Executive Summary
In December 2025, React maintainers and security researchers disclosed a critical vulnerability in the Server Components Flight protocol (tracked as CVE-2025-55182 in React Server Components, with CVE-2025-66478 assigned for its exposure through Next.js): request payloads sent to Server Action endpoints were deserialized unsafely, giving unauthenticated attackers remote code execution (RCE) on the server. Attackers used the flaw for credential harvesting, lateral movement, and persistent access across affected environments. Within days of disclosure, weaponized public exploit scripts proliferated on GitHub, compressing defenders' reaction times and raising the risk of widespread attacks on applications built on modern web stacks.
This incident highlights the persistent danger of insecure deserialization across software ecosystems: the same class of bug has recurred for more than a decade and across languages, from Java and .NET to PHP, Python and now JavaScript. As AI-augmented coding accelerates release cycles, the lessons of past serialization flaws remain vital to protect emerging cloud-native applications from rapidly evolving threats.
Why This Matters Now
Exploitation of deserialization flaws like CVE-2025-55182 is accelerating due to rapid public disclosure and automation. The time between vulnerability disclosure and active attacks is shrinking, leaving organizations with minimal response windows. Secure coding and advanced detection are urgently required as similar vulnerabilities are actively targeted across modern application stacks.
Attack Path Analysis
The adversary exploited the deserialization flaw in React Server Components (reached through Next.js) for initial compromise, gaining code execution inside the application's Node.js server process. From there they expanded their access by harvesting credentials from environment variables and querying the cloud instance metadata service for temporary credentials. With those credentials they moved laterally across cloud workloads and services, established a command-and-control channel to maintain persistence and orchestrate post-exploitation tasks, and exfiltrated sensitive data and credentials over covert or encoded channels. Finally, the attacker could disrupt operations or install persistence mechanisms, with potential business or operational impact.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited a publicly known deserialization flaw in the React Server Components Flight protocol, reachable through Next.js Server Action endpoints, by sending crafted POST requests. No authentication was required, and successful exploitation yields arbitrary code execution in the application's server process.
Related CVEs
CVE-2025-55182
CVSS 10.0 – A pre-authentication remote code execution vulnerability in React Server Components allows attackers to execute arbitrary code via unsafe deserialization of HTTP request payloads.
Affected Products:
Meta React Server Components – 19.0.0, 19.1.0, 19.1.1, 19.2.0
Meta react-server-dom-webpack – 19.0.0, 19.1.0, 19.1.1, 19.2.0
Meta react-server-dom-parcel – 19.0.0, 19.1.0, 19.1.1, 19.2.0
Meta react-server-dom-turbopack – 19.0.0, 19.1.0, 19.1.1, 19.2.0
Fixed in: 19.0.1, 19.1.2, 19.2.1
Exploit Status: exploited in the wild
CVE-2025-55184
CVSS 7.5 – A pre-authentication denial of service vulnerability in React Server Components allows attackers to cause an infinite loop, hanging the server process and preventing it from serving further HTTP requests.
Affected Products:
Meta React Server Components – 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1
Meta react-server-dom-webpack – 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1
Meta react-server-dom-parcel – 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1
Meta react-server-dom-turbopack – 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1
Fixed in: 19.0.2, 19.1.3, 19.2.2 (see CVE-2025-67779 below; the complete fix is a later release)
Exploit Status: proof of concept
CVE-2025-55183
CVSS 5.3 – A source code exposure vulnerability in React Server Components allows attackers to retrieve the compiled source of server functions, potentially revealing business logic and embedded secrets.
Affected Products:
Meta React Server Components – 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1
Meta react-server-dom-webpack – 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1
Meta react-server-dom-parcel – 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1
Meta react-server-dom-turbopack – 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1
Fixed in: 19.0.2, 19.1.3, 19.2.2
Exploit Status: proof of concept
CVE-2025-67779
CVSS 7.5 – An incomplete fix for CVE-2025-55184 in React Server Components still allows attackers to cause an infinite loop, hanging the server process and preventing it from serving further HTTP requests.
Affected Products:
Meta React Server Components – 19.0.2, 19.1.3, 19.2.2
Meta react-server-dom-webpack – 19.0.2, 19.1.3, 19.2.2
Meta react-server-dom-parcel – 19.0.2, 19.1.3, 19.2.2
Meta react-server-dom-turbopack – 19.0.2, 19.1.3, 19.2.2
Fixed in: 19.0.3, 19.1.4, 19.2.3
Exploit Status: proof of concept
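The first check a practitioner runs against the version lists above is a lockfile audit. The script below is an added example, not code from the page, React or Next.js: it reads the packages map of a package-lock.json (lockfileVersion 2 or 3), flags every installed copy of the react-server-dom-* packages that appears in the affected sets listed on this page, names the CVE and the patched release on the same 19.x line, and separately flags any 19.x release below the fully patched floor so that canary or otherwise unlisted builds are not silently passed. SAMPLE_LOCK is constructed for illustration; the patched releases are those the React advisory under Sources names.

```python
"""Audit a package-lock.json for react-server-dom-* releases affected by the four
React Server Components CVEs listed above.

Added example, not code from React, Next.js or the original page. Affected-version
sets are the ones given on this page; patched releases come from the React advisory
cited under Sources. SAMPLE_LOCK is constructed for illustration.
"""
from __future__ import annotations

# The bundler-specific packages that ship the Flight decoder.
RSC_PACKAGES = (
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
)

_DOS_AND_LEAK = {"19.0.0", "19.0.1", "19.1.0", "19.1.1", "19.1.2", "19.2.0", "19.2.1"}

# CVE -> affected releases (from this page) and the patched release on each 19.x line.
ADVISORIES = {
    "CVE-2025-55182": {"affected": {"19.0.0", "19.1.0", "19.1.1", "19.2.0"},
                       "fixed": ("19.0.1", "19.1.2", "19.2.1"),
                       "note": "pre-auth RCE, exploited in the wild"},
    "CVE-2025-55184": {"affected": _DOS_AND_LEAK,
                       "fixed": ("19.0.2", "19.1.3", "19.2.2"),
                       "note": "pre-auth DoS (infinite loop)"},
    "CVE-2025-55183": {"affected": _DOS_AND_LEAK,
                       "fixed": ("19.0.2", "19.1.3", "19.2.2"),
                       "note": "server function source exposure"},
    "CVE-2025-67779": {"affected": {"19.0.2", "19.1.3", "19.2.2"},
                       "fixed": ("19.0.3", "19.1.4", "19.2.3"),
                       "note": "incomplete fix for CVE-2025-55184"},
}

# Lowest release per 19.x line that carries every fix above (the CVE-2025-67779 releases).
PATCHED_FLOOR = {(19, 0): "19.0.3", (19, 1): "19.1.4", (19, 2): "19.2.3"}


def parse_version(version: str) -> tuple[int, int, int]:
    """'19.2.0-canary-abc' -> (19, 2, 0); the prerelease tag is dropped for comparison."""
    core = version.split("-", 1)[0]
    parts = [int(x) for x in core.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def installed_rsc_packages(lock: dict) -> list[tuple[str, str, str]]:
    """Every (name, version, path) for an RSC package in the lockfile's 'packages' map,
    including nested copies under another dependency's node_modules."""
    found = []
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if name in RSC_PACKAGES and "version" in meta:
            found.append((name, meta["version"], path))
    return found


def upgrade_target(version: str, fixed: tuple[str, ...]) -> str:
    """Patched release on the same minor line as `version`, else the newest patched release."""
    major, minor, _ = parse_version(version)
    for candidate in fixed:
        if parse_version(candidate)[:2] == (major, minor):
            return candidate
    return fixed[-1]


def patched_floor(version: str) -> str | None:
    """Floor release if `version` sits on a known 19.x line and below it, else None.
    Catches builds that are not in the exact sets above (e.g. canary releases)."""
    major, minor, patch = parse_version(version)
    floor = PATCHED_FLOOR.get((major, minor))
    if floor and (major, minor, patch) < parse_version(floor):
        return floor
    return None


def audit(lock: dict) -> list[dict]:
    """One finding per (installed RSC package, matching CVE)."""
    findings = []
    for name, version, path in installed_rsc_packages(lock):
        for cve, adv in ADVISORIES.items():
            if version in adv["affected"]:
                findings.append({"package": name, "version": version, "path": path,
                                 "cve": cve, "note": adv["note"],
                                 "upgrade_to": upgrade_target(version, adv["fixed"])})
    return findings


SAMPLE_LOCK = {  # constructed; mirrors the 'packages' map of a lockfileVersion 3 file
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/react-server-dom-turbopack": {"version": "19.2.2"},
        "node_modules/some-tool/node_modules/react-server-dom-parcel": {"version": "19.2.3"},
    },
}

if __name__ == "__main__":
    import json, sys
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for f in audit(lock):
        print(f"{f['cve']}: {f['package']}@{f['version']} ({f['note']}) -> upgrade to {f['upgrade_to']}")
    for name, version, _ in installed_rsc_packages(lock):
        floor = patched_floor(version)
        if floor:
            print(f"{name}@{version} is below the patched floor {floor}")
```

Run it as `python audit_rsc.py package-lock.json`; with no argument it audits the constructed sample. Nested copies matter: a transitive dependency can pin its own react-server-dom-* release underneath your patched top-level one, which is why the scan walks the whole packages map rather than the top-level dependencies only.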
MITRE ATT&CK® Techniques
Exploit Public-Facing Application (T1190)
Command and Scripting Interpreter (T1059)
Exploitation of Remote Services (T1210)
Data from Local System (T1005)
Unsecured Credentials: Credentials in Files (T1552.001)
Exfiltration Over C2 Channel (T1041)
Process Injection (T1055)
Event Triggered Execution (T1546)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security Vulnerabilities Management
Control ID: 6.2.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management - Vulnerability Management
Control ID: Art. 9(2)
CISA Zero Trust Maturity Model 2.0 – Application Security Testing
Control ID: Application Pillar: 3.5
NIS2 Directive – Supply Chain Security - Vulnerability Handling
Control ID: Art. 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
React/Next.js serialization vulnerabilities expose web applications to RCE attacks, requiring immediate patching and deserialization security reviews across development frameworks.
Financial Services
Serialization flaws threaten customer data and transaction systems, requiring zero-trust segmentation and encrypted traffic controls per compliance frameworks.
Health Care / Life Sciences
Patient data at risk from deserialization attacks on web applications, demanding HIPAA-compliant encryption and anomaly detection capabilities.
Information Technology/IT
IT infrastructure is exposed to lateral movement once a serialization exploit lands on a web-facing workload, so Kubernetes workload hardening and multicloud visibility controls should be prioritized.
Sources
- The Bug That Won't Die: 10 Years of the Same Mistake – https://www.recordedfuture.com/blog/the-bug-that-wont-die
- CVE-2025-55182 Detail (NVD) – https://nvd.nist.gov/vuln/detail/CVE-2025-55182
- Critical Security Vulnerability in React Server Components (React blog, 3 December 2025) – https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- Security Advisory: CVE-2025-66478 (Next.js) – https://nextjs.org/blog/CVE-2025-66478
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, threat detection, east-west controls, and egress policy enforcement—central CNSF capabilities—would have constrained the deserialization exploit, throttled lateral movement, detected post-compromise anomalies, and restricted both C2 and exfiltration channels to limit incident blast radius.
Control: Threat Detection & Anomaly Response
Mitigation: Rapid detection of malicious or anomalous POST requests targeting application endpoints.
Control: Zero Trust Segmentation
Mitigation: Isolation of workload-to-metadata and workload-to-workload communications by default.
Control: East-West Traffic Security
Mitigation: Prevents unauthorized internal traffic between workloads.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks unauthorized outbound connections or C2 communications.
Control: Cloud Firewall (ACF)
Mitigation: Detection and prevention of unauthorized data egress to malicious or unknown destinations.
Rapid detection and containment of attacker-induced changes or damage.
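The two detections the controls above describe, Threat Detection (anomalous POST requests to application endpoints) and Zero Trust Segmentation (workload-to-metadata and workload-to-workload isolation), can be expressed concretely as rules over an access log and a flow log. The script below is an added example, not code from the page, from Next.js or from any CNSF product. It assumes the access log is JSON lines in which the proxy copied the request's Next-Action header into a "next_action" field, and it assumes an allowlist, KNOWN_ACTIONS, of the Server Action IDs your own build exports (Next.js writes these to a server-reference manifest at build time; the set here is constructed). All log records and the EGRESS_ALLOW table are constructed for illustration.

```python
"""Two detections for the post-compromise signals named above: Server Action POSTs
that reference an action ID the build does not export, and web-tier flows to the
cloud metadata service or to destinations outside the tier's egress allowlist.

Added example; not code from the page, from Next.js, or from any CNSF product.
KNOWN_ACTIONS, EGRESS_ALLOW and both logs are constructed. The action allowlist
must come from the deployed build, never from observed traffic.
"""
import json
from collections import Counter
from ipaddress import ip_address, ip_network

# Link-local instance metadata address used by the major cloud providers.
IMDS = ip_network("169.254.169.254/32")

# Constructed: action IDs exported by this build (hypothetical values).
KNOWN_ACTIONS = {"4e7a1c0ffee2b7d9", "b0c1d2e3f4a5b6c7"}

# Constructed: the web tier may only talk to the API tier on 10.0.20.0/24.
EGRESS_ALLOW = {"web": [ip_network("10.0.20.0/24")]}

# Constructed access log: one JSON record per request, Next-Action header copied to "next_action".
ACCESS_LOG = """
{"ts":"2025-12-04T10:00:01Z","src":"203.0.113.7","method":"POST","path":"/dashboard","next_action":"4e7a1c0ffee2b7d9","status":200}
{"ts":"2025-12-04T10:00:02Z","src":"203.0.113.7","method":"GET","path":"/dashboard","status":200}
{"ts":"2025-12-04T10:00:05Z","src":"198.51.100.9","method":"POST","path":"/","next_action":"0000000000000000","status":500}
{"ts":"2025-12-04T10:00:05Z","src":"198.51.100.9","method":"POST","path":"/","next_action":"ffffffffffffffff","status":500}
{"ts":"2025-12-04T10:00:06Z","src":"198.51.100.9","method":"POST","path":"/login","next_action":"deadbeefdeadbeef","status":500}
{"ts":"2025-12-04T10:01:10Z","src":"192.0.2.44","method":"POST","path":"/","next_action":"b0c1d2e3f4a5b6c8","status":500}
"""

# Constructed flow log for the "web" workload.
FLOW_LOG = """
{"ts":"2025-12-04T10:00:01Z","src_workload":"web","dst":"10.0.20.15","dst_port":8080}
{"ts":"2025-12-04T10:00:07Z","src_workload":"web","dst":"169.254.169.254","dst_port":80}
{"ts":"2025-12-04T10:00:09Z","src_workload":"web","dst":"198.51.100.200","dst_port":443}
{"ts":"2025-12-04T10:00:12Z","src_workload":"web","dst":"10.0.20.15","dst_port":8080}
"""


def parse_jsonl(text: str):
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def unknown_action_posts(log: str, known: set, threshold: int = 1) -> dict:
    """{src: count} for sources that sent at least `threshold` Server Action requests whose
    Next-Action header names an action this build does not export. The Flight payload is
    decoded before the action ID is looked up (which is why the flaw is pre-auth), so
    exploit traffic need not name a real action; the usual benign cause is a client holding
    stale IDs across a deploy, hence the threshold and a per-deploy refresh of `known`."""
    per_src = Counter()
    for rec in parse_jsonl(log):
        action = rec.get("next_action")
        if action is not None and action not in known:
            per_src[rec["src"]] += 1
    return {src: n for src, n in per_src.items() if n >= threshold}


def anomalous_egress(log: str, allow: dict) -> list[tuple[str, str, str]]:
    """(workload, destination, reason) for every flow that reaches the metadata service or
    leaves the workload's allowlist. Workload-to-metadata is denied by default under the
    segmentation control above, and 169.254.169.254 is where a compromised server process
    goes to obtain temporary cloud credentials, so any hit is a finding."""
    findings = []
    for rec in parse_jsonl(log):
        dst = ip_address(rec["dst"])
        workload = rec["src_workload"]
        if dst in IMDS:
            findings.append((workload, rec["dst"], "instance metadata service"))
        elif not any(dst in net for net in allow.get(workload, [])):
            findings.append((workload, rec["dst"], "outside egress allowlist"))
    return findings


if __name__ == "__main__":
    for src, n in unknown_action_posts(ACCESS_LOG, KNOWN_ACTIONS, threshold=2).items():
        print(f"ALERT unknown Server Action IDs: {src} sent {n} such requests")
    for workload, dst, reason in anomalous_egress(FLOW_LOG, EGRESS_ALLOW):
        print(f"ALERT egress from {workload} to {dst}: {reason}")
```

On the constructed data the first rule flags 198.51.100.9 (three requests naming actions the build never exported) and leaves 203.0.113.7 alone, while the flow rule flags the metadata lookup and the connection to 198.51.100.200. The allowlist approach is deliberately simple: it does not try to recognise a malicious Flight payload, which changes with every public exploit variant, but relies on an invariant of the deployed build.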
Impact at a Glance
Affected Business Functions
- Web Application Services
- User Authentication
- Data Processing
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive user data and proprietary business logic due to source code leakage.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust segmentation and explicit workload-to-workload policies to prevent lateral movement from web-exposed services.
- Implement anomaly detection and continuous monitoring for anomalous API, POST, or serialization activity at cloud ingress points.
- Rigorously apply egress policy and cloud firewall controls to block unauthorized outbound channels, including potential C2 or exfiltration flows.
- Deploy microsegmentation and least-privilege access controls for cloud and container workloads to reduce blast radius post-compromise.
- Maintain centralized, real-time visibility across multicloud/application environments to accelerate detection and response to emerging exploits.