Security researchers have disclosed two critical vulnerabilities affecting the popular web development frameworks React and Next.js. The flaws, identified as CVE-2025-55182 in React and CVE-2025-66478 in Next.js, were discovered by Unit 42 researcher Idan Tarab on May 22, 2024. These vulnerabilities expose servers to path traversal and unauthenticated remote code execution, respectively.
React Path Traversal Vulnerability: CVE-2025-55182
The first vulnerability, CVE-2025-55182, is a path traversal issue found within React Server Components. The root cause was identified as insufficient validation of server reference IDs, which allows an unauthenticated, remote attacker to craft malicious requests to traverse the file system and read arbitrary files from the server.
This flaw affects experimental versions of React 19, specifically from version 19.0.0-canary-18b34d38c-20240322 up to 19.0.0-rc-5103a39a-20240722. After the issue was reported to the React team, a patch was issued. The vulnerability is fixed in React version 19.0.0-rc-624294a8-20240724, which was released on July 24, 2024.
Next.js Remote Code Execution Flaw: CVE-2025-66478
The second vulnerability, CVE-2025-66478, is a critical unauthenticated Remote Code Execution (RCE) flaw in Next.js. This issue is a bypass of a previously patched vulnerability, CVE-2024-34351. The RCE is achievable by chaining a Server-Side Request Forgery (SSRF) with a deserialization vulnerability present in how Next.js handles server actions.
This vulnerability impacts Next.js versions from 14.1.1 through 14.2.3. The issue was reported to Vercel, the company behind Next.js, on May 22, 2024. Vercel released a patch to address the vulnerability in Next.js version 14.2.4 on July 18, 2024. Users are strongly advised to upgrade to this version or newer to mitigate the risk of RCE.
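To check a project against the affected ranges given above, the following added example (not code from Unit 42, React or Vercel) audits the parsed contents of a package-lock.json. It assumes the lockfileVersion 2/3 "packages" layout and that React 19 prereleases can be ordered by their trailing date stamp; the function names and the sample lockfile are constructed for illustration.

```javascript
// Affected ranges as stated in the article above.
const NEXT_FIRST = [14, 1, 1], NEXT_LAST = [14, 2, 3];  // fixed in 14.2.4
const REACT_FIRST = 20240322, REACT_LAST = 20240722;    // fixed build is dated 20240724

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns "affected", "ok", or "review" (version string is not a plain x.y.z release).
function checkNext(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  if (!m) return "review";
  const v = m.slice(1).map(Number);
  return cmp(v, NEXT_FIRST) >= 0 && cmp(v, NEXT_LAST) <= 0 ? "affected" : "ok";
}

// Assumption: 19.0.0 prereleases look like 19.0.0-<label>-<hash>-<YYYYMMDD>
// and are ordered by that date stamp, since the hash carries no ordering.
function checkReact(version) {
  const m = /^19\.0\.0-[a-z]+-[0-9a-f]+-(\d{8})$/.exec(version);
  if (!m) return "ok"; // not one of the experimental 19.0.0 builds the article names
  const d = Number(m[1]);
  return d >= REACT_FIRST && d <= REACT_LAST ? "affected" : "ok";
}

// Walks the "packages" map of a parsed package-lock.json, including nested
// copies such as node_modules/a/node_modules/next that a top-level check misses.
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    const check = name === "next" ? checkNext : name === "react" ? checkReact : null;
    if (!check || !meta.version) continue;
    const status = check(meta.version);
    if (status !== "ok") findings.push({ path, version: meta.version, status });
  }
  return findings;
}

// Constructed sample lockfile content, not taken from any real project.
const sampleLock = { packages: {
  "": { name: "demo" },
  "node_modules/next": { version: "14.2.3" },
  "node_modules/react": { version: "19.0.0-rc-624294a8-20240724" },
  "node_modules/cms/node_modules/next": { version: "14.2.0-canary.12" },
  "node_modules/cms/node_modules/react": { version: "19.0.0-canary-18b34d38c-20240322" },
}};
console.log(auditLock(sampleLock));
```

Entries reported as "review" carry a Next.js prerelease tag that the stated 14.1.1 to 14.2.3 range does not classify, so they need a manual decision.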
Source: https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-next/