Number: AL25-018
Date: December 4, 2025
Audience
This Alert is intended for IT professionals and managers.
Purpose
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
Details
On December 3, 2025, the Cyber Centre became aware of a critical pre-authentication remote code execution (RCE) vulnerability (Footnote 1), tracked as CVE-2025-55182 (Footnote 2), in the React Server Components (RSC) "Flight" protocol. It affects React 19 and the frameworks that implement the protocol, most notably Next.js. The vulnerability is an insecure deserialization flaw in how React decodes the payload of an HTTP request sent to a React Server Function endpoint; a crafted payload can result in arbitrary code execution on the server without any authentication.
The Cyber Centre has observed open-source reporting indicating that multiple proofs of concept (PoC) are publicly available and that the vulnerability is easily exploitable in the wild (Footnote 3).
On December 3, 2025, in response to this vulnerability, the Cyber Centre released AV25-804 (Footnote 4).
Suggested actions
The Cyber Centre recommends that organizations update the affected React packages to the following versions:
| Package | Affected versions | Fixed versions |
|---|---|---|
| react-server-dom-webpack | 19.0.0, 19.1.0, 19.1.1 and 19.2.0 | 19.0.1, 19.1.2 and 19.2.1 |
| react-server-dom-parcel | 19.0.0, 19.1.0, 19.1.1 and 19.2.0 | 19.0.1, 19.1.2 and 19.2.1 |
| react-server-dom-turbopack | 19.0.0, 19.1.0, 19.1.1 and 19.2.0 | 19.0.1, 19.1.2 and 19.2.1 |
Libraries and frameworks that bundle a react-server implementation are likely to be affected. Common examples include:
- Next.js (versions 15.x, 16.x, and 14.3.0-canary.77 and later canary releases)
  - CVE-2025-66478 (Footnote 5) has been declared a duplicate of CVE-2025-55182
- Vite RSC plugin
- Parcel RSC plugin
- React Router RSC preview
- RedwoodSDK
- Waku
Organizations should identify vulnerable systems and prioritize patching them promptly, following vendor-provided guidance (Footnote 1).
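As an added illustration of the identification step (example code written for this page, not a Cyber Centre or React project tool), the following Node.js script scans an npm package-lock.json for the three react-server-dom-* packages in the table above and classifies each installed copy, including copies nested under a framework such as Next.js, against the affected and fixed versions listed there. It assumes lockfileVersion 2 or 3 (a "packages" map keyed by install path); the sample lockfile fragment embedded in the script is constructed for demonstration. Prerelease/canary builds and version lines not listed in this Alert are reported as "review" rather than guessed at.

```javascript
// Added example (not Cyber Centre or React project tooling): scan an npm
// package-lock.json for the react-server-dom-* packages named in this Alert
// and report which installed copies fall in the affected ranges.
// Assumes lockfileVersion 2 or 3 ("packages" map keyed by install path).
// Usage: node check-rsc.js path/to/package-lock.json   (no argument: built-in sample)

const AFFECTED_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];

// First fixed release for each affected 19.x minor line, from the Alert's table.
const FIXED_BY_MINOR = { 0: '19.0.1', 1: '19.1.2', 2: '19.2.1' };

function parseVersion(v) {
  // Split "major.minor.patch" and keep any prerelease/build tag (e.g. "-canary-...")
  // so that canary builds, which the Alert's lists do not cover, can be flagged.
  const m = /^(\d+)\.(\d+)\.(\d+)(?:[-+](.*))?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], tag: m[4] || '' };
}

function compare(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Returns 'vulnerable', 'fixed', 'review' (prerelease build or a version line
// not listed in the Alert) or 'unparsed'.
function classify(version) {
  const v = parseVersion(version);
  if (!v) return 'unparsed';
  if (v.major !== 19 || !(v.minor in FIXED_BY_MINOR)) return 'review';
  if (v.tag) return 'review';
  const fixed = parseVersion(FIXED_BY_MINOR[v.minor]);
  return compare(v, fixed) < 0 ? 'vulnerable' : 'fixed';
}

// Walk every install path in the lockfile; the package name is the segment
// after the last "node_modules/", so nested copies (e.g. under next/) are found too.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!AFFECTED_PACKAGES.includes(name) || !entry.version) continue;
    findings.push({ path, name, version: entry.version, status: classify(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile fragment (hypothetical project, for demonstration only).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/next': { version: '15.5.0' },
    'node_modules/next/node_modules/react-server-dom-webpack': { version: '19.1.1' },
    'node_modules/react-server-dom-turbopack': { version: '19.2.1' },
    'node_modules/react-server-dom-parcel': { version: '19.2.0-canary-1234' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const findings = scanLockfile(lock);
  for (const f of findings) {
    console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
  }
  // Non-zero exit so the check can gate a CI pipeline.
  if (findings.some((f) => f.status === 'vulnerable')) process.exitCode = 1;
}
```

The script reports only what the lockfile says is installed; a framework that vendors its own copy of the protocol implementation, or a deployment built from a different lockfile, still has to be checked against the vendor's guidance. Anything it marks "review" (canary builds, or 19.x lines not in the table) should be resolved from the React advisory rather than assumed safe.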
If immediate patching is not possible, reduce exposure by:
- Enabling WAF rules: configure your Web Application Firewall to block malformed or malicious requests to React Server Function endpoints. Treat this as a stopgap only; signature-based rules do not remove the underlying deserialization flaw.
- Restricting access: use network ACLs or firewalls to limit access to the affected applications to trusted IP addresses or networks.
- Disabling RSC: temporarily remove Server Components and Server Functions; applications that do not use RSC are not affected by this vulnerability.
In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre's Top 10 IT Security Actions (Footnote 6), with emphasis on the following:
- Patch operating systems and applications
- Segment and separate information
- Isolate web-facing applications
Should activity matching the content of this Alert be discovered, recipients are encouraged to report it via My Cyber Portal or by email to contact@cyber.gc.ca.