10

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-9qr9-h5gf-34mp

GHSA-9qr9-h5gf-34mp: Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages<sup>1</sup> for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in: React: 19.0.1, 19.1.2, 19.2.1 Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

<sup>1</sup> The affected React packages are:

react-server-dom-parcel
react-server-dom-turbopack
react-server-dom-webpack

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-9qr9-h5gf-34mp

GHSA-9qr9-h5gf-34mp:

10

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
next	npm	>= 14.3.0-canary.77, < 15.0.5	15.0.5
next	npm	>= 15.2.0-canary.0, < 15.2.6	15.2.6
next	npm	>= 15.3.0-canary.0, < 15.3.6	15.3.6
next	npm	>= 15.4.0-canary.0, < 15.4.8	15.4.8
next	npm	>= 16.0.0-canary.0, < 16.0.7	16.0.7
next	npm	>= 15.1.0-canary.0, < 15.1.9	15.1.9
next	npm	>= 15.5.0-canary.0, < 15.5.7	15.5.7

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a prototype pollution issue in the React Server Components (RSC) implementation within Next.js. The analysis of the patch commit reveals that the core of the vulnerability lies in the deserialization of the RSC stream. The requireModule function, present in both client and server-side code, was missing a hasOwnProperty check before accessing module properties, making it a clear sink for prototype pollution. The server-side reviveModel and initializeModelChunk functions, which are responsible for parsing the stream and reconstructing objects, were also heavily refactored, indicating they were part of the vulnerable workflow. The patch addresses the vulnerability by adding the hasOwnProperty check in requireModule and rewriting the deserialization logic in initializeModelChunk and related functions to be more secure.

Vulnerable functions

requireModule

packages/next/src/compiled/react-server-dom-turbopack/cjs/react-server-dom-turbopack-client.browser.development.js

The function was vulnerable to prototype pollution. It accessed properties from a metadata object without checking if they were own properties. This allowed an attacker to access and pollute the Object prototype by crafting a malicious payload with keys like '__proto__'. The patch added a `hasOwnProperty` check to prevent this.

requireModule

packages/next/src/compiled/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.development.js

reviveModel

packages/next/src/compiled/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.development.js

This function is part of the deserialization process and was vulnerable to prototype pollution. The patch modifies how it handles the `__proto__` property during object revival from a JSON payload, as part of a larger refactoring to make the deserialization process safe.

initializeModelChunk

packages/next/src/compiled/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.development.js

This function orchestrates the deserialization of the React Server Component payload. The entire function was refactored to fix a deserialization vulnerability that could lead to prototype pollution and RCE.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

10

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-9qr9-h5gf-34mp: Next.js is vulnerable to RCE in React flight protocol

GHSA-9qr9-h5gf-34mp:

10

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

GHSA-9qr9-h5gf-34mp: Next.js is vulnerable to RCE in React flight protocol

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

10

10

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI