Detections
Analytics

Next.js Framework React Server Components Remote Code Execution (CVE-2025-55182)

critical Nessus Plugin ID 277108

Language:

Synopsis

The Next.js Framework on the remote host is affected by a remote code execution vulnerability.

Description

The Next.js Framework on the remote host is affected by a remote code execution vulnerability:

 - A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.(CVE-2025-55182)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Next.js Framework version 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7 or later.

See Also

http://www.nessus.org/u?c46ffecc

https://nextjs.org/blog/CVE-2025-66478

http://www.nessus.org/u?fa85a7ea

Plugin Details

Severity: Critical

ID: 277108

File Name: nextjs_framework_CVE-2025-66478.nasl

Version: 1.6

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 12/3/2025

Updated: 12/19/2025

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 10.0

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-55182

CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 9.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:vercel:next.js

Required KB Items: Host/nodejs/modules/enumerated

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/3/2025

Vulnerability Publication Date: 12/3/2025

CISA Known Exploited Vulnerability Due Dates: 12/12/2025

Exploitable With

Metasploit (Unauthenticated RCE in React and Next.js)

Reference Information

CVE: CVE-2025-55182

IAVA: 2025-A-0874, 2025-A-0929