AWS Security Alert: Critical RCE Vulnerability in React & Next.js (CVE-2025-55182)
Amazon Web Services (AWS) has released security bulletin AWS-2025-030 regarding a critical Remote Code Execution (RCE) vulnerability affecting specific versions of React and Next.js. The vulnerability, tracked as CVE-2025-55182 (with CVE-2025-66478 assigned as a duplicate), lies in the React Server Flight protocol, the wire format React Server Components use between client and server, and allows unauthenticated remote attackers to execute code on the application server. If you run self-managed React or Next.js applications on AWS (for example on EC2, ECS, or EKS), check your versions immediately.
Contents
- What is the Vulnerability?
- Am I Affected?
- How to Remediate
- Interim Mitigation: AWS WAF
- Summary Checklist
What is the Vulnerability?
The flaw is in how React Server Components handle incoming requests, specifically in the server-side processing of React Server Flight protocol payloads. A crafted request to an affected endpoint lets an attacker achieve Remote Code Execution (RCE) on the server hosting the application, with no authentication required.
- Primary CVE: CVE-2025-55182
- Duplicate CVE: CVE-2025-66478
- Severity: Critical
Am I Affected?
This vulnerability does not affect AWS managed services; if you use AWS managed services exclusively, no action is required. However, if you host your own React or Next.js applications, you are affected if you run any of the following versions:
React
- Version 19.0
- Version 19.1
- Version 19.2
Next.js (when using App Router)
- Version 15.x
- Version 16.x
- Version 14.3.0-canary.77 and later canary releases
How to Remediate
To secure your applications, you must update your dependencies to the patched versions released by the maintainers.
1. Patch React
Update to one of the following patched releases immediately:
- v19.0.1
- v19.1.2
- v19.2.1
2. Patch Next.js
- If you are using Next.js 15 or 16 with the App Router, update to the latest patched version provided by Vercel/Next.js.
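Checking versions by hand across a monorepo is error-prone, and a lockfile can contain several copies of React (one per nested node_modules). The Node.js script below is an added example written for this post, not code from the AWS bulletin or from the React or Next.js projects. It walks the "packages" map of a package-lock.json (lockfile version 2 or 3), flags React copies older than the patched releases listed above (19.0.1, 19.1.2, 19.2.1), and flags Next.js 15.x, 16.x and 14.3.0-canary.77+ for review; since this page lists no patched Next.js versions, those are reported for manual follow-up rather than compared against a threshold. The sample lockfile is constructed for the demonstration.

```javascript
// Added example: audit a package-lock.json "packages" map for React / Next.js
// versions named as affected by AWS-2025-030. Not part of the AWS bulletin.

function parseVersion(v) {
  // "19.1.1" or "14.3.0-canary.77" -> { major, minor, patch, pre }; null if unparseable
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Patched React releases from the bulletin: 19.0.1, 19.1.2, 19.2.1.
// Anything in the same minor line below these patch numbers is affected.
const REACT_FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };

function reactIsVulnerable(version) {
  const v = parseVersion(version);
  // Only stable 19.0 / 19.1 / 19.2 are listed as affected on this page.
  if (!v || v.major !== 19 || v.pre) return false;
  const fixed = REACT_FIXED_PATCH[v.minor];
  return fixed !== undefined && v.patch < fixed;
}

function nextNeedsReview(version) {
  const v = parseVersion(version);
  if (!v) return false;
  // 15.x and 16.x with the App Router are affected; patched versions are not
  // listed on this page, so flag them for review against the Next.js advisory.
  if (v.major === 15 || v.major === 16) return true;
  // 14.3.0-canary.77 and later canary releases are affected.
  if (v.major === 14 && v.minor === 3 && v.patch === 0 && v.pre) {
    const m = /^canary\.(\d+)$/.exec(v.pre);
    return !!m && +m[1] >= 77;
  }
  return false;
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (!pkg || !pkg.version) continue;
    // Last "node_modules/" segment is the package name; scoped names keep "@scope/".
    const name = path.split('node_modules/').pop();
    if (name === 'react' && reactIsVulnerable(pkg.version)) {
      findings.push({ path, name, version: pkg.version, action: 'update to 19.0.1 / 19.1.2 / 19.2.1' });
    } else if (name === 'next' && nextNeedsReview(pkg.version)) {
      findings.push({ path, name, version: pkg.version, action: 'App Router in use? update to a patched Next.js release' });
    }
  }
  return findings;
}

// Constructed sample lockfile: one vulnerable top-level React, a nested React that
// is already on a patched release, and a Next.js 15 install.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/react': { version: '19.1.1' },
    'node_modules/react-dom': { version: '19.1.1' },
    'node_modules/next': { version: '15.3.2' },
    'node_modules/some-lib/node_modules/react': { version: '19.2.1' },
  },
};

// Real use: auditLockfile(JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')))
for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path} ${f.name}@${f.version}: ${f.action}`);
}
```

Run it against each lockfile in the repository, including nested workspaces. The nested copy of React at 19.2.1 is deliberately not reported, which is the point: you need to look at every installed copy, not just the version in your top-level package.json.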
Interim Mitigation: AWS WAF
If you cannot patch immediately, or if you want to add defense-in-depth, AWS has updated their Web Application Firewall (WAF) rules to detect this exploit.
AWS Managed Rules: The default version (1.24) of the AWSManagedRulesKnownBadInputsRuleSet has been updated with protection against this RCE. If your web ACL tracks the rule group's default version, confirm it has picked up 1.24; if it pins a specific static version, move to 1.24 or newer.
Custom WAF Rule: The bulletin also provides a custom WAF rule definition (JSON below). It is an AndStatement of four regex conditions, all of which must match for the Block action to fire: the method is POST; a header key matches next-action or rsc-action-id (case-insensitive); and, after URL and JS decoding, the body contains "status":"resolved_model" and the literal sequence $@ (a reference prefix used in Flight payloads). Both body conditions use OversizeHandling CONTINUE, so only the part of an oversized body within your web ACL's inspection limit is examined.
{
  "Name": "ReactJSRCE_CUSTOM",
  "Priority": 99,
  "Statement": {
    "AndStatement": {
      "Statements": [
        {
          "RegexMatchStatement": {
            "RegexString": "POST",
            "FieldToMatch": {
              "Method": {}
            },
            "TextTransformations": [
              {
                "Priority": 0,
                "Type": "NONE"
              }
            ]
          }
        },
        {
          "RegexMatchStatement": {
            "RegexString": "(?i)(?:next-action|rsc-action-id)",
            "FieldToMatch": {
              "Headers": {
                "MatchPattern": {
                  "All": {}
                },
                "MatchScope": "KEY",
                "OversizeHandling": "CONTINUE"
              }
            },
            "TextTransformations": [
              {
                "Priority": 0,
                "Type": "NONE"
              }
            ]
          }
        },
        {
          "RegexMatchStatement": {
            "RegexString": "(?i)\"status\"\\s*:\\s*\"resolved_model\"",
            "FieldToMatch": {
              "Body": {
                "OversizeHandling": "CONTINUE"
              }
            },
            "TextTransformations": [
              {
                "Priority": 0,
                "Type": "URL_DECODE_UNI"
              },
              {
                "Priority": 1,
                "Type": "JS_DECODE"
              },
              {
                "Priority": 2,
                "Type": "UTF8_TO_UNICODE"
              }
            ]
          }
        },
        {
          "RegexMatchStatement": {
            "RegexString": "\\$\\@",
            "FieldToMatch": {
              "Body": {
                "OversizeHandling": "CONTINUE"
              }
            },
            "TextTransformations": [
              {
                "Priority": 0,
                "Type": "URL_DECODE_UNI"
              },
              {
                "Priority": 1,
                "Type": "JS_DECODE"
              },
              {
                "Priority": 2,
                "Type": "UTF8_TO_UNICODE"
              }
            ]
          }
        }
      ]
    }
  },
  "Action": {
    "Block": {}
  },
  "RuleLabels": [
    {
      "Name": "ReactJSRCE_Custom"
    }
  ],
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "ReactJS_Custom"
  }
}
You can verify the full custom rule syntax in the official AWS-2025-030 Bulletin.
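To see what the rule above does and does not catch before relying on it, here is a local approximation of its AndStatement in JavaScript. This is an added example written for this post, not AWS code: the decoding helpers approximate WAF's URL_DECODE_UNI and JS_DECODE transformations (UTF8_TO_UNICODE is treated as a no-op because the patterns are plain ASCII), the 8 KB body inspection limit is an assumed default standing in for whatever your web ACL is configured with, and every request sample is constructed.

```javascript
// Added example: local approximation of the ReactJSRCE_CUSTOM AndStatement.
// Not AWS's matching engine; transformations are simplified for illustration.

// The rule's three RegexString values, ported to JS (the (?i) flag becomes /i).
const HEADER_KEY_RE = /next-action|rsc-action-id/i;   // (?i)(?:next-action|rsc-action-id)
const STATUS_RE = /"status"\s*:\s*"resolved_model"/i; // (?i)"status"\s*:\s*"resolved_model"
const REF_RE = /\$@/;                                 // \$\@

function urlDecodeUni(s) {
  // Approximates URL_DECODE_UNI: decodes %XX and %uXXXX, leaves invalid sequences alone.
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (m, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

function jsDecode(s) {
  // Approximates JS_DECODE: \xHH, \uHHHH and single-character escapes.
  return s.replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|\\(.)/g,
    (m, x, u, c) => (x || u ? String.fromCharCode(parseInt(x || u, 16)) : c));
}

function transformBody(body, limit) {
  // OversizeHandling CONTINUE: only the first `limit` bytes of an oversized body
  // are inspected (chars stand in for bytes here, which holds for ASCII bodies).
  const inspected = body.slice(0, limit);
  return jsDecode(urlDecodeUni(inspected)); // UTF8_TO_UNICODE omitted: patterns are ASCII
}

// req = { method, headers: { name: value }, body }
// limit = assumed body inspection size limit (8 KB here; check your web ACL).
function evaluateCustomRule(req, limit = 8192) {
  const body = transformBody(req.body || '', limit);
  const matched = {
    method: /POST/.test(req.method),                                              // Method regex "POST"
    headerKey: Object.keys(req.headers || {}).some((k) => HEADER_KEY_RE.test(k)), // MatchScope KEY over all headers
    resolvedModel: STATUS_RE.test(body),
    chunkRef: REF_RE.test(body),
  };
  // AndStatement: the Block action fires only when every statement matches.
  const blocked = Object.values(matched).every(Boolean);
  return { blocked, matched };
}

// Constructed request samples (placeholder header values, not real exploit traffic).
const EXPLOIT_SHAPED = {
  method: 'POST',
  headers: { 'Next-Action': 'abc123', 'content-type': 'text/plain;charset=UTF-8' },
  body: '{"status":"resolved_model","value":"$@1"}',
};
// Same markers, percent-encoded: URL_DECODE_UNI runs before matching.
const URL_ENCODED = { ...EXPLOIT_SHAPED, body: '%7B%22status%22%3A%20%22resolved_model%22%7D%24%40' };
// An ordinary server action: has the header, lacks the body markers.
const NORMAL_SERVER_ACTION = { ...EXPLOIT_SHAPED, body: '["hello"]' };
// Markers pushed beyond an 8 KB inspection window.
const OVERSIZED = { ...EXPLOIT_SHAPED, body: 'A'.repeat(9000) + EXPLOIT_SHAPED.body };

for (const [name, req] of Object.entries({ EXPLOIT_SHAPED, URL_ENCODED, NORMAL_SERVER_ACTION, OVERSIZED })) {
  console.log(name.padEnd(22), evaluateCustomRule(req).blocked ? 'BLOCK' : 'allow');
}
```

Three things the run makes concrete. The rule is an AND, so an ordinary server action request that carries the next-action header but not the resolved_model marker is allowed through; that is why it is low-noise, and also why it only covers the specific request shape AWS observed. The header and body matches are case-insensitive and run after URL and JS decoding, so trivial percent-encoding does not slip past it. And with OversizeHandling set to CONTINUE, only the inspected prefix of an oversized body is seen, so a payload placed after the inspection limit is not matched by this rule; raise the limit in your web ACL if that matters to you, and treat the rule as a stopgap while you patch.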
Summary Checklist
- Audit your environment for React 19.0/19.1/19.2 and Next.js 15.x/16.x (plus 14.3.0-canary.77 and later canaries), including nested copies in node_modules.
- Update affected packages to the patched versions listed above.
- Verify your AWS WAF configuration is using the latest Managed Rules.
- Deploy the custom WAF rule if patching is delayed.
For more details, always refer to the official AWS Security Bulletin.
Disclaimer: This post is for informational purposes. Always verify security information against official vendor documentation.
