Critical React/Next.js RCE Vulnerabilities: What You Need to Know – Part 2

Follow-up after the initial advisory – December 3rd, 2025
Following USUA’s initial alert about the RCE vulnerabilities in React Server Components (CVE-2025-55182) and Next.js integration (CVE-2025-66478), all monitored projects that could be affected have now been retested. Additionally, detailed reports for each vulnerable project are available for review.
Here’s what USUA did next and how you can stay on top of it:
- First, review your personalized report. It provides insights into which projects are at risk and which versions require immediate patching.
- Next, treat any affected systems as potentially compromised. Remove old deployments, rotate secrets, and carefully review logs for any suspicious activity.
- Then, rerun your security tools. Static analysis, CI/CD checks, and dependency scans should be performed again to ensure that no issues remain undetected.
Staying updated:
- Use your project reports to track affected packages and versions in real time.
- Follow official updates and technical advisories from trusted sources.
- Monitor further analyses and emerging recommendations as the investigation continues.
What happens next:
As with any major zero-day, the initial disclosure is only the beginning. USUA expects additional guidance and potential new vulnerable packages to be announced. If you’re running production apps on React or Next.js, update today rather than waiting. Tech leads should audit all repositories, and engineers should promptly inform their teams.
At USUA, we continue to live by the same principle:
“The fastest patch is the best patch.”