CVE-2025-66478 Vulnerability
Published: 4/24/2026
What is CVE-2025-66478 Vulnerability?
CVE-2025-66478 is a Critical Unauthenticated Remote Code Execution (RCE) vulnerability.
RCE (Remote Code Execution): It allows an attacker to execute arbitrary code on the target server.
Unauthenticated: No prior authorization or login is required to exploit the flaw.
Root Cause: Insecure Deserialization.
Identified as a critical security flaw, it enables attackers to compromise high-value targets, steal sensitive data, or establish persistence for further malicious activities.
When was it discovered?
CVE-2025-66478 was first disclosed to the public on December 3rd, 2025, after being reported by Wiz Research (specifically Gili Tikochinski, Merav Bar, and Danielle Aminov).
Affected products and patched versions
The vulnerability resides in the react-server package and its implementation of the React Server Components (RSC) "Flight" protocol. Default configurations are vulnerable.
Affected Product | Vulnerable Versions | Patched Releases (Recommended Upgrade) |
React | react-server-dom* (19.0.x, 19.1.x, 19.2.x) | 19.0.1, 19.1.2, and 19.2.1 |
Next.js (with App Router) | 14.3.0-canary, 15.x, 16.x | 14.3.0-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 |
Other potentially affected frameworks/libraries bundling the react-server implementation:
Vite RSC plugin
Parcel RSC plugin
React Router RSC preview
RedwoodSDK
Waku
CVE-2025-66478 Technical Description
The vulnerability (initially tracked as both CVE-2025-55182 in React and CVE-2025-66478 in Next.js, with the latter being a duplicate) is a logical deserialization vulnerability within the React Server Components (RSC) "Flight" protocol.
The flaw occurs when the server processes RSC payloads:
The server fails to safely validate the structure of an incoming payload.
An attacker sends a specially crafted, malformed payload.
The insecure deserialization logic allows the attacker's controlled data to influence the server's execution logic.
This ultimately results in the execution of privileged JavaScript code on the server, leading to RCE.
TTPs (Tactics, Techniques, and Procedures)
Tactic: Execution (Gaining remote access and running code).
Technique: T1190 (Exploitation of Public-Facing Application) and T1498 (Insecure Deserialization).
Procedure: The attack requires only a single, specially crafted HTTP request to the target server, making it extremely simple and highly reliable (near 100% success rate in testing). The attack is unauthenticated and targets applications utilizing React Server Components, especially those built on frameworks like Next.js that are exposed publicly.
IoCs (Indicators of Compromise)
Exploitation has been observed in the wild by security teams (including Wiz Research, Amazon Threat Intelligence, and Datadog), indicating active use.
However, specific traditional IoCs such as file hashes, network traffic signatures, or command-and-control (C2) domains have not been determined. Organizations must instead monitor for post-exploitation activity: suspicious processes, or network connections originating from their vulnerable application servers.
Known Proof of Concepts (PoCs)
Wiz Research developed a fully working RCE Proof-of-Concept (PoC) with near 100% reliability, though they initially withheld its details to protect the ecosystem.
UPDATE: Public RCE exploits are now available, so the exploit technique is widely known and accessible to attackers.
How to detect and mitigate the vulnerability
The most critical and definitive action is to patch the affected software immediately.
Mitigation (Patching)
Upgrade React and Dependencies: Update your react-server-dom* package and other dependencies to the hardened versions listed in the table above (e.g., React to 19.0.1 or newer, Next.js to 15.0.5 or newer).
Other Frameworks: For other RSC-enabled frameworks (Redwood, Waku, etc.), check their official channels for updates regarding the bundled react-server version and update immediately.
Detection
Vulnerability Scanning: Use vulnerability scanners to check application dependencies against the list of vulnerable versions (react-server-dom* 19.0.x/19.1.x/19.2.x and Next.js 14.x/15.x/16.x).
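As an added example (not part of this advisory, and not the React or Next.js projects' own tooling), the Node.js checker below compares exact resolved dependency versions against the patched releases in the table above, including the canary prerelease line; the package map it audits is a constructed sample, and the lockfile flattening that would produce such a map is assumed, not shown.

```javascript
// First patched release per affected minor line, taken from the table above.
const PATCHED = {
  "react-server-dom": { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" },
  next: { "14.3": "14.3.0-canary.88", "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6",
          "15.3": "15.3.6", "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7" },
};
// Split "14.3.0-canary.87" into numeric core [14,3,0] and prerelease ids ["canary",87].
function parse(version) {
  const [core, pre] = version.split("-");
  const preIds = pre ? pre.split(".").map(x => (/^\d+$/.test(x) ? Number(x) : x)) : null;
  return { nums: core.split(".").map(Number), preIds };
}
// Semver-style ordering: negative if a < b. A release outranks its own prereleases.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a.nums[i] !== b.nums[i]) return a.nums[i] - b.nums[i];
  if (!a.preIds || !b.preIds) return (a.preIds ? 0 : 1) - (b.preIds ? 0 : 1);
  for (let i = 0; i < Math.max(a.preIds.length, b.preIds.length); i++) {
    const x = a.preIds[i], y = b.preIds[i];
    if (x === undefined || y === undefined) return x === undefined ? -1 : 1;
    if (x === y) continue;
    if (typeof x === "number" && typeof y === "number") return x - y;
    return typeof x === "number" ? -1 : String(x).localeCompare(String(y));
  }
  return 0;
}
// Map a package name to its table row (react-server-dom-webpack, -parcel, ... share one row).
function family(name) {
  if (name.startsWith("react-server-dom-")) return "react-server-dom";
  return name === "next" ? "next" : null;
}
// "vulnerable" if older than its minor line's patched release, "patched" otherwise,
// "unlisted" for packages or minor lines the table does not cover.
function assess(name, version) {
  const fam = family(name);
  if (!fam) return "unlisted";
  const v = parse(version);
  const fixed = PATCHED[fam][`${v.nums[0]}.${v.nums[1]}`];
  if (!fixed) return "unlisted";
  return cmp(v, parse(fixed)) < 0 ? "vulnerable" : "patched";
}
// Audit a {name: version} map of resolved versions; returns only the vulnerable entries.
function audit(deps) {
  return Object.entries(deps)
    .map(([name, version]) => ({ name, version, status: assess(name, version) }))
    .filter(f => f.status === "vulnerable");
}
// Constructed sample map, not taken from a real project.
const SAMPLE = { next: "15.4.7", "react-server-dom-webpack": "19.2.1",
                 "react-server-dom-turbopack": "19.1.1", react: "19.2.0" };
console.log(audit(SAMPLE));
```

Packages the table does not list (such as react itself, or a minor line newer than the table) come back as "unlisted" rather than "patched", so they still need a manual check against the vendor advisory.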
Impact & risk of CVE-2025-66478 vulnerability
The technical and business impact of CVE-2025-66478 is severe. Exploitation could lead to server compromise, exposing sensitive data or enabling attackers to deploy ransomware. Integrity and availability are also at risk, as attackers might disrupt services or tamper with critical operations.
Mitigation & remediation strategies
Organizations should immediately apply the patch provided by the vendor and secure all endpoints by disabling unused API features. Additionally, implement strict input validation, deploy Web Application Firewalls (WAF), and enable multi-factor authentication (MFA) to reduce exploitability.
CVE-2025-66478 Vulnerability FAQs