React and Next.js have just disclosed one of the most dangerous classes of web vulnerabilities: unauthenticated remote code execution against React Server Components (RSC) via the Flight protocol. This video breaks down CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) with a defender-first lens: what’s actually vulnerable, how exploitation works at a high level, what versions are affected, and the exact upgrade paths that close the door.
0:00 Intro from Francesco, npm ecosystem taking hits, Shai Hulud reference
0:25 Why this matters today: React Server Components and Next.js at the center of modern web stacks
0:37 Scale: 36M framework downloads, ~700K RSC server-dom downloads, huge installation base
1:12 What makes it critical: unauthenticated RCE, one-request trigger
1:52 Severity: CVSS 10, why defenders should treat it like an incident
2:07 Attack flow overview: exploitation, exfiltration, lateral movement
2:34 Affected versions overview and where to check details
2:50 Scanner and samples: repo to validate vulnerable vs clean versions, guidance to lock and upgrade
3:02 Timeline: report Nov 29, confirmation, fix published, CVEs disclosed
3:24 “Freight Night” naming: Flight payload deserialization leads to RCE, persistence, further compromise
4:08 What to do first: prioritize externally exposed services, cloud impact callout
4:29 WAF mitigations: AWS WAF and Google Cloud Armor rules, observe vs block options
4:42 Deployment guidance: apply WAF rules safely, tune to avoid breaking traffic
5:01 Exposure mapping: which containers run the library and which are internet-facing
5:12 Phoenix angle: identify, prioritize, assign ownership, reduce noise
5:22 Action plan recap: verify exposure, run scanner, patch, prioritize external, apply WAF rules
5:58 Bigger picture: npm under sustained pressure, expect more ecosystem-level probing
6:37 Situation update as of Dec 4: no major escalation observed yet, patch before it trends
7:14 Close: fix now, reference links, goodbye
You’ll get:
• A clear threat summary for DevSecOps, ASPM, application security, and vulnerability management teams
• A practical view of the installation base and why default server-rendered RSC deployments are prime targets
• Affected React server-dom packages and Next.js release lines, plus what “patched” really means (deployed artifacts, not PRs)
• Defensive steps for triage: dependency checks, endpoint exposure, and what to hunt for in edge logs
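As an added example (not code from the video or from the Phoenix repo): a dependency-check script that inventories every react-server-dom-* and next entry in an npm package-lock.json, nested copies included, and flags those below a first-fixed version. The fixed version numbers are not stated on this page and must be supplied by the caller from the advisory; the lockfile below is constructed.

```python
"""Inventory RSC server-dom / Next.js packages from a package-lock.json and flag
versions below the advisory's first-fixed version (added example; the fixed
versions are an assumed, caller-supplied input taken from the advisory)."""
import json
import re

# Packages the advisory concerns: react-server-dom-* bindings and next itself.
WATCHED_PREFIXES = ("react-server-dom-",)
WATCHED_NAMES = {"next"}

# Constructed sample lockfile (lockfileVersion 3 layout): "packages" is keyed by
# install path, so a nested copy under another dependency gets its own entry.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/next": {"version": "15.0.1"},
        "node_modules/react": {"version": "19.0.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.0.0"},
        "node_modules/some-lib/node_modules/react-server-dom-webpack": {"version": "19.2.1"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})

def parse_version(v):
    """Turn '19.2.1' (or '19.2.1-canary.3') into a comparable tuple of ints.
    Prerelease tags are dropped, so a canary compares as its base version."""
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    return tuple(int(p) for p in core.split("."))

def package_name(path):
    """Lockfile keys are install paths; the name is the last node_modules segment."""
    return path.rsplit("node_modules/", 1)[-1]

def inventory(lock_text):
    """Return {name: sorted [(version, path)]} for every watched package."""
    found = {}
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        name = package_name(path)
        if name in WATCHED_NAMES or name.startswith(WATCHED_PREFIXES):
            found.setdefault(name, []).append((meta.get("version", "?"), path))
    return {n: sorted(v) for n, v in found.items()}

def flag_vulnerable(lock_text, fixed):
    """fixed: {package_name: first-fixed-version} from the advisory (assumed input).
    Returns every (name, version, path) whose version is strictly below the fix."""
    hits = []
    for name, entries in inventory(lock_text).items():
        if name not in fixed:
            continue
        for version, path in entries:
            if parse_version(version) < parse_version(fixed[name]):
                hits.append((name, version, path))
    return hits
```

Run it against the lockfile of each deployed artifact, not just the repo, since a nested copy inside another dependency is reported separately and is what actually ships.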
Links and resources:
• Vulnerability page and patch guidance: https://phoenix.security/react-nextjs...
• GitHub repo with supporting material: https://github.com/Security-Phoenix-d...
• Shai Hulud overview (supply chain context and why ecosystems keep getting hit): https://phoenix.security/shai-hulud-s...