A maximum-severity remote code execution vulnerability in Next.js is being actively exploited in the wild — and if you’re running any version of Next.js 15 or 16 with the App Router enabled, your server is at risk right now. Tracked as CVE-2025-55182 (nicknamed “React2Shell”), this flaw scores a perfect 10.0 CVSS and requires no authentication, no special permissions, and no user interaction to exploit. A single malicious HTTP POST request is all an attacker needs to gain full server control. Here’s what the Next.js CVE-2025-55182 vulnerability is, who it affects, what attackers are doing with it, and exactly how to patch your application before it’s too late.

What Is CVE-2025-55182 and Why It’s Critical
CVE-2025-55182 is an insecure deserialization vulnerability (CWE-502) in the React Server Components (RSC) Flight protocol. The flaw exists in how Next.js and React process HTTP requests sent to Server Function endpoints. The server unsafely deserializes payload data from incoming POST requests without properly validating the structure — allowing attacker-controlled content to influence server-side execution logic and trigger arbitrary JavaScript code with full server privileges.
The CVE details at a glance:
- CVE ID: CVE-2025-55182
- CVSS v3.1 Score: 10.0 (Critical — maximum possible)
- Attack Vector: Network, no authentication, no user interaction required
- Impact: Full confidentiality, integrity, and availability compromise
- CWE: CWE-502 (Deserialization of Untrusted Data)
- Related CVEs from the same advisory: CVE-2025-55184 (DoS, CVSS 7.5), CVE-2025-55183 (source code exposure, CVSS 5.3), CVE-2025-67779 (DoS, CVSS 7.5)
This is separate from the earlier CVE-2025-29927 (March 2025), which was a middleware authorization bypass with a CVSS of 9.1. CVE-2025-55182 is newer and more severe.
Which Versions Are Affected

The vulnerability affects all Next.js installations using the App Router (not Pages Router) combined with React Server Components. Affected versions include:
- Next.js 15.x: 15.0.0 through 15.5.x (all builds)
- Next.js 16.x: 16.0.0 through 16.0.6
- Next.js canary builds: 14.3.0-canary.77 onward
- React packages affected: react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack versions 19.0.0 through 19.2.0
Other frameworks using React Server Components are also affected, including React Router (in RSC mode), Waku, RedwoodSDK, and Parcel RSC. Next.js 14 with Pages Router only is not affected.
To check your current Next.js version, run:
npx next --version
What Attackers Are Doing With This Vulnerability
Security researchers and incident response teams have confirmed active exploitation in the wild. The exploitation is near 100% reliable — a single crafted HTTP POST to a Server Function endpoint is enough. Observed attacks include:
- Credential harvesting: Attackers are extracting AWS IAM keys, SSH private keys, GitHub tokens, OpenAI API keys, Stripe keys, Kubernetes tokens, database connection strings, and environment variables from compromised servers.
- Cryptocurrency mining: XMRig (a Monero miner) is being deployed on compromised servers to use CPU resources for mining.
- Backdoor installation: Known malware families observed include Cobalt Strike, Sliver C2 framework, EtherRAT, Noodle RAT, SNOWLIGHT, VShell, and the KSwapDoor Linux backdoor.
- Lateral movement: Once inside, attackers pivot to internal infrastructure — Kubernetes clusters, CI/CD pipelines, and connected databases.
The attack surface is significant: Next.js is used by tens of thousands of production applications globally. According to the National Vulnerability Database (NVD), the vulnerability was disclosed in April 2025 and patches were released within days.
How to Fix CVE-2025-55182: Step-by-Step Patch Guide
Patching is straightforward: upgrade your Next.js and React packages to the fixed versions. Here are the complete steps:
Step 1: Update Next.js to the patched version
npm install next@latest
# or for yarn:
yarn upgrade next@latest
# or for pnpm:
pnpm update next@latest
Step 2: Update React packages
npm install [email protected] [email protected]
Step 3: Verify your installed versions
npx next --version
node -e "console.log(require('react/package.json').version)"
Step 4: Rotate any secrets that may have been exposed
If your application was running an affected version in production and was internet-accessible, treat all server-side secrets as potentially compromised. Rotate immediately:
- AWS IAM credentials (revoke and reissue)
- Database passwords and connection strings
- Third-party API keys (Stripe, OpenAI, Twilio, etc.)
- SSH keys and GitHub deploy keys
- JWT signing secrets and session tokens
Step 5: If you cannot patch immediately
As a temporary mitigation, configure your WAF or reverse proxy to block POST requests to Server Action endpoints from untrusted sources. This is not a full fix — patch as soon as possible. You can also disable Server Actions in next.config.js if your application does not use them:
// next.config.js
module.exports = {
  experimental: {
    serverActions: {
      enabled: false,
    },
  },
}
Common Questions — Next.js CVE-2025-55182 Vulnerability
Q: Am I affected if I use Next.js Pages Router (not App Router)?
A: No. CVE-2025-55182 only affects applications using the Next.js App Router with React Server Components enabled. If your application exclusively uses the Pages Router with getServerSideProps, getStaticProps, or API routes, you are not vulnerable to this specific CVE.
Q: Can I detect if my server was already compromised?
A: Check your server logs for unusual POST requests to /_next/server/app/ or Server Action endpoints. Look for new processes running XMRig (crypto miner), unexpected outbound connections, new cron jobs, or unfamiliar user accounts. Scan environment variable files and check third-party dashboards for unauthorized API key usage. If in doubt, assume compromise and rotate all secrets.
Q: Is CVE-2025-55182 the same as CVE-2025-29927?
A: No, these are two separate vulnerabilities. CVE-2025-29927 (March 2025) was a middleware authorization bypass scoring CVSS 9.1 that allowed attackers to skip authentication middleware by manipulating the x-middleware-subrequest header. CVE-2025-55182 (April 2025) is a newer, more severe RCE with CVSS 10.0 affecting React Server Components deserialization.
Q: How quickly should I patch?
A: Immediately — treat this as an emergency. With a CVSS score of 10.0 and active exploitation confirmed in the wild, every hour an unpatched internet-facing Next.js App Router application is running is an hour of real risk. The patch process typically takes under 10 minutes. Schedule maintenance now and run the upgrade commands today.
Conclusion
CVE-2025-55182 is as serious as web vulnerabilities get: CVSS 10.0, no authentication required, active exploitation, and credential-stealing malware already in circulation. Three key takeaways:
- Patch immediately — run npm install next@latest [email protected] [email protected] today.
- Rotate all secrets — if your application was internet-facing on an affected version, assume credentials were harvested.
- Audit your infrastructure — check for signs of XMRig miners, backdoors, and unauthorized API usage across connected services.
Last Updated: April 13, 2026