
CVE-2025-55184 and CVE-2025-55183: Critical Next.js Security Vulnerabilities You Must Fix Now
In December 2025, the React and Next.js communities faced multiple critical security vulnerabilities affecting React Server Components (RSC) and Next.js applications. Among these, CVE-2025-55184 (denial of service) and CVE-2025-55183 (source code exposure) pose severe risks to Next.js App Router applications running on React 19.
If your application uses Next.js with the App Router and React Server Components, immediate action is required. This comprehensive security guide provides everything you need to understand, detect, and remediate these vulnerabilities.
Quick Action Required
🚨 Check Your Application Now: Use our Free Next.js RCE Scanner to instantly check if your application is vulnerable to CVE-2025-55182, CVE-2025-55184, and CVE-2025-55183.
🛡️ Need Expert Help? Get a Free Penetration Test from our certified security professionals to comprehensively assess your application's security posture.
Understanding the Threat Landscape
React Server Components introduced a powerful new paradigm for building web applications, but with that power comes new attack surfaces. The vulnerabilities disclosed in December 2025 exploit weaknesses in how Next.js deserializes and processes React Server Component payloads.
Key Facts You Need to Know
- CVE-2025-55184 (High Severity): Allows attackers to crash Next.js servers through malicious HTTP requests
- CVE-2025-55183 (Medium Severity): Enables extraction of compiled Server Action source code
- Affected Framework: Next.js 13.3 through 16.0 with the App Router; the 13.3 to 14.2 lines are exposed to the DoS only, the source-code exposure needs the React 19 based 15.x/16.x lines (Pages Router is NOT affected)
- Attack Complexity: Low—attackers need only craft specific HTTP requests
- Authentication Required: None—these are unauthenticated attacks
- Fix Availability: Patches available for all affected versions
- Workarounds: None—upgrading is mandatory
CVE-2025-55184: Denial of Service Vulnerability
What Is CVE-2025-55184?
CVE-2025-55184 is a high-severity denial of service (DoS) vulnerability in Next.js that affects applications using the App Router with React Server Components. This vulnerability allows attackers to send specially crafted HTTP requests that cause the server process to hang indefinitely, consuming CPU resources and preventing legitimate users from accessing the application.
Technical Details
Attack Vector:
When a malicious HTTP request is sent to any App Router endpoint, the deserialization process can be exploited to trigger an infinite loop. This occurs during the processing of React Server Component payloads, where improper validation allows malformed data structures to cause the server to enter an unrecoverable state.
Attack Characteristics:
- No Authentication Required: Attackers can send malicious requests without any credentials
- Any App Router Endpoint: All endpoints using React Server Components are vulnerable
- Resource Exhaustion: The server process hangs and consumes CPU indefinitely
- Service Disruption: Prevents all future HTTP requests from being processed
- Easy Exploitation: Requires only basic HTTP request crafting skills
Impact on Production Systems:
- Complete Service Outage: Legitimate users cannot access the application
- Revenue Loss: E-commerce and SaaS applications lose customer transactions
- Reputation Damage: User trust erodes when services are unavailable
- Operational Burden: DevOps teams must constantly restart crashed servers
- Resource Costs: Wasted compute resources from hung processes
Real-World Attack Scenario
Imagine an e-commerce platform running Next.js 15.4.0. An attacker notices the site uses the App Router and sends a request shaped like a Server Action call, that is a POST to a page route carrying a Next-Action header (Route Handlers under /api do not go through the RSC deserializer), with a crafted body:
POST /products HTTP/1.1
Host: example.com
Next-Action: <server action id>
Content-Type: text/plain;charset=UTF-8
[Crafted malicious RSC payload]
Within seconds, the server process enters an infinite loop. The CPU usage spikes to 100%, and the server stops responding to all requests. Customers see timeout errors, abandoned shopping carts accumulate, and revenue is lost until the DevOps team restarts the server—only for the attack to repeat.
Important Update: CVE-2025-67779
Critical: The initial fix for CVE-2025-55184 was incomplete. A complete fix was later issued under CVE-2025-67779. Organizations that upgraded to address CVE-2025-55184 must upgrade again to ensure complete protection against this denial of service attack.
Affected Versions
| Next.js Version Range | Status | Fixed In |
|---|---|---|
| 13.3.x to 14.1.x | Affected (DoS only) | 14.2.35 |
| 14.2.x to 14.2.34 | Affected (DoS only) | 14.2.35 |
| 15.0.x to 15.0.6 | Affected | 15.0.7 |
| 15.1.x to 15.1.10 | Affected | 15.1.11 |
| 15.2.x to 15.2.7 | Affected | 15.2.8 |
| 15.3.x to 15.3.7 | Affected | 15.3.8 |
| 15.4.x to 15.4.9 | Affected | 15.4.10 |
| 15.5.x to 15.5.8 | Affected | 15.5.9 |
| 16.0.x to 16.0.9 | Affected | 16.0.10 |
| Canary releases | Affected | 15.6.0-canary.60, 16.1.0-canary.19 |
Important: Pages Router applications are NOT affected, but upgrading is still recommended for security best practices.
How to Fix CVE-2025-55184
Upgrade to the following patched versions for complete protection (including CVE-2025-67779 fix):
# For Next.js 14.x
npm install next@14.2.35
# For Next.js 15.0.x
npm install next@15.0.7
# For Next.js 15.1.x
npm install next@15.1.11
# For Next.js 15.2.x
npm install next@15.2.8
# For Next.js 15.3.x
npm install next@15.3.8
# For Next.js 15.4.x
npm install next@15.4.10
# For Next.js 15.5.x
npm install next@15.5.9
# For Next.js 16.0.x
npm install next@16.0.10
# For canary users
npm install next@15.6.0-canary.60 # for 15.x canary
npm install next@16.1.0-canary.19 # for 16.x canary
Automated Fix Tool:
npx fix-react2shell-next
This interactive tool checks your current version and performs deterministic version bumps. See the fix-react2shell-next repository for details.
Detection and Monitoring
Log Analysis:
Look for unusual patterns in your server logs. Next.js writes no access log of its own, so these commands assume a reverse proxy (nginx here) in front of it; adjust the path to wherever yours logs:
# Count upstream timeouts (504) and client aborts (499), the visible symptom of a hung worker
grep -E '" (499|502|504) ' /var/log/nginx/access.log | wc -l
# Watch CPU of the Next.js processes (pgrep -d, joins the PIDs with commas, which is what top -p expects)
top -p "$(pgrep -d, -f 'next')"
# Server Action and RSC requests are POSTs to page routes: count POSTs per source address
grep '"POST ' /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -rn | head
Metrics to Monitor:
- CPU usage spikes to 100%
- Response time increases dramatically
- Request queue backlog growing
- Server process restarts
- Health check failures
Web Application Firewall (WAF) Rules:
If you're hosted on Vercel, WAF rules were automatically deployed to protect your applications at no additional cost. For self-hosted applications, consider implementing:
- Rate limiting on App Router endpoints
- Request size limits
- Suspicious payload detection
- Anomaly-based monitoring
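As an added example that is not part of the original article: the greps above are ad hoc, so here is the same triage as a script run over a reverse-proxy access log. That log is where a hung Next.js worker shows up, because the Next.js process never finishes the request and the proxy records a 504 upstream timeout, a 499 client abort or a very long request time instead. The script assumes nginx in front of Next.js with `$request_time` appended to the combined log format; the log lines, addresses and thresholds are constructed for the example.

```javascript
// Added example (not from the original article). Assumes an nginx log format that
// appends $request_time to the combined format, e.g.
//   log_format timed '$remote_addr - $remote_user [$time_local] "$request" '
//                    '$status $body_bytes_sent "$http_referer" "$http_user_agent" $request_time';
const LINE_RE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+) "[^"]*" "[^"]*" ([\d.]+)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    ip: m[1], time: m[2], method: m[3], path: m[4],
    status: Number(m[5]), bytes: Number(m[6]), seconds: Number(m[7]),
  };
}

// Server Action and RSC requests are POSTs to page routes, so a POST the proxy gave up on
// (504 upstream timeout, 502, or 499 client abort) or one that ran longer than `slowSeconds`
// is the footprint of a worker stuck in the deserializer.
function isSuspicious(rec, slowSeconds) {
  if (rec.method !== 'POST') return false;
  if (rec.path.startsWith('/_next/static/')) return false; // static assets never reach RSC code
  return [499, 502, 504].includes(rec.status) || rec.seconds >= slowSeconds;
}

// Group suspicious POSTs by source address and report the sources at or above `threshold`.
function summarize(lines, { slowSeconds = 30, threshold = 3 } = {}) {
  const perIp = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || !isSuspicious(rec, slowSeconds)) continue;
    const e = perIp.get(rec.ip) ?? { count: 0, paths: new Set(), statuses: new Set() };
    e.count += 1;
    e.paths.add(rec.path);
    e.statuses.add(rec.status);
    perIp.set(rec.ip, e);
  }
  return [...perIp]
    .filter(([, e]) => e.count >= threshold)
    .sort((a, b) => b[1].count - a[1].count)
    .map(([ip, e]) => ({ ip, count: e.count, paths: [...e.paths], statuses: [...e.statuses] }));
}

// Constructed sample: one source hammering page routes with POSTs that time out,
// one normal visitor, and one timeout on a static path that must be ignored.
const SAMPLE_LOG = [
  '203.0.113.7 - - [11/Dec/2025:14:02:11 +0000] "POST /products HTTP/1.1" 504 0 "-" "curl/8.4.0" 60.001',
  '203.0.113.7 - - [11/Dec/2025:14:03:15 +0000] "POST /products HTTP/1.1" 504 0 "-" "curl/8.4.0" 60.002',
  '203.0.113.7 - - [11/Dec/2025:14:04:20 +0000] "POST /checkout HTTP/1.1" 499 0 "-" "curl/8.4.0" 45.310',
  '198.51.100.4 - - [11/Dec/2025:14:02:30 +0000] "GET /products HTTP/1.1" 200 18422 "-" "Mozilla/5.0" 0.212',
  '198.51.100.4 - - [11/Dec/2025:14:02:31 +0000] "POST /cart HTTP/1.1" 200 512 "https://example.com/products" "Mozilla/5.0" 0.088',
  '198.51.100.9 - - [11/Dec/2025:14:05:00 +0000] "POST /_next/static/chunks/main.js HTTP/1.1" 504 0 "-" "curl/8.4.0" 60.000',
];

// Usage: node rsc-dos-triage.js /var/log/nginx/access.log   (no argument: runs on the sample)
if (typeof require !== 'undefined' && require.main === module) {
  const lines = process.argv[2]
    ? require('fs').readFileSync(process.argv[2], 'utf8').split('\n')
    : SAMPLE_LOG;
  console.log(JSON.stringify(summarize(lines), null, 2));
}
```

On the sample the only flagged source is 203.0.113.7 with three timed-out POSTs; the static-chunk timeout from 198.51.100.9 is ignored because nothing under /_next/static/ reaches the RSC code. Feed a source that the report flags into your proxy's block list, then confirm the Next.js processes were actually restarted, because a hung worker stays hung after the attacker stops.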
CVE-2025-55183: Source Code Exposure Vulnerability
What Is CVE-2025-55183?
CVE-2025-55183 is a medium-severity information disclosure vulnerability in Next.js that allows attackers to extract the compiled source code of Server Actions through specially crafted HTTP requests. While less critical than CVE-2025-55184, this vulnerability can reveal sensitive business logic and potentially expose security weaknesses in your application.
Technical Details
Attack Vector:
When processing certain malformed HTTP requests, Next.js Server Functions can inadvertently return their own compiled source code instead of the expected response. This occurs due to improper handling of specific request patterns that trigger an error condition in the Server Action serialization logic.
What Gets Exposed:
The compiled source code reveals:
- Business Logic: Proprietary algorithms and application workflows
- API Endpoints: Internal API routes and their parameters
- Data Structures: Object schemas and database query patterns
- Validation Rules: Input validation and sanitization logic
- Third-Party Integrations: External service endpoints and integration patterns
- Hardcoded Secrets (if present): API keys, tokens, or credentials embedded in code
Important: Environment variables are NOT exposed through this vulnerability—only code that developers have written directly into Server Actions.
Risk Assessment
Medium Severity, High Impact:
While CVE-2025-55183 is rated as medium severity, the real-world impact depends on your codebase:
Low Risk:
- Server Actions only perform CRUD operations
- No hardcoded credentials
- Business logic is generic
- External APIs use environment variables
High Risk:
- Proprietary algorithms implemented in Server Actions
- Hardcoded API keys or secrets (bad practice but it happens)
- Complex business logic that provides competitive advantage
- Security validation logic that could be circumvented
Real-World Attack Scenario
A financial technology application uses Server Actions to calculate loan interest rates using a proprietary algorithm. An attacker discovers this vulnerability and sends a request to the page that hosts the action (Server Actions are invoked by POSTing to the page route with a Next-Action header; /_next/data is a Pages Router path and is not involved):
POST /loans/apply HTTP/1.1
Host: fintech-app.com
Next-Action: <server action id>
Content-Type: text/plain;charset=UTF-8
[Crafted malicious payload]
The server responds with the compiled source code:
// Compiled Server Action source exposed
async function calculateInterestRate(creditScore, loanAmount, term) {
// Proprietary algorithm revealed
const baseRate = 0.035;
const riskFactor = (850 - creditScore) / 1000;
const amountFactor = Math.log(loanAmount) / 15;
return baseRate + riskFactor + amountFactor;
}
Now the attacker understands the exact algorithm used for rate calculations, potentially enabling them to game the system or build a competing product using the same logic.
Affected Versions
CVE-2025-55183 affects only the React 19 based lines. Unlike the DoS, it does not reach the 13.3 to 14.2 range, which the table above marks as DoS only:
- Next.js 15.0.x through 15.5.x
- Next.js 16.0.x
- Canary releases
How to Fix CVE-2025-55183
The same version upgrades that fix CVE-2025-55184 also address CVE-2025-55183. Follow the upgrade instructions in the previous section.
Additional Security Recommendations
1. Never Hardcode Secrets:
// ❌ BAD: Hardcoded secret in Server Action
"use server";
async function fetchUserData(userId) {
const apiKey = "sk_live_abc123xyz"; // NEVER DO THIS
// ...
}
// ✅ GOOD: Use environment variables
"use server";
async function fetchUserData(userId) {
const apiKey = process.env.API_KEY;
// ...
}
2. Audit Your Codebase:
Use tools like git-secrets or TruffleHog to scan for accidentally committed secrets:
# Install TruffleHog v3 (a Go binary; the old pip package is v2 and lacks the "filesystem" subcommand)
brew install trufflehog
# Scan the git history for verified live credentials, then the working tree
trufflehog git file://. --only-verified
trufflehog filesystem . --json
# Install git-secrets and register the AWS patterns before scanning (without them it finds nothing)
brew install git-secrets
git secrets --register-aws
git secrets --scan
3. Assume Source Code is Public:
Adopt the mindset that your source code could be exposed at any time:
- Use environment variables for all sensitive configuration
- Implement security through proper authentication and authorization, not obscurity
- Encrypt sensitive data at rest and in transit
- Use API gateways and rate limiting for external integrations
4. Review What Was Potentially Exposed:
If you suspect your application was vulnerable during the disclosure period:
- Inventory all Server Actions in your codebase
- Review each action for hardcoded secrets or sensitive logic
- Rotate any credentials that may have been exposed
- Consider whether disclosed algorithms pose a competitive risk
- Implement additional security controls if business logic was revealed
Related Vulnerability: CVE-2025-55182 (React2Shell)
The Context You Need
While this blog focuses on CVE-2025-55184 and CVE-2025-55183, it's important to understand the broader security landscape. CVE-2025-55182, nicknamed "React2Shell," is a critical remote code execution (RCE) vulnerability affecting React Server Components.
Why React2Shell Matters
CVE-2025-55182 is the most severe of the December 2025 React vulnerabilities, with a CVSS score of 10.0 (maximum severity). Unlike the DoS and source code exposure vulnerabilities, React2Shell allows attackers to execute arbitrary code on the server, leading to complete system compromise.
Key Facts:
- Severity: Critical (CVSS 10.0)
- Attack Vector: Unauthenticated remote code execution via crafted RSC payloads
- Affected: React Server Components packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) 19.0.0 through 19.2.0; fixed in 19.0.1, 19.1.2 and 19.2.1
- Exploitation: Active exploitation observed in the wild since December 5, 2025
- Impact: Full server compromise, credential theft, malware deployment
CVE-2025-66478: The Next.js Variant
CVE-2025-66478 was initially assigned to track the downstream impact of React2Shell on Next.js applications. However, it has since been rejected as a duplicate of CVE-2025-55182, as both vulnerabilities stem from the same underlying flaw in React's RSC implementation.
Are You Affected by React2Shell?
Next.js Affected Versions:
- All Next.js 15.x versions
- All Next.js 16.x versions
- Next.js 14.3.0-canary.77 and later canary releases
NOT Affected:
- Next.js 13.x stable
- Next.js 14.x stable (except canary builds 14.3.0-canary.77+)
- Pages Router applications
- Edge Runtime deployments
How to Protect Against React2Shell
If your application is vulnerable to CVE-2025-55182, upgrade immediately:
# Upgrade to the current patched release for your line; these versions carry the
# React2Shell fix as well as the later CVE-2025-55184, CVE-2025-55183 and CVE-2025-67779 fixes
npm install next@15.0.7   # for 15.0.x
npm install next@15.1.11  # for 15.1.x
npm install next@15.2.8   # for 15.2.x
npm install next@15.3.8   # for 15.3.x
npm install next@15.4.10  # for 15.4.x
npm install next@15.5.9   # for 15.5.x
npm install next@16.0.10  # for 16.0.x
# Canary users
npm install next@15.6.0-canary.60  # for 15.x canary
npm install next@16.1.0-canary.19  # for 16.x canary
Critical: If your application was online and unpatched as of December 4, 2025 at 1:00 PM PT, you must:
- Upgrade immediately to a patched version
- Rotate all secrets (database credentials, API keys, tokens, certificates)
- Scan for indicators of compromise (cryptominers, backdoors, unauthorized access)
- Review logs for suspicious activity during the exposure window
For more information on React2Shell, see the official Next.js Security Advisory and React Blog Post.
⚡ Quick Vulnerability Check: Concerned about CVE-2025-55182 (React2Shell)? Use our Free Next.js RCE Scanner to check your application in seconds. Our scanner detects all three vulnerabilities: CVE-2025-55182, CVE-2025-55184, and CVE-2025-55183.
Who Is Affected?
Application Types at Risk
Affected Applications:
- Next.js 13.3 through 14.2.34 with the App Router: CVE-2025-55184 (DoS) only
- Next.js 15.x and 16.0.x with the App Router: CVE-2025-55184, CVE-2025-55183 and CVE-2025-55182
- Applications using Server Actions or React Server Components in production
- Canary releases, including 14.3.0-canary.77 and later for CVE-2025-55182
NOT Affected:
- Next.js Pages Router applications
- Next.js 13.x and 14.x projects that do not use the App Router
- Client-side React applications
- Fully static (SSG only) sites with no Server Actions and no dynamic App Router routes
Industry Impact
According to research by Wiz, 39% of cloud environments contain vulnerable instances, with 44% of all cloud environments hosting publicly exposed Next.js applications.
High-Risk Industries:
- E-commerce: Service disruption impacts revenue directly
- Financial Services: Source code exposure could reveal sensitive algorithms
- SaaS Platforms: Multi-tenant applications amplify impact
- Healthcare: HIPAA compliance requires immediate patching
- Government: Critical infrastructure must maintain availability
Framework Ecosystem Impact
Beyond Next.js, other frameworks using React Server Components are also affected:
- Vite RSC
- Parcel RSC
- React Router RSC
- RedwoodSDK
- Waku
Check with your framework's security advisories for specific patching guidance.
Step-by-Step Remediation Guide
Phase 1: Assessment (15 minutes)
1. Check Your Next.js Version:
npm list next
Compare your installed version against the affected versions listed above.
2. Check Your React Version:
npm list react react-dom
If you're on React 19.x, you may also be affected by CVE-2025-55182 (React2Shell).
3. Identify App Router Usage:
# Check for an app directory (either location is valid)
ls -d app src/app 2>/dev/null
# Find every file that declares Server Actions; they can live outside app/, e.g. in lib/ or actions/
grep -rlE --include='*.ts' --include='*.tsx' --include='*.js' --include='*.jsx' \
  --exclude-dir=node_modules --exclude-dir=.next "['\"]use server['\"]" .
4. Prioritize Based on Exposure:
- Critical: Public-facing applications with App Router
- High: Internal applications with sensitive data
- Medium: Development/staging environments
- Low: Applications using only Pages Router
Phase 2: Upgrade (30 minutes)
1. Backup Your Project:
# Commit all changes
git add .
git commit -m "Pre-security-patch backup"
# Create a backup branch
git checkout -b backup-before-security-patch
git checkout main
2. Update Next.js (Automated Method):
npx fix-react2shell-next
This tool will:
- Detect your current Next.js version
- Recommend the appropriate patched version
- Update package.json
- Run npm install
- Verify the installation
3. Update Next.js (Manual Method):
# Determine your current major.minor version
npm list next
# Install the appropriate patch
npm install next@15.0.7 # example for 15.0.x; use the patched version for your own line
# Update package-lock.json
npm install
# Verify the update
npm list next
4. Test Your Application:
# Run in development mode
npm run dev
# Check for console errors
# Test critical user flows
# Verify Server Actions work correctly
# Run automated tests if available
npm test
# Build for production
npm run build
# Test production build locally
npm start
Phase 3: Deployment (varies by platform)
For Vercel:
git add package.json package-lock.json
git commit -m "Security patch: CVE-2025-55184, CVE-2025-55183"
git push origin main
Vercel will automatically build and deploy. Monitor the deployment logs for any issues.
For Self-Hosted (Docker):
# Rebuild Docker image
docker build -t myapp:latest .
# Stop old container
docker stop myapp
# Start new container
docker run -d --name myapp -p 3000:3000 myapp:latest
# Verify deployment
curl http://localhost:3000/api/health
For Kubernetes:
# Build and push new image
docker build -t registry.example.com/myapp:v1.2.3 .
docker push registry.example.com/myapp:v1.2.3
# Update deployment
kubectl set image deployment/myapp myapp=registry.example.com/myapp:v1.2.3
# Monitor rollout
kubectl rollout status deployment/myapp
# Verify pods are healthy
kubectl get pods -l app=myapp
Phase 4: Verification (15 minutes)
1. Verify Deployment:
# Check the Next.js version actually running in production. Do this on the host or in the
# container; the client-side bundles do not reliably embed the version string.
docker exec myapp node -p "require('next/package.json').version"
# Same check on Kubernetes
kubectl exec deployment/myapp -- node -p "require('next/package.json').version"
# Verify the server is responding
curl -I https://yourapp.com
# Exercise a page that uses a Server Action through the browser or your end-to-end tests;
# a bare curl POST without the Next-Action header never reaches the action code path
2. Monitor for Issues:
- Check error tracking (Sentry, GlitchTip, etc.)
- Review server logs for anomalies
- Monitor performance metrics
- Verify all critical user flows work
3. Document the Patch:
Create an incident report documenting:
- Vulnerability disclosure date
- Assessment timeline
- Patch deployment time
- Any issues encountered
- Lessons learned
Phase 5: Security Hardening (ongoing)
1. Continuous Vulnerability Monitoring:
Recommended: Use Cyber AR's Free Scanner
Set up continuous monitoring with our Free Next.js RCE Scanner:
- Automated daily scans
- Instant notifications for new vulnerabilities
- Zero configuration required
- No credit card needed
Additional Tools:
# Use npm audit for dependency scanning
npm audit
# Enable Dependabot on GitHub for automatic dependency updates
# Configure in GitHub repository settings
# Optional: Snyk for additional coverage
npx snyk test
2. Professional Security Assessment:
Consider getting a Free Penetration Test from Cyber AR to:
- Identify vulnerabilities beyond CVE scanners
- Test your application's complete security posture
- Receive expert remediation guidance
- Validate your security controls
3. Implement WAF Rules:
If self-hosting, consider implementing WAF rules to detect and block malicious RSC payloads:
- Rate limiting on App Router endpoints
- Request size limits (e.g., 1MB max)
- Suspicious header detection
- Anomaly-based traffic analysis
4. Subscribe to Security Advisories:
- Next.js Blog (security tag)
- Vercel Security Bulletins
- React Security Advisories
- GitHub Watch notifications for the Next.js repository
- CVE mailing lists
How to Detect If You're Vulnerable
Manual Verification
1. Check Package Version:
# Version range declared in package.json
grep '"next"' package.json
# Installed version (what actually runs)
npm list next
# Resolved version in the lock file (lockfile v2/v3 entry)
grep -A1 '"node_modules/next"' package-lock.json
2. Check for App Router Usage:
# Check if app directory exists
ls -la app/
# Count Server Actions
grep -r "use server" app/ | wc -l
# List all Server Action files
grep -rl "use server" app/
3. Test for Vulnerability (Safely):
Do NOT perform this test on production systems without authorization.
There is no benign request this guide can give you that proves a server is or is not vulnerable, and a Route Handler that echoes JSON (like the one below) never touches the RSC deserializer where these bugs live, so it tells you nothing about CVE-2025-55184 or CVE-2025-55183. Treat the installed version, checked above, as the authoritative test. If you want a development-only endpoint to confirm the dev server still answers after the upgrade, keep it to something like this:
// app/api/test-vulnerability/route.ts (development only; does not exercise the vulnerable code path)
import { NextRequest, NextResponse } from 'next/server';
export async function POST(request: NextRequest) {
const body = await request.json();
return NextResponse.json({ received: body });
}
The code path that matters is a Server Action request, a POST to a page route carrying a Next-Action header; exercise it through your normal UI or end-to-end tests after upgrading, not with hand-crafted payloads.
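As an added example, not code from the original article or from the Next.js project: since the installed version is the authoritative check, here is that comparison as a script, with the affected-version table from this article encoded in it. The status names, the handling of canary builds outside the two listed canary lines, and the treatment of stable lines newer than the table are this example's own assumptions.

```javascript
// Added example (not from the original article). Classifies a Next.js version against the
// fixed versions in the advisory table above; those versions also carry the CVE-2025-67779 fix.
const FIXED_STABLE = {
  '14.2': '14.2.35',
  '15.0': '15.0.7', '15.1': '15.1.11', '15.2': '15.2.8', '15.3': '15.3.8',
  '15.4': '15.4.10', '15.5': '15.5.9',
  '16.0': '16.0.10',
};
// Canary lines are fixed from a specific canary number onwards.
const FIXED_CANARY = { '15.6.0': 60, '16.1.0': 19 };

function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?$/.exec(String(text).trim());
  if (!m) return null;
  return {
    major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]),
    canary: m[4] === undefined ? null : Number(m[4]),
  };
}

// Returns { status, reason, upgradeTo? } with status one of
// 'patched' | 'vulnerable' | 'unaffected' | 'newer-than-advisory' | 'unknown'.
function classify(version) {
  const v = parseVersion(version);
  if (!v) return { status: 'unknown', reason: `cannot parse "${version}"` };
  const base = `${v.major}.${v.minor}.${v.patch}`;

  if (v.canary !== null) {
    const fixedAt = FIXED_CANARY[base];
    if (fixedAt === undefined) {
      // The advisory treats canary releases as affected; only two canary lines have a listed fix.
      return {
        status: 'vulnerable',
        upgradeTo: '15.6.0-canary.60, 16.1.0-canary.19, or a patched stable release',
        reason: `${base} canaries have no listed fixed build`,
      };
    }
    return v.canary >= fixedAt
      ? { status: 'patched', reason: `${version} is at or past ${base}-canary.${fixedAt}` }
      : { status: 'vulnerable', upgradeTo: `${base}-canary.${fixedAt}`, reason: `${version} predates the fixed canary` };
  }
  if (v.major < 13 || (v.major === 13 && v.minor < 3)) {
    return { status: 'unaffected', reason: 'below 13.3, outside the affected range in the table' };
  }
  if (v.major === 13 || (v.major === 14 && v.minor < 2)) {
    return { status: 'vulnerable', upgradeTo: '14.2.35', reason: '13.3.x to 14.1.x are affected (DoS only); the fix is in 14.2.35' };
  }
  const line = `${v.major}.${v.minor}`;
  const fixed = FIXED_STABLE[line];
  if (fixed === undefined) {
    // Assumption: a stable line not in the table (e.g. 16.1.x) was cut after the fixes.
    // Confirm against the current advisory rather than trusting this branch blindly.
    return { status: 'newer-than-advisory', reason: `${line}.x is not listed in the table` };
  }
  const fixedPatch = Number(fixed.split('.')[2]);
  return v.patch >= fixedPatch
    ? { status: 'patched', reason: `${version} >= ${fixed}` }
    : { status: 'vulnerable', upgradeTo: fixed, reason: `${version} < ${fixed}` };
}

// Usage: node check-next-version.js "$(node -p "require('next/package.json').version")"
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  console.log(JSON.stringify(classify(process.argv[2]), null, 2));
}
```

Run it against the version reported by `node -p "require('next/package.json').version"` inside the deployed artifact, not against package.json, because a caret range such as `^15.4.0` says nothing about what the lock file resolved.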
Automated Scanning Tools
1. Dependabot (GitHub):
Enable Dependabot security updates in your GitHub repository settings. It will automatically create pull requests to patch vulnerable dependencies.
2. Snyk:
# Install Snyk CLI
npm install -g snyk
# Authenticate
snyk auth
# Scan for vulnerabilities
snyk test
# Monitor continuously
snyk monitor
3. npm audit:
# Check for known vulnerabilities
npm audit
# View detailed report
npm audit --json
# Automatically fix (use with caution)
npm audit fix
4. Cyber AR Free Next.js RCE Scanner:
Use our Free Next.js RCE Scanner to instantly check if your application is vulnerable to CVE-2025-55182, CVE-2025-55184, and CVE-2025-55183. Our scanner provides:
- Instant vulnerability detection for all three CVEs
- Detailed vulnerability reports
- No registration required
- Actionable remediation guidance
- Continuous monitoring capabilities
This is the fastest way to determine if your Next.js application is at risk.
Cloud Environment Scanning
For AWS:
# List EC2 instances tagged as running Next.js (assumes an Application tag; adjust to your tagging)
aws ec2 describe-instances --filters "Name=tag:Application,Values=nextjs" \
  --query 'Reservations[].Instances[].[InstanceId,State.Name]' --output table
# Pull Inspector findings for the specific CVE instead of generating a whole report
aws inspector2 list-findings --filter-criteria \
  '{"vulnerabilityId":[{"comparison":"EQUALS","value":"CVE-2025-55184"}]}'
For Google Cloud Platform:
# List Compute Engine instances
gcloud compute instances list
# Security Command Center findings need the organization as parent
gcloud scc findings list organizations/ORG_ID --filter='state="ACTIVE"'
For Azure:
# List virtual machines
az vm list --output table
# Microsoft Defender for Cloud alerts
az security alert list --output table
For Kubernetes:
# List all Next.js pods (assumes an app=nextjs label)
kubectl get pods -l app=nextjs --all-namespaces
# VulnerabilityReport is a Trivy Operator custom resource; present only if that operator is installed
kubectl get vulnerabilityreports --all-namespaces
Security Best Practices
Immediate Actions
1. Patch Management Policy:
Establish a policy for critical security patches:
- Critical (CVSS 9.0-10.0): Patch within 24 hours
- High (CVSS 7.0-8.9): Patch within 48 hours
- Medium (CVSS 4.0-6.9): Patch within 1 week
- Low (CVSS 0.1-3.9): Patch within 1 month
2. Dependency Update Strategy:
# Review outdated packages weekly
npm outdated
# Update within the semver ranges in package.json (picks up a patch such as 15.4.10 if your range is ^15.4.0)
npm update
# Update major versions deliberately, after reading the upgrade guide
npm install next@latest
3. Security Testing Integration:
# Add to CI/CD pipeline: install from the lock file and fail the build on high or critical advisories
npm ci
npm audit --audit-level=high
npm run test
npm run build
Long-Term Security Improvements
1. Implement Defense in Depth:
- Network Layer: WAF, DDoS protection, rate limiting
- Application Layer: Input validation, output encoding, CSP headers
- Data Layer: Encryption at rest, encryption in transit
- Identity Layer: Strong authentication, MFA, least privilege access
2. Adopt Secure Development Practices:
- Code reviews for all changes
- Security training for developers
- Threat modeling for new features
- Regular penetration testing - Get a Free Penetration Test from Cyber AR to identify security weaknesses
3. Environment Variable Management:
// ✅ GOOD: Centralized environment validation
// lib/env.ts
import { z } from 'zod';
const envSchema = z.object({
DATABASE_URL: z.string().url(),
API_KEY: z.string().min(32),
NEXTAUTH_SECRET: z.string().min(32),
});
export const env = envSchema.parse(process.env);
4. Secrets Management:
Use dedicated secrets management solutions:
- AWS Secrets Manager
- Google Cloud Secret Manager
- Azure Key Vault
- HashiCorp Vault
- Doppler
- Infisical
5. Web Application Firewall (WAF) Configuration:
If self-hosting, implement WAF rules:
# nginx example. Server Action and RSC requests are POSTs to page routes, so apply the
# limits at the site root, not to /_next/ (static chunks live there and must stay fast).
# No Content-Type pattern can identify a malicious payload: the request shape is
# identical to legitimate Server Action traffic, so rate and size limits are what a proxy can do.
# In the http {} block: key the limiter on the client address for POSTs only; an empty
# key means the request is not counted.
map $request_method $post_limit_key {
    default "";
    POST    $binary_remote_addr;
}
limit_req_zone $post_limit_key zone=post_per_ip:10m rate=10r/s;
# In the server {} block:
location / {
    limit_req zone=post_per_ip burst=20 nodelay;
    limit_req_status 429;
    # Server Action bodies are small; cap request size
    client_max_body_size 1M;
    # Stop holding the proxy connection open on a hung worker; the worker itself still needs the patch
    proxy_read_timeout 30s;
    proxy_pass http://nextjs:3000;
}
6. Monitoring and Alerting:
Set up alerts for security events:
// Example: Monitoring for suspicious Server Action calls.
// `logger`, `processData` and `sendAlert` are application helpers assumed to exist;
// the '@/lib/actions' path is a placeholder for wherever yours live.
import { logger } from '@/lib/logger';
import { processData, sendAlert } from '@/lib/actions';

export async function monitoredServerAction(data: unknown) {
  "use server";
  const action = 'monitoredServerAction';
  const startTime = Date.now();
  // Argument size helps spot oversized or malformed payloads; guard the stringify
  // because an unknown argument is not guaranteed to be serializable.
  let dataSize = -1;
  try {
    dataSize = JSON.stringify(data)?.length ?? -1;
  } catch {
    // leave dataSize at -1
  }
  try {
    const result = await processData(data);
    logger.info('Server action completed', { action, duration: Date.now() - startTime, dataSize });
    return result;
  } catch (error) {
    // Log metadata, not the raw argument: it may contain user data or the malicious payload itself
    const message = error instanceof Error ? error.message : String(error);
    logger.error('Server action failed', { action, error: message, dataSize, duration: Date.now() - startTime });
    // An error spike on a single action is the cheapest signal that someone is probing it
    await sendAlert({
      severity: 'high',
      message: 'Server action failure detected',
      details: { action, error: message, dataSize },
    });
    throw error;
  }
}
7. Content Security Policy (CSP):
// next.config.mjs
// 'unsafe-eval' is only needed by the dev server (React Refresh), so drop it in production.
// 'unsafe-inline' is needed by Next.js's own inline bootstrap scripts until you move to a
// per-request nonce set from middleware, which is the hardened form.
const isDev = process.env.NODE_ENV !== 'production';
export default {
  async headers() {
    return [
      {
        source: '/:path*',
        headers: [
          {
            key: 'Content-Security-Policy',
            value: [
              "default-src 'self'",
              isDev
                ? "script-src 'self' 'unsafe-inline' 'unsafe-eval'"
                : "script-src 'self' 'unsafe-inline'",
              "style-src 'self' 'unsafe-inline'",
              "img-src 'self' data: https:",
              "font-src 'self' data:",
              "connect-src 'self' https://api.example.com",
              "frame-ancestors 'none'",
              "object-src 'none'",
              "base-uri 'self'",
            ].join('; '),
},
{
key: 'X-Content-Type-Options',
value: 'nosniff',
},
{
key: 'X-Frame-Options',
value: 'DENY',
},
{
key: 'Referrer-Policy',
value: 'strict-origin-when-cross-origin',
},
],
},
];
},
};
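As an added example, not from the original article: a static header that allows `'unsafe-inline'` (and in development `'unsafe-eval'`) on script-src lets any injected script run and so gives up most of what a CSP is for. Next.js supports the hardened alternative, a per-request nonce set from middleware, and the builder below produces that policy; an audit helper beside it flags the weak keywords so you can check what a deployment actually serves. The nonce generation (`crypto.randomUUID()` per request in middleware), the `connectSrc` parameter and the helper names are this example's assumptions.

```javascript
// Added example (not from the original article). A nonce-based policy removes 'unsafe-inline'
// and 'unsafe-eval' from script-src. The nonce is generated per request in middleware
// (e.g. crypto.randomUUID()) and forwarded on a request header so Next.js can stamp it onto
// its own inline scripts; this file only builds and audits the header value.

// The policy from the next.config.mjs above, kept here as the "before" case.
const PAGE_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'";

function buildCsp({ nonce, dev = false, connectSrc = ["'self'"] }) {
  // A short or predictable nonce is as bad as none; insist on something with real entropy.
  if (typeof nonce !== 'string' || !/^[A-Za-z0-9+/=_-]{22,}$/.test(nonce)) {
    throw new Error('nonce must be a per-request random string (e.g. crypto.randomUUID())');
  }
  // 'strict-dynamic' lets scripts loaded by a nonced script run without listing every host.
  const scriptSrc = ["'self'", `'nonce-${nonce}'`, "'strict-dynamic'"];
  if (dev) scriptSrc.push("'unsafe-eval'"); // only the dev server (React Refresh) needs eval
  return [
    "default-src 'self'",
    `script-src ${scriptSrc.join(' ')}`,
    "style-src 'self' 'unsafe-inline'", // Next.js emits inline style attributes; tighten with style nonces later
    "img-src 'self' data: https:",
    "font-src 'self' data:",
    `connect-src ${connectSrc.join(' ')}`,
    "frame-ancestors 'none'",
    "object-src 'none'",
    "base-uri 'self'",
    "form-action 'self'",
  ].join('; ');
}

// Audit a policy's script-src the way a reviewer would: the two keywords that let injected
// or eval'd script run, and the absence of any nonce or hash source.
function auditScriptSrc(cspHeader) {
  const directive = cspHeader
    .split(';')
    .map((d) => d.trim())
    .find((d) => /^script-src(\s|$)/.test(d));
  if (!directive) return ['no script-src directive; default-src applies to scripts'];
  const findings = [];
  const hasNonceOrHash = /'nonce-[^']+'|'sha(256|384|512)-[^']+'/.test(directive);
  if (directive.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline' with no nonce or hash: any injected <script> executes");
  }
  if (directive.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval': eval() and new Function() allowed");
  }
  if (!hasNonceOrHash) findings.push('no nonce or hash source on script-src');
  return findings;
}
```

Wire `buildCsp` into middleware.ts: generate the nonce, set the Content-Security-Policy header on the response, and pass the nonce along on a request header so Next.js can apply it to its inline scripts; the Next.js CSP guide documents that plumbing. Run `auditScriptSrc` over the header a deployed page actually returns (`curl -sI` and read the CSP line) rather than over the config, since a proxy or platform layer can rewrite it.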
Incident Response Checklist
If You Suspect Compromise
⬜ Phase 1: Containment (Immediate)
- Isolate affected systems from the network
- Preserve system state for forensic analysis (don't reboot yet)
- Enable verbose logging on all systems
- Notify security team and stakeholders
- Document timeline of events
⬜ Phase 2: Investigation (First Hour)
- Collect system logs (application, access, error logs)
- Review network traffic for suspicious patterns
- Check for unauthorized user accounts
- Identify compromised data or systems
- Take disk images for forensic analysis
⬜ Phase 3: Eradication (First 4 Hours)
- Patch to latest secure version
- Remove any malware or backdoors found
- Rebuild compromised systems from clean backups
- Review and update firewall rules
- Implement additional monitoring
⬜ Phase 4: Recovery (First 24 Hours)
- Restore systems from verified clean backups
- Rotate all credentials (passwords, API keys, certificates)
- Test all critical functionality
- Monitor for signs of persistent compromise
- Gradually restore normal operations
⬜ Phase 5: Lessons Learned (First Week)
- Conduct post-incident review meeting
- Document what happened and how it was resolved
- Identify gaps in security controls
- Update incident response procedures
- Provide security awareness training to team
Evidence Collection
# Work in a dedicated directory and collect the most volatile state first
mkdir -p incident && cd incident
uname -a > system-info.txt
ps auxww > processes.txt
ss -tulpn > listening-sockets.txt    # netstat is deprecated on current distributions
ss -tanp > connections.txt
# Collect logs (adjust to where your proxy and service actually log)
cp -r /var/log/nginx/ logs-nginx/
journalctl -u nextjs --no-pager > journal.txt
# Capture traffic for a bounded window; an unbounded tcpdump never returns
timeout 300 tcpdump -i any -w traffic.pcap
# Build a timeline of POSTs and proxy timeouts, the footprint of the DoS
grep -hE '"POST |" (499|502|504) ' /var/log/nginx/*.log | sort > timeline.txt
# Hash everything collected so the evidence can later be shown to be unmodified
find . -type f ! -name SHA256SUMS -exec sha256sum {} + > SHA256SUMS
Frequently Asked Questions
Q: Are Pages Router applications affected?
A: No, Pages Router applications are NOT affected by CVE-2025-55184 or CVE-2025-55183. However, upgrading to the latest Next.js version is still recommended for general security best practices.
Q: Do I need to rotate secrets after patching CVE-2025-55184 and CVE-2025-55183?
A: For CVE-2025-55184 (DoS) and CVE-2025-55183 (source code exposure), secret rotation is only necessary if:
- For CVE-2025-55183: You have hardcoded secrets in your Server Actions (which is a bad practice)
- For CVE-2025-55182 (React2Shell): Your application was exposed and unpatched during the exploitation window (December 4-6, 2025)
CVE-2025-55184 (DoS) does not expose credentials, so rotation is not required unless you also had CVE-2025-55182 exposure.
Q: How do I know if I was exploited?
A: Review your logs for:
CVE-2025-55184 (DoS):
- Unusual spikes in CPU usage
- Server process hangs or crashes
- Repeated timeout errors
- Suspicious POST requests to App Router endpoints
CVE-2025-55183 (Source Code Exposure):
- Unusual requests to Server Action endpoints
- Large response payloads (source code is larger than normal responses)
- Requests with malformed headers or payloads
CVE-2025-55182 (React2Shell):
- Unexpected process execution (cryptominers, shells)
- Outbound network connections to unknown IPs
- New user accounts or SSH keys
- Modified application files
Q: Can I use a Web Application Firewall (WAF) instead of patching?
A: No, WAF rules cannot provide complete protection against these vulnerabilities. While Vercel automatically deployed WAF rules to protect hosted applications, patching is still mandatory. WAF rules provide defense-in-depth but are not a substitute for applying security updates.
Q: What if I can't upgrade immediately?
A: If immediate upgrade is not possible, implement temporary mitigations:
- Rate Limiting: Limit requests to App Router endpoints
- Request Size Limits: Block abnormally large payloads
- Monitoring: Enable verbose logging and alerting
- Isolation: Isolate vulnerable systems from critical infrastructure
However, these are temporary measures only. Upgrading must be prioritized.
Q: Does this affect static sites generated with Next.js?
A: If your Next.js site is fully static (SSG with no Server Actions and no dynamic App Router routes), you are not affected. If you use Server Actions or server-rendered App Router routes, you are vulnerable. getServerSideProps is a Pages Router API, and the Pages Router is not affected by these two CVEs.
Q: What's the difference between CVE-2025-55184 and CVE-2025-67779?
A: CVE-2025-55184 was the initial DoS vulnerability disclosure. However, the first patch was incomplete, and a more comprehensive fix was released under CVE-2025-67779. The recommended patch versions listed in this article include both fixes.
Q: How can I stay informed about future Next.js security issues?
A: Subscribe to:
- Next.js Blog (security tag)
- Vercel Security Bulletins
- React Security Advisories
- GitHub Watch Notifications for the Next.js repository
- CVE Mailing Lists
Q: Should I be concerned about other React Server Components frameworks?
A: Yes, if you use any of the following frameworks with React Server Components, you should check for security updates:
- Vite RSC
- Parcel RSC
- React Router with RSC
- RedwoodSDK
- Waku
Each framework will release patches according to their own security advisory schedule.
Conclusion
CVE-2025-55184 and CVE-2025-55183 represent serious security vulnerabilities affecting Next.js applications using the App Router with React Server Components. While CVE-2025-55184's denial of service impact can disrupt business operations, CVE-2025-55183's source code exposure can reveal sensitive business logic and potentially hardcoded secrets.
Key Action Items
If you're running Next.js 13.3 or later with App Router:
- Assess: Check your Next.js version immediately
- Patch: Upgrade to the latest patched version for your major.minor line
- Verify: Test thoroughly before deploying to production
- Monitor: Watch for signs of exploitation or compromise
- Harden: Implement additional security controls
Beyond These CVEs
Remember that security is an ongoing process, not a one-time fix. The React2Shell vulnerability (CVE-2025-55182) demonstrates that even well-maintained frameworks can have critical flaws. Organizations should:
- Maintain an up-to-date inventory of all dependencies
- Subscribe to security advisories for critical technologies
- Establish SLAs for patching based on vulnerability severity
- Implement defense-in-depth strategies
- Conduct regular security assessments and penetration testing - Request a Free Penetration Test
The Silver Lining
The React and Next.js teams responded swiftly to these vulnerabilities, releasing patches and providing excellent tooling (like fix-react2shell-next) to streamline remediation. The transparent communication and comprehensive documentation demonstrate the maturity of these open-source projects.
However, the responsibility ultimately falls on development teams to apply these updates promptly and maintain secure development practices.
Protect Your Application Today
🚨 Scan Your Application: Use our Free Next.js RCE Scanner to instantly check if you're vulnerable to CVE-2025-55182, CVE-2025-55184, and CVE-2025-55183.
🛡️ Comprehensive Security Assessment: Get a Free Penetration Test from our certified security professionals. We'll comprehensively assess your application and provide detailed remediation guidance.
💬 Need Expert Help? Contact Cyber AR for professional security audits, incident response, and ongoing security consulting. Our team specializes in web application security and can help you identify and remediate vulnerabilities before attackers exploit them.
Additional Resources
Official Security Advisories
- Next.js Security Update - December 11, 2025
- Security Advisory: CVE-2025-66478
- Vercel Security Bulletin: CVE-2025-55184 and CVE-2025-55183
- React Blog: Critical Security Vulnerability in React Server Components
- GitHub Security Advisory GHSA-9qr9-h5gf-34mp
CVE Databases
- CVE-2025-55184 Details
- CVE-2025-55183 Details
- CVE-2025-67779 Details (Complete DoS Fix)
- CVE-2025-55182 Details (React2Shell)
Security Research and Analysis
- CVE-2025-55182: React2Shell Analysis and Exploitation - Trend Micro
- React2Shell (CVE-2025-55182): Critical React Vulnerability - Wiz Blog
- Exploitation of Critical Vulnerability in React Server Components - Palo Alto Networks Unit 42
- CVE-2025-55182 (React2Shell): Remote Code Execution - Datadog Security Labs
- React2Shell RCE Vulnerability Explained - Picus Security
Threat Intelligence
- PeerBlight Linux Backdoor Exploits React2Shell - Huntress
- CISA Adds CVE-2025-55182 to Known Exploited Vulnerabilities Catalog
- Critical RSC Bugs in React and Next.js - The Hacker News
Remediation Tools
- fix-react2shell-next - Automated Update Tool
- Next.js Upgrade Guide
- React Server Components Documentation
Stay safe, patch promptly, and follow security best practices to protect your applications and users.