
React/Next.js CVE-2025-55182 Vulnerability Analysis

A critical vulnerability, CVE-2025-55182, was recently disclosed and carries a CVSS 10.0 (the most critical) severity rating. The issue affects React/Next.js environments. Our security research team has analyzed the vulnerability and detected many applications in the Web3 ecosystem running the affected versions, including several that are actively exploitable.

This blog post shares preliminary information and immediate remediation guidance. Details are still developing, and the post will be updated as the situation evolves.

If you need support with verification, mitigation, or further investigation, please reach out to us via Telegram at @certikconsult or email us at [email protected].

Update (Dec 11, 2025):

The React and Next.js teams have disclosed two new CVEs affecting React Server Components, related to denial of service and source code exposure. Notably, versions that already include the recent RCE fix are still affected by these newly identified vulnerabilities. Projects are strongly advised to upgrade again to the latest patched versions without delay.

Immediate Actions

For DeFi Builders: Perform a self-check to determine whether your application is using vulnerable versions of the affected dependencies. If so, upgrade to a safe version immediately to eliminate the risk of compromise.

For Users: Exercise heightened caution when interacting with DeFi protocols. Some websites may already be compromised and serving malicious drainers. Stay vigilant, and avoid interacting with a site if anything looks off or behaves unexpectedly.

Self Check

There are two simple ways to check whether the application is running vulnerable dependencies.

First, in the browser where the application is loaded, evaluate the expression "window.next.version" in the developer console (F12). If the version returned falls within any of the following ranges, the Next.js installation is vulnerable: 15.0.0–15.0.4, 15.1.0–15.1.8, 15.2.0–15.2.5, 15.3.0–15.3.5, 15.4.0–15.4.7, 15.5.0–15.5.6, or 16.0.0–16.0.6.

Second, on the server, run the command "npm ls react". If the output shows React version 19.0.0, 19.1.0, 19.1.1, or 19.2.0, the application is considered vulnerable.

Additional affected packages are listed here.

Impact

For applications where Remote Code Execution (RCE) exploitation is possible, an attacker may be able to execute arbitrary commands on the server. Potential consequences include:

  • Accessing or exfiltrating sensitive materials stored on the server, including private keys, API secrets, or internal credentials.
  • Injecting malicious JavaScript into the served application (e.g., wallet drainers).
  • Modifying internal application logic or configuration.

Remediation Instructions

Update all affected dependencies to the patched versions as described in the official advisory.

After upgrading, take the extra steps to ensure no vulnerable software remains in use:

  • Verify that the lockfile (package-lock.json, yarn.lock, or pnpm-lock.yaml) resolves to the updated versions.
  • Check "node_modules" to confirm that no older react-server-dom-* versions (19.2.0, 19.1.x, or 19.0.0) are still present.
  • Rebuild and redeploy the application to ensure the updated dependencies are fully applied.
  • Perform a second-round self-check.

Note: Current analysis indicates that exploitation may depend on certain server conditions. However, the full scope of trigger paths is still being investigated, and additional vectors may exist. Given the evolving nature of this issue, upgrading is recommended even for static sites to eliminate any potential exposure.

Follow-Up Actions

If your environment was running vulnerable versions before the update, treat the incident as a potential compromise and perform additional defensive steps:

  • Review server logs for suspicious requests, unexpected POSTs/GETs, or anomalous execution patterns.
  • Rotate all secrets: signing keys, JWT keys, API tokens, environment variables, OAuth client secrets, etc.
  • Verify the server and application integrity: check for unauthorized file changes or injected code.
  • Enable WAF protection (e.g., Cloudflare) to reduce further exploit attempts.

If you need support with verification, mitigation, or further investigation, please reach out to us via Telegram at @certikconsult or email us at [email protected].
