
Beagle Security’s pentesting platform actively detects CVE-2025-55182, a CVSS 10.0 remote code execution vulnerability affecting Next.js applications using the App Router.
The vulnerability stems from weaknesses in React Server Components (RSC) protocol handling that allow attackers to inject malicious inputs which execute code on unpatched servers.
CVE-2025-66478, initially tracked as a separate Next.js advisory, has been rejected as a duplicate of CVE-2025-55182. CISA added CVE-2025-55182 to its Known Exploited Vulnerabilities catalog on December 5, 2025, confirming active exploitation. Organizations running Next.js must verify exposure immediately.
Framework-level vulnerabilities like CVE-2025-55182 only manifest during actual request handling.
Dependency scanners identify affected package versions but can’t confirm whether your deployed configuration exposes exploitable endpoints. Custom middleware, routing logic, and framework variations all affect real-world exploitability in ways that static analysis misses entirely.
Beagle Security validates vulnerability presence by simulating actual attacks against running applications. The platform:
Identifies Next.js applications through framework fingerprinting
Detects exposed React Server Components endpoints
Validates whether endpoints accept external input in exploitable patterns
Confirms successful payload injection that triggers server-side execution
This approach eliminates false positives from version-only checks and catches vulnerable configurations that might otherwise go unnoticed until exploitation occurs.
React Server Components execute code on the server and send rendered results to clients. Next.js implements this through specialized endpoints handling serialized component data.
The vulnerability chain works like this:
Attacker sends crafted input to an RSC endpoint
Next.js server deserializes input without proper validation
Malicious payload executes on the server with application permissions
Attacker gains remote code execution capabilities
Attackers can execute arbitrary commands on your application server by exploiting publicly accessible Next.js routes. The CVSS 10.0 rating reflects both ease of exploitation and severity of impact: full server compromise requiring no authentication.
The vulnerability impacts:
Next.js 15.x (patch to 15.1.4 or later)
Next.js 16.x (patch to 16.0.2 or later)
Next.js 14.3.0-canary.77 and later canary releases (upgrade to latest stable 15.x)
Only applications using the App Router face risk. The Pages Router remains unaffected. If your application uses both routing approaches, vulnerable App Router endpoints still create exploitable attack surface.
Test all Next.js deployments with Beagle Security: The platform validates whether your specific deployment configuration is vulnerable, accounting for custom middleware, API routes, and framework implementation variations that affect exploitability.
Apply patches immediately: Next.js released fixes across all affected branches. Update to the latest patch for your major version and retest with Beagle Security to confirm remediation.
Verify App Router usage: Review your app/ directory structure and routing configuration. If you’re exclusively using Pages Router, you’re not vulnerable. Mixed implementations still expose attack surface through App Router endpoints.
Test patches in staging before production: Framework updates can introduce breaking changes in rendering behavior, error handling, and data fetching patterns. Run a pentest against staging after patching to validate both security fixes and application functionality.
While Next.js hosts show clearer external signatures for CVE-2025-55182, React Server Actions behave differently across build tools and custom implementations. Applications using Vite, Parcel, or custom RSC implementations may exhibit vulnerable patterns that don’t match standard Next.js detection signatures.
Production implementations often diverge from framework defaults through custom serialization logic, middleware chains, and rendering optimizations. These variations obscure external indicators and make certain exposed hosts significantly harder to identify through automated scanning.
Beagle Security continues expanding detection coverage as we validate exploitability patterns across different React build tools and framework configurations. Current detection prioritizes Next.js because reliable signatures exist for production deployments using standard App Router patterns.
CISA’s KEV listing confirms attackers are exploiting CVE-2025-55182 in production environments. Unpatched Next.js applications face:
Server compromise with full application permissions
Data exfiltration from databases, file systems, and connected services
Lateral movement to internal networks through compromised application servers
Ransomware deployment in environments with broad server access
Supply chain attacks if your application serves other systems or customers
Given the CVSS 10.0 rating and confirmed exploitation, automated scanning tools are already targeting this vulnerability at scale. Patch windows measured in weeks are inadequate for actively exploited critical vulnerabilities. Organizations need remediation timelines measured in hours or days, not sprint cycles.
CVE-2025-55182 represents a vulnerability class affecting server-side rendering frameworks, not an isolated Next.js bug. Expect similar issues in other frameworks handling serialization and server-side execution contexts.
Long-term security requires:
Runtime testing for all framework updates: Major and minor version updates can introduce new vulnerability classes through changed rendering behavior, updated dependencies, or modified security assumptions. Regular scanning validates that security properties hold across framework changes.
Review of RSC endpoint exposure: Audit which Server Components are accessible to unauthenticated users. Authentication and authorization checks should occur before component rendering, not after. Defense in depth means limiting exposed attack surface even when patches are current.
Monitoring for framework-level CVEs: Subscribe to Next.js security advisories, React security channels, and framework-specific vulnerability feeds. Framework vulnerabilities often affect large portions of your application surface area simultaneously, requiring coordinated response across multiple services.
Test your Next.js applications with Beagle Security now.
The platform identifies vulnerable endpoints, validates exploitability, and provides evidence for prioritizing remediation. Patch all affected versions immediately as active exploitation is confirmed and automated attack tools are targeting this vulnerability at scale.
Related considerations: Review authentication requirements for all React Server Components, audit custom middleware processing RSC requests, and establish continuous security scanning for framework-level vulnerabilities in your CI/CD pipeline.