Highly Critical Vulnerabilities in React Server Components and Next.js

This information is intended for U-M IT staff who are responsible for university servers, websites, and cloud-based services.

Summary

Highly critical vulnerabilities have been disclosed in the React and Next.js ecosystems. These vulnerabilities have been scored a perfect 10/10 and must be patched immediately. Exploitation can allow unauthenticated attackers to execute arbitrary code on affected servers.

  • To protect websites already behind Cloudflare, ITS is adding a Cloudflare WAF rule to every zone that does not already have it, blocking the known exploit while web applications are patched to address the vulnerability.
  • Units need to identify impacted sites, applications, and services, and apply patches as soon as possible.

The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).

Problem

For sites that are behind Cloudflare, ITS is using a Cloudflare WAF rule to block the exploit at the zone level, but units still need to identify impacted systems and apply patches as soon as possible to address the underlying vulnerability. Vulnerable sites not behind Cloudflare have no such protection and must be patched immediately or taken offline. Exploitation of these issues can allow unauthenticated attackers to execute arbitrary code on affected servers.

Threats

The vulnerability is actively exploited in the wild.

Affected Systems

Sites, applications, and services that use any of the following, which may appear only as indirect dependencies of other packages rather than as direct dependencies:

  • React versions 19.0.1, 19.1.2, or 19.2.1
  • Next.js versions 15 or 16
  • Vite RSC plugin
  • Parcel RSC plugin
  • React Router RSC preview
  • RedwoodSDK
  • Waku

Detection

For vendor-provided web applications, check with the vendor to see if the product is impacted. For U-M applications, use the following checks:

Do you use server-side React with React Server Components (RSC)?

  • If you use Next.js with the App Router, assume YES.
  • If you use other RSC-enabled frameworks (RedwoodJS, Waku, etc.), assume YES.

Does your lockfile contain vulnerable package versions? Search package-lock.json, yarn.lock, etc., for the following:

  • Vulnerable React Packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack
  • Vulnerable Versions: 19.0.0, 19.1.0, 19.1.1, 19.2.0

Are you using an affected version of Next.js? Check for these versions (with App Router enabled):

  • 14.3.0-canary.77 and later canary releases
  • All 15.x versions prior to patch
  • All 16.x versions prior to patch
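
The lockfile check above can be scripted. The following Node.js script is an added example written for this advisory, not code from the advisory, React, or Next.js. It reads an npm package-lock.json (lockfile v2/v3 "packages" map; yarn.lock has a different format and is not handled) and reports any react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack entry at one of the four vulnerable versions listed above, any Next.js 14.3.0-canary.77 or later canary, and any Next.js 15.x or 16.x entry. Because this page does not state the patched 15.x/16.x release numbers, those entries are marked "review" rather than "vulnerable" so you can compare them against the fix release yourself. The sample lockfile embedded in the script is constructed for illustration.

```javascript
// Added example: scan an npm package-lock.json for the React Server Components
// packages and Next.js versions named in the advisory's Detection section.
// Version lists come from the advisory; the sample lockfile below is constructed.

// Vulnerable react-server-dom-* packages and versions named in the advisory.
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
const RSC_VULNERABLE_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);

// Parse "major.minor.patch[-prerelease]"; returns null when the string does not match.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Classify a Next.js version per the advisory: 14.3.0-canary.77 and later canaries
// are vulnerable; 15.x and 16.x are affected prior to the patched release, whose
// number this page does not give, so they are returned as "review".
function classifyNext(version) {
  const p = parseVersion(version);
  if (!p) return "unknown";
  if (p.major === 14 && p.minor === 3 && p.patch === 0 && p.pre) {
    const c = /^canary\.(\d+)$/.exec(p.pre);
    return c && +c[1] >= 77 ? "vulnerable" : "ok";
  }
  if (p.major === 15 || p.major === 16) return "review";
  return "ok";
}

// Walk the lockfile's "packages" map. Keys look like "node_modules/next" or, for
// nested installs, "node_modules/some-tool/node_modules/next"; the package name
// is whatever follows the last "node_modules/". The "" key is the root project.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path || !entry.version) continue;
    const idx = path.lastIndexOf("node_modules/");
    const name = idx === -1 ? path : path.slice(idx + "node_modules/".length);
    const version = entry.version;
    if (RSC_PACKAGES.has(name) && RSC_VULNERABLE_VERSIONS.has(version)) {
      findings.push({ name, version, path, status: "vulnerable" });
    } else if (name === "next") {
      const status = classifyNext(version);
      if (status !== "ok") findings.push({ name, version, path, status });
    }
  }
  return findings;
}

// Read and scan a real lockfile from disk (hypothetical helper for CLI use).
function scanFile(file) {
  const fs = require("fs");
  return scanLockfile(JSON.parse(fs.readFileSync(file, "utf8")));
}

// Constructed sample lockfile (not from any real project) covering each case:
// a vulnerable RSC package, a patched RSC package, a 15.x Next.js to review,
// and a nested vulnerable canary build pulled in by another tool.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-parcel": { version: "19.2.1" },
    "node_modules/next": { version: "15.5.0" },
    "node_modules/legacy-tool/node_modules/next": { version: "14.3.0-canary.80" },
  },
};

const sampleFindings = scanLockfile(SAMPLE_LOCK);
for (const f of sampleFindings) {
  console.log(`${f.status}\t${f.name}@${f.version}\t${f.path}`);
}
if (sampleFindings.length === 0) console.log("no advisory-listed packages found");
```

To run against a real project, call scanFile("path/to/package-lock.json") instead of scanLockfile(SAMPLE_LOCK). Nested node_modules paths matter: a vulnerable build can be installed under another package even when the top-level version is patched, which is why the script inspects every key rather than only top-level entries.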

Action Items

If you maintain React / Next.js code or deploy your own builds, you must:

  1. Patch React:
    1. Upgrade to the latest patched React 19.x release as published by the React maintainers (which includes fixes for CVE-2025-55182).
    2. Ensure any RSC-related packages (e.g. react-server-dom-*) are also updated.
  2. Patch Next.js:
    1. Upgrade to the latest stable Next.js release that contains the fix for CVE-2025-66478.
    2. Redeploy your application after upgrading to ensure the patched runtime is in effect.
  3. Redeploy & verify:
    1. Redeploy all affected applications after patching.
    2. Confirm deployments by:
      1. Checking build logs for the new versions.
      2. Running smoke tests / basic functional tests.
      3. Verifying that your CI/CD or SBOM tooling reflects patched versions.

If you are unsure whether your application is affected, assume it is and prioritize patching all React 19 / Next.js services, especially those accessible from the public internet.

Temporary Risk Reduction Options

If you need additional time to patch, we can help reduce exposure while you complete your updates. If you are currently behind the U-M Cloudflare service hosted by ITS, you have some protection, but you will need to patch or contact your vendor for mitigation steps.

You may open a support ticket or contact our operations team to request:

  1. Placement behind Cloudflare (recommended):
    1. ITS can move your application behind Cloudflare.
    2. ITS will:
      1. Enable WAF rules to block known exploit patterns targeting these CVEs.
      2. Optionally restrict inbound traffic to specific IP ranges (e.g. your corporate IPs / VPN) while you patch.
  2. Stricter inbound traffic controls (non-Cloudflare):
    1. Where supported, ITS will work with you to:
      1. Temporarily block or heavily rate-limit inbound traffic to vulnerable services.
      2. Limit access to internal networks or VPN-only.
    2. This is not a substitute for patching, but can reduce the attack surface while you test and patch your application.

Important: These mitigations do not remove the vulnerability. You still must patch React / Next.js as soon as possible.

Technical Details

Critical vulnerabilities have been disclosed in the React and Next.js ecosystems:

  • CVE-2025-55182: React.js / React Server Components (RSC). A maximum-severity pre-auth remote code execution vulnerability affecting React Server Components in React 19.x.
  • CVE-2025-66478: Next.js framework. A related critical vulnerability specifically impacting Next.js. This affects applications using React Server Components in Next.js. Exploitation of these issues can allow unauthenticated attackers to execute arbitrary code on affected servers.

How We Protect U-M

  • Cloudflare at U-M provides a critical security capability to protect university websites, web applications, and DNS (Domain Name System) servers from external attacks, particularly Distributed Denial of Service (DDoS) attacks, as well as attacks that attempt to compromise university websites and applications.
  • ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.