Two newly disclosed vulnerabilities, CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), are developing quickly and are already prompting investigation across the security community. While details continue to evolve, Sprocket Security is sharing what we know today, so organizations can begin assessing exposure and preparing remediation paths.
Both vulnerabilities relate to client-side rendering behavior and the potential for server-side data exposure in specific framework configurations. Early reports indicate that misconfigurations and certain framework defaults may unintentionally leak sensitive data to the client. We also know, from testing against client environments, that Remote Code Execution is possible. Although the two CVEs were initially closely related, CVE-2025-66478 has since been rejected as a duplicate of CVE-2025-55182. More reliable detection logic now exists for vulnerable Next.js hosts, which lets us start assessing exposure at scale.
Why These Vulnerabilities Matter
React and Next.js serve as the backbone of a massive portion of the modern web stack. Vulnerabilities affecting framework-level rendering or dependency behavior can:
- Impact large numbers of organizations simultaneously
- Expose sensitive data through unintended client-side leakage
- Create easy-to-scan, easy-to-chain attack paths for opportunistic attackers
- Widen the blast radius of misconfigurations, especially in CI/CD and ephemeral deployments
Early indicators suggest that these CVEs may represent a systemic class of risks, not isolated bugs.
What We Can Confirm Right Now
- Sprocket Security has begun scanning at scale for CVE-2025-55182
Although the React and Next.js vulnerabilities are linked, vulnerable Next.js hosts currently present clearer, more dependable signatures for external detection. Because of this, our Attack Surface Management (ASM) engine has already rolled out scanning and evidence collection for the Next.js portion of the issue.
As of late last night, our research advanced our capability from a basic vulnerability check to a confirmed working exploit for CVE-2025-55182, significantly strengthening the accuracy and confidence of our detection.
- CVE-2025-55182 is now listed in the CISA KEV Catalog
Reliable external detection for the non-Next.js variants is still maturing, but the urgency has increased: CVE-2025-55182 was officially added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. This confirms that exploitation has been observed in the wild and elevates the priority for organizations running affected frameworks.
We continue to track upstream changes, vendor updates, and public research to identify when safe, automated confirmation is possible. Detection remains challenging because React Server Actions behave differently across build tools and frameworks (e.g., Vite, Parcel), and custom production implementations often diverge from standard React behavior. These variations can obscure external indicators and make certain exposed hosts significantly harder to identify.
As our research maps these edge cases and validates exploitability across ecosystems, we will expand coverage accordingly.
What You Should Do Today
- Review your public-facing Next.js deployments
If your organization uses Next.js, prioritize reviewing which versions and configurations are exposed externally.
- Review the official React advisory
Because these vulnerabilities affect more than just Next.js, we strongly recommend reviewing the official React advisory, which outlines required patches and mitigation steps across multiple frameworks and server action implementations.
- Prepare engineering teams for rapid patch cycles
Given the pace of updates to both frameworks, we expect incremental patch releases, not one-and-done fixes.
“We’re seeing early signs that environments with customized rendering logic or legacy framework configurations may be disproportionately exposed. Our goal right now is to give customers clear, verifiable signal—not noise—so they can prioritize remediation with confidence.” — Nick Aures, Senior Penetration Tester, Sprocket Security
What Sprocket Security Customers Can Expect
Sprocket Security customers’ environments are already being tested. You will receive automatic visibility into any externally detectable exposure related to these CVEs through your platform dashboards. Findings will include supporting evidence, affected assets, and recommended next steps.
As detection matures, we will expand coverage and notify customers when new signatures or tests become available. If exploitation becomes more widespread or if CISA adds either CVE to the KEV catalog, we will adjust prioritization and issue immediate customer advisories.
What’s Next
Our team is actively:
- Expanding coverage for CVE-2025-55182 as reliable detection emerges
- Validating additional patterns and framework behaviors associated with both CVEs
- Correlating exposure with misconfigurations observed across ASM environments
- Monitoring for exploitation signals in the wild
We will publish a follow-up advisory and update our scanning logic as soon as new information becomes available.
Sprocket Security’s Commitment
When vulnerabilities move fast, security teams need clarity, not speculation. Sprocket Security will continue to provide evidence-backed detection, practical remediation guidance, and timely updates as this situation develops.
If you have questions about your exposure, reach out to the Sprocket team today!