WID-SEC-W-2025-2738

WID-SEC-W-2025-2738 PUBLISHED CVSS 9.300000190734863 CRITICAL

Next.js ist ein Framework für React-basierte Web-Anwendungen. React ist eine Open-Source-JavaScript-Bibliothek zur Erstellung von Benutzeroberflächen, insbesondere für Single-Page-Anwendungen.

Risk Scores

CVSS 4.0

9.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products

Vendor	Product	Versions
	Open Source React <19.0.1
	Vercel Next.js <15.4.8
	Open Source React 19.2.1
	Vercel Next.js <15.0.5
	Open Source React <19.2.1
	Vercel Next.js <16.0.7
	Vercel Next.js 15.0.5
	Vercel Next.js 15.5.7
	Vercel Next.js 15.4.8
	Vercel Next.js 15.3.6
	Open Source React 19.0.1
	Vercel Next.js <15.3.6
	Vercel Next.js <15.1.9
	Vercel Next.js 15.2.6
	Vercel Next.js <15.2.6
	Vercel Next.js <15.5.7
	Open Source React <19.1.2
	Vercel Next.js 15.1.9
	Open Source React 19.1.2
	Vercel Next.js 16.0.7

Exploit Intelligence

react2shell - CVE-2025-55182 (Next.js: CVE-2025-66478) - Unauthenticated RCE in React Server Components (Flight Protocol) - PoC Exploit (github-poc-repo)
A Chrome extension for detecting React2Shell vulnerabilities (CVE-2025-55182 & CVE-2025-66478) in web applications (github-poc-repo)
nilfredb/CVE-2025-66478-Research-Proof-of-Concept (github-poc-repo)
nilfredb/CVE-2025-66478-Research-Proof-of-Concept (github-poc)
Z3ROROOT3R/CVE-2025-66478 (github-poc)
RCE exploit PoC for CVE-2025-55182 and CVE-2025-66478 in Next.js and React Server Components with scanner and exploitation tools. (github-poc-repo)
React2Shell is a high-performance vulnerability scanner written in Go, specifically designed to detect Server-Side Remote Code Execution (RCE) vulnerabilities in Next.js applications (CVE-2025-55182 & CVE-2025-66478). (github-poc-repo)
React2shell exploit (CVE-2025-55182+CVE-2025-66478) (github-poc-repo)
A Firefox extension for detecting React2Shell vulnerabilities (CVE-2025-55182 & CVE-2025-66478) in web applications. (github-poc-repo)
Precision-Based Detection of RSC/Next.js Remote Code Execution Vulnerabilities (CVE-2025-55182, CVE-2025-66478) (github-poc-repo)

…and 74 more exploits

Timeline

Jun 24, 2024 PoC Published
Dec 3, 2025 CVE Published
Dec 4, 2025 CVE Updated
Dec 5, 2025 PoC Published
Dec 5, 2025 PoC Published
Dec 6, 2025 PoC Published
Dec 7, 2025 PoC Published
Dec 9, 2025 PoC Published
Dec 9, 2025 PoC Published

References

Open in Interactive Console →