed matters more than polish.


This Is A Warning Shot For The Future of Web App Security


React Server Components, Server Actions, edge runtimes, fancy rendering pipelines, all of these innovations accelerate product development.


They also expand the attack surface in ways most organizations are not evaluating closely enough.


As complexity rises, so does fragility.


If Log4j taught us anything, it was this:


The world breaks when a widely used component fails silently in the background while everyone assumes someone else is watching.


We’re in that moment again, but now in the JavaScript and cloud-native ecosystem.


The right move is simple:


Patch now. Verify your exposure. Tighten your inventories. And treat this as a drill for the next one, because it won’t be long before we see another.

bottom of page