CVE-2025-66478: RCE in React Server Components
Actively exploited. At least one CVE in this advisory is listed in the CISA Known Exploited Vulnerabilities catalog — exploitation has been observed in the wild. Treat remediation as urgent.
Bulletin ID: AWS-2025-030 Scope: AWS Content Type: Important (requires attention) Publication Date: 2025/12/03 20:00 PM PST Description: AWS is aware of the recently disclosed CVE-2025-55182 which affects the React Server Flight protocol in React versions 19.0, 19.1, and 19.2, as well as in Next.js versions 15.x, 16.x, Next.js 14.3.0-canary.77 and later canary releases when using App Router. This issue may permit unauthorized remote code execution on affected applications servers. AWS is aware of CVE-2025-66478, which has been rejected as a duplicate of CVE-2025-55182. Customers using managed AWS services are not affected, and no action is required. Customers running an affected version of React or Next.js in their own environments should update to the latest patched versions immediately: - Customers using React 19.x, with Server Functions and RSC Components should update to the latest patched versions 19.0.1, 19.1.2, and 19.2.1 - Customers using Next.js 15-16 with App Router should update to a patched version
CSIRTS triage
- What
- An issue may permit unauthorized remote code execution on affected application servers.
- Who is affected
- Customers running affected versions of React or Next.js in their own environments.
- Urgency
- Remediation is urgent due to the potential for exploitation.
- Action
- Update to the latest patched versions immediately.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch React
Get an email when a new React advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://aws.amazon.com/security/security-bulletins/rss/aws-2025-030/
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Exploitation confirmedCVE-2025-66478Already exploited in the wild (CISA KEV) — the prediction phase is over. Patch now.
- Exploitation confirmedCVE-2025-55182Already exploited in the wild (CISA KEV) — the prediction phase is over. Patch now. Riskier than 100% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2025-66478 | coverage & exploitation status | NVD · CVE.org |
| CVE-2025-55182 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- criticalexploitedCVE-2025-55182: Meta React Server Components Remote Code Execution Vulnerabilitycisa-kev
- unknownexploited[Update] Vulnerability in React Server Components (December 5, 2025)cert-fr-alerte
- critical2025-041: Critical Security Vulnerability in React Server Componentscert-eu
More from AWS Security Bulletins
- unknownCVE-2026-14904 - Improper Link Resolution in Auth.GetUserPrivateKey in AWS Research and Engineering Studio2026-07-07
- unknownCVE-2026-14471 - Authenticated SQL injection in the metrics-service retention policy subsystem of mcp-gateway-…2026-07-06
- unknownCVE-2026-14265- Deserialization of Untrusted Data in AWS Advanced JDBC Wrapper RemoteQueryCachePlugin2026-07-01
- unknownCVE-2026-13760 - OS Command Injection in NodejsFunction Docker Bundling in aws-cdk-lib2026-07-01
- unknownCVE-2026-13769 – Insecure file permissions in AWS CLI2026-07-01