Explore a decade of deserialization vulnerabilities, from Java to React/Next.js CVEs, and learn how to harden apps and stay ahead with Recorded Future.
Analysis Summary
# Vulnerability: Persistent Deserialization Flaws in Web Frameworks (React/Next.js Focus)
## CVE Details
- CVE ID: CVE-2025-55182 and CVE-2025-66478 (Mentioned alongside a decade of similar flaws)
- CVSS Score: Not explicitly provided, but implied High/Critical given RCE outcome.
- CWE: Likely CWE-502: Deserialization of Untrusted Data.
## Affected Systems
- Products: React, Next.js (specifically Server Actions implementations). Custom RSC implementations outside Next.js.
- Versions: Specific vulnerable versions for 2025 CVEs are not detailed, but context implies issues related to Flight protocol deserialization within Next.js Server Actions. The general issue traces back to flaws like CVE-2015-4852 (Java serialization).
- Configurations: Vulnerable deployment targets are differentiated by App Router vs. Pages Router sites; App Router targets utilizing Server Actions are at risk.
## Vulnerability Description
The vulnerability stems from insecure data serialization/deserialization, specifically within the Flight protocol used by Next.js Server Actions. By sending specially crafted serialized data via the `Next-Action` header in HTTP POST requests, an attacker can trigger arbitrary object reconstruction (gadget chains), leading to Remote Code Execution (RCE). The core issue lies in the `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack` modules.
## Exploitation
- Status: Publicly available exploit scripts found on GitHub. Exploitation in the wild is imminent, given how quickly exploit code became available after disclosure.
- Complexity: Low (due to public exploit scripts).
- Attack Vector: Network (via crafted POST requests).
## Impact
- Confidentiality: High (Immediate credential harvesting from environment variables).
- Integrity: High (Allows arbitrary code execution and system modification).
- Availability: High (Can lead to system compromise and disruption).
## Remediation
### Patches
- Patches are implied by the disclosure of CVE-2025-55182 and CVE-2025-66478, and should be obtained from the official Next.js/React vendors addressing the Flight protocol deserialization logic.
### Workarounds
1. **Disable Server Actions:** If Server Actions are not in use, consider disabling them entirely.
2. **WAF Rules:** Focus Web Application Firewall (WAF) rules on the relevant endpoint targets identified by the `Next-Action` header.
3. **Asset Inventory:** Differentiate vulnerable App Router targets from safe Pages Router sites by checking for artifacts like `window.__next_f` vs `__NEXT_DATA__`.
## Detection
- **Hunt Anomalous Activity:** Search logs for **anomalous POST requests** carrying a `Next-Action` header aimed at suspicious targets.
- **Payload Analysis:** Investigate multipart payloads that reference dangerous keys such as `__proto__`, or that contain unusual serialized JSON structures.
- **Exfiltration Indicator:** Look for **base64 encoded data within error digests**, used by the exploit to exfiltrate stolen information.
- **General Principle:** Assume full compromise (RCE) and prepare Incident Response playbooks accordingly (e.g., checking for lateral movement attempts targeting cloud metadata endpoints or persistence via cron jobs).
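A small log-triage script built from the hunting guidance above, as an added example that is not part of the original report. The event shape, the action-ID allow-list and the sample records are constructed assumptions, not real traffic or a vendor format.

```python
import base64
import re

# Constructed sample events (not real traffic), in the shape a reverse-proxy
# or application log might take after JSON export: one benign Server Action
# call, one suspicious call, one ordinary GET.
SAMPLE_EVENTS = [
    {"method": "POST", "path": "/", "headers": {"Next-Action": "a1b2c3"},
     "body": '["hello"]', "response": "0:[]"},
    {"method": "POST", "path": "/", "headers": {"Next-Action": "deadbeef"},
     "body": ('--x\r\nContent-Disposition: form-data; name="0"\r\n\r\n'
              '{"__proto__":{"then":"$1"}}\r\n--x--'),
     "response": '{"digest":"' + base64.b64encode(b"SECRET=placeholder").decode() + '"}'},
    {"method": "GET", "path": "/about", "headers": {}, "body": "", "response": "<html>"},
]

# Assumed allow-list of action IDs taken from the app's own build manifest.
KNOWN_ACTION_IDS = {"a1b2c3"}

DIGEST_RE = re.compile(r'"digest"\s*:\s*"([A-Za-z0-9+/=]{16,})"')


def _looks_like_base64_text(value):
    """True if value base64-decodes to printable text (normal digests are numeric)."""
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    return decoded.isprintable() and len(decoded) > 0


def analyze_event(ev):
    """Return the detection reasons for one event; an empty list means nothing was flagged."""
    reasons = []
    headers = {k.lower(): v for k, v in ev.get("headers", {}).items()}
    action_id = headers.get("next-action")
    if ev.get("method") == "POST" and action_id is not None:
        if action_id not in KNOWN_ACTION_IDS:
            reasons.append("POST with unrecognised Next-Action id")
        if "__proto__" in ev.get("body", ""):
            reasons.append("__proto__ key in Server Action payload")
    for digest in DIGEST_RE.findall(ev.get("response", "")):
        if _looks_like_base64_text(digest):
            reasons.append("base64 text in error digest (possible exfiltration)")
    return reasons


def scan(events):
    """Map event index -> reasons for every event that triggered at least one rule."""
    return {i: r for i, ev in enumerate(events) if (r := analyze_event(ev))}
```

Feed `scan()` a list of exported proxy or application log records in this shape; anything it returns deserves a look under the "assume full compromise" principle above.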
## References
- Vendor advisories for CVE-2025-55182 and CVE-2025-66478 (Next.js/React Security Bulletins).
- Relevant historical context on deserialization exploits (e.g., CVE-2015-4852).
- Link discussing weaponized exploit code on GitHub (defanged): hxxps://github.com/levi-gundert/NextRce_RSC_Exploit
- Link discussing GitHub infrastructure abuse (defanged): hxxps://www.recordedfuture.com/research/flying-under-the-radar-abusing-github-malicious-infrastructure
- Historical context link (defanged): hxxps://www.recordedfuture.com/blog/vulnerability-risk-analysis