Act, Don't React
By GAYINT Staff
Ho ho holy shit, happy holidays! It seems we were gifted exactly what we asked for this holiday season... a perfect 10 pre-auth RCE in React, CVE-2025-55182, with the downstream Next.js also being affected (CVE-2025-66478).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
The patch to the vuln seems to be here.
The patch appears to do a few things:
- Adds hasOwnProperty() checks so that lookups in places like requireModule() only return the object's own properties, not properties inherited (or polluted) through the prototype chain
- Ensures backingEntry in getChunk() only accepts strings (rather than any value)
- Wraps resolveField() in a try/catch block. An error is now caught rather than thrown out of the parser and is passed to busboyStream.destroy(), so the stream is torn down in a controlled manner and no further processing of the request takes place.
So... do you have to freak out?
Well, only if you run:
- React Server Components versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0, including the following packages:
  - react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack

or

- Next.js versions ≥14.3.0-canary.77, ≥15, or ≥16
If so, you can find React's recommended update instructions here (including affected downstream applications like Next.js).
Good luck parsing through your inventories.
Updated: 03 December 2025