CVE-2025-55182 and CVE-2025-66478 - React and Next.js Remote Code Execution

This Playbook is part of the Cortex Response And Remediation Pack.

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

Vulnerability Overview

  • Vulnerability Name: Insecure Deserialization in React Server Components (RSC) "Flight" Protocol (also referred to as React2Shell)
  • CVE ID: CVE-2025-55182 (primary React RCE) and CVE-2025-66478 (Next.js RCE, affecting downstream implementations)
  • CVSS Score: 10.0 (Critical)

An unauthenticated Remote Code Execution (RCE) vulnerability exists in the core packages used by React Server Components (RSC), which are primarily exposed via the Next.js App Router. The flaw is an insecure deserialization issue in the RSC "Flight" protocol that allows an attacker to execute arbitrary code on the server by sending a single, crafted HTTP request. The vulnerability is present in default configurations of affected applications. Source: Unit42 - Palo Alto Networks

Mitigation and Recommendations

  • Apply the vendor patch to every affected React and Next.js deployment
  • Restrict access to the vulnerable servers until they are patched
  • Monitor for IoCs and suspicious traffic

Conclusion

CVE-2025-55182 is a critical, highly reliable, and unauthenticated RCE vulnerability in the modern React ecosystem. Due to its remote exploitability without user interaction or authentication, immediate patching is required to prevent server compromise.

View official CVE details on NIST

Vulnerable Versions

  • React: versions 19.0, 19.1, and 19.2
  • Next.js: versions 15.x and 16.x (App Router), as well as Canary builds starting from 14.3.0
  • Other frameworks: any library bundling the react-server implementation, including React Router, Waku, RedwoodSDK, and the Parcel and Vite RSC plugins
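The "Apply Patch" recommendation above starts with knowing which deployments carry a version in the ranges just listed. The following script is an added example, not part of the Cortex XSOAR playbook and not code from the React or Next.js projects: it walks a Node project's package-lock.json and flags React and Next.js packages whose versions fall in those ranges. It assumes that the React version surfaces in a lockfile under the names react, react-dom and react-server-dom-* (the latter two are assumptions, not names given on this page), and that the lockfile follows the standard lockfileVersion 1 or 2/3 layout. Because the page lists ranges by major.minor (React) or major (Next.js) only, a hit means "potentially affected, confirm the installed patch level against the vendor advisory", not "definitely unpatched". The sample lockfile embedded in the script is constructed for the demo.

```javascript
// Added example, not part of the Cortex XSOAR playbook or the React/Next.js
// projects: triage a Node project's package-lock.json for React / Next.js
// packages whose versions fall in the ranges this page lists as vulnerable.
// Run:  node rsc-version-triage.js [path/to/package-lock.json]

// Ranges taken from the "Vulnerable Versions" list on this page. They are given
// by major.minor (React) or major (Next.js) only, so a hit means "potentially
// affected: confirm the installed patch level against the vendor advisory".
const VULNERABLE = {
  react: ["19.0", "19.1", "19.2"], // React 19.0, 19.1, 19.2
  nextStable: [15, 16],            // Next.js 15.x and 16.x
  nextCanaryFrom: [14, 3, 0],      // Next.js canary builds from 14.3.0
};

// Package names to inspect. "react" and "next" come from the page; "react-dom"
// and the "react-server-dom-*" bundler packages (the RSC server implementation)
// are an assumption about how the React version surfaces in a lockfile.
function isRscRelevant(name) {
  return name === "react" || name === "react-dom" || name === "next" ||
    name.startsWith("react-server-dom-");
}

// Parse "19.2.0", "15.0.0-canary.12" or "^19.0.0" (range operator stripped).
function parseVersion(v) {
  const m = /^[\^~=v\s]*(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || "" };
}

// True when parsed version p is >= [major, minor, patch].
function atLeast(p, [major, minor, patch]) {
  if (p.major !== major) return p.major > major;
  if (p.minor !== minor) return p.minor > minor;
  return p.patch >= patch;
}

// True when (name, version) is inside a range the page lists as vulnerable.
function isPotentiallyAffected(name, version) {
  const p = parseVersion(version);
  if (!p || !isRscRelevant(name)) return false;
  if (name === "next") {
    if (VULNERABLE.nextStable.includes(p.major)) return true;
    return p.pre.startsWith("canary") && atLeast(p, VULNERABLE.nextCanaryFrom);
  }
  return VULNERABLE.react.includes(`${p.major}.${p.minor}`);
}

// Walk a parsed package-lock.json. lockfileVersion 2/3 keys "packages" by path
// ("node_modules/react", "node_modules/x/node_modules/react"); lockfileVersion 1
// nests "dependencies" by name. Returns one finding per affected entry.
function scanLockfile(lock) {
  const findings = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      const i = path.lastIndexOf("node_modules/");
      if (i < 0 || !entry.version) continue; // root or workspace entry
      const name = path.slice(i + "node_modules/".length);
      if (isPotentiallyAffected(name, entry.version)) {
        findings.push({ name, version: entry.version, path });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (entry.version && isPotentiallyAffected(name, entry.version)) {
          findings.push({ name, version: entry.version, path });
        }
        if (entry.dependencies) walk(entry.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

// Read and scan a lockfile from disk (only used when a path is supplied).
function scanLockfilePath(file) {
  const fs = require("fs");
  return scanLockfile(JSON.parse(fs.readFileSync(file, "utf8")));
}

// Constructed sample lockfile (not from a real project) used when no path is given.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { next: "15.1.0", react: "19.1.0" } },
    "node_modules/next": { version: "15.1.0" },
    "node_modules/react": { version: "19.1.0" },
    "node_modules/react-dom": { version: "19.1.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.0" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/legacy-tool/node_modules/react": { version: "18.3.1" },
  },
};

const results = process.argv[2] ? scanLockfilePath(process.argv[2]) : scanLockfile(SAMPLE_LOCK);
for (const f of results) console.log(`POTENTIALLY AFFECTED ${f.name}@${f.version} (${f.path})`);
if (results.length === 0) console.log("no React/Next.js packages in the listed vulnerable ranges");
```

Running it without arguments scans the embedded sample and reports next, react, react-dom and react-server-dom-webpack while ignoring the nested React 18 copy. The script deliberately keys on the lockfile rather than package.json, because package.json holds ranges such as ^19.0.0 that do not tell you which version is actually installed on the server.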

Playbook Triggers

  • Manually - Create a new incident and select this playbook from the dropdown menu.

Playbook Flow

  1. Collects IoCs from the Unit42 blog.
  2. Uses XQL to detect any suspicious command lines indicative of exploitation of this vulnerability.
  3. Investigates the command lines to identify malicious indicators related to the vulnerability.
  4. Uses XQL to hunt for malicious IoCs.
  5. Isolates possible compromised servers.
  6. Blocks malicious indicators using the "Containment Plan – Block Indicators" playbook.
  7. Provides mitigation recommendations.

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Containment Plan - Block Indicators

Integrations

This playbook does not use any integrations.

Scripts

  • CommandLineAnalysis
  • IsIntegrationAvailable
  • ParseHTMLIndicators
  • SetAndHandleEmpty
  • get-endpoint-data
  • isolate-endpoint

Commands

  • associateIndicatorsToAlert
  • closeInvestigation
  • createNewIndicator
  • extractIndicators
  • xdr-xql-generic-query

Playbook Inputs

There are no inputs for this playbook.

Playbook Outputs

There are no outputs for this playbook.

Playbook Image

(Image: CVE-2025-55182 and CVE-2025-66478 - React and Next.js Remote Code Execution)