How a 10.0 CVSS flaw in Next.js security vulnerabilities nearly broke the entire Next.js ecosystem

Next.js developers across the industry woke up to security vulnerabilities that went far beyond the typical 'patch and move on' mentality. These weren't the kind of problems you could dismiss or put off until next month. They were serious enough that people had to stop what they were doing, sit down, and really think about what was running on their production servers and what it meant for their business. Next.js powers basically everything now. Small startups trying to build the next big thing, Fortune 500 companies handling critical operations, tiny side projects built by individuals in their spare time, massive enterprise platforms processing billions of transactions, it's all built on this framework. When something goes wrong at that level, it's not just a few developers having a bad day. It's a systemic problem affecting millions of applications across the entire industry. November saw organisations worldwide scrambling to understand what had happened and figure out how to respond without exacerbating the situation.

React2Shell: Your Server Stops Being Yours

Let's be clear about what React2Shell actually is. It's officially catalogued as CVE-2025-55182, but the technical designation doesn't matter as much as what it means in real terms. It got a severity rating of 10.0, the absolute highest possible score. That's not exaggeration. It means attackers can take complete control of your servers without jumping through hoops or exploiting some edge case scenario. React Server Components changed how React works at a fundamental level. Instead of everything running in the browser, you can write components that run on the server side. It's genuinely efficient because the server handles the hard work and just sends the finished result to the client. But servers and clients have to talk to each other, and they do it through something called the Flight protocol. The protocol serialises data so it can be sent back and forth. When the server receives that data, it deserialises it back into objects that the application can use. Here's where it gets bad. The deserialization code doesn't actually check whether what it's reconstructing is legitimate or safe. An attacker sends specially crafted serialised objects in a normal HTTP request. When the server tries to deserialise them, it runs the embedded code directly on the server with full permissions. That's it. The attacker doesn't need your password or your authentication token, or anything else. They just send a request, and suddenly, they have complete access to your entire server.

If you're running the current Next.js with React Server Components, you're vulnerable. You didn't have to turn anything on or make any mistakes. You're just running the framework the way it's supposed to be run, and it's vulnerable. When researchers started looking into this, they found real attackers were already exploiting it. Not theoretical attacks, real people targeting real servers at real companies. Some were stealing AWS credentials to gain access to entire cloud environments. Others set up cryptocurrency miners and made money off your electricity bill. Some planted backdoors so they could stick around even after you patched things. About 44 per cent of exposed cloud deployments had active attackers poking around in them.

Patches Revealed Even Worse Problems

Vercel released patches for React2Shell and developers applied them, assuming they'd solved the problem. Then researchers found more vulnerabilities in the same code that had just been patched. It turned out the underlying issue wasn't in one place; it was systemic. CVE-2025-55184 lets attackers crash your servers instead of running code on them. They send requests designed to put servers into infinite loops. Your application just stops responding. You can't process transactions, real-time features die, and customers see timeouts. No authentication required; they can do this repeatedly and keep you offline indefinitely. CVE-2025-55183 lets attackers download your Server Functions code. They see your business logic, your security implementations, everything you built. Then CVE-2025-67779 happened; the patches for the denial-of-service vulnerability were incomplete. Organisations that thought they'd fixed everything discovered they needed to patch again, test again, and deploy again. At that point, developers were starting to wonder if any of this was actually making them more secure.

One Header Destroys Your Entire Security Model

Before all this React Server Components chaos, there was already CVE-2025-29927 affecting Next.js versions 11 through 15. That's a massive range of versions still running in production everywhere. Next.js middleware runs before your application processes requests, which makes it the perfect place for security checks. Most teams built their entire security around middleware validation because it makes sense architecturally. If middleware says something is okay, then it should be safe. That's reasonable thinking. Inside Next.js, there's an HTTP header called x-middleware-subrequest that the framework uses to prevent middleware from calling itself recursively. When the framework sees this header, it skips middleware entirely. Attackers realised they could just add this header to their requests. Authentication bypassed. Authorisation gone. Direct access to protected data. One header does it.

The header value is predictable based on middleware file paths. Developers use the same naming conventions across organizations. Once attackers figure out the pattern, they can generate the right header value. The same attack works everywhere because everyone builds things the same way.

Real Companies Actually Got Hurt

This wasn't theoretical. Real attackers exploited these vulnerabilities against real companies running real production systems. They stole AWS credentials and accessed entire cloud environments. They set up miners and made money while companies paid for the infrastructure costs. Companies didn't realise they'd been compromised until their cloud bills tripled. Others found persistent backdoors, forcing full incident response investigations. Regulated companies had to notify regulators. Public companies had to tell investors. The cleanup costs were enormous, and that's before counting what the attackers actually stole or damaged.

Figuring Out Which Version Protects You

Different Next.js versions got patched at different times, and not all patches fix all vulnerabilities. This created real complexity for organisations trying to figure out which version actually protected them.

For React2Shell: version 13 needed 13.5.9 or later, version 14 needed 14.2.25 or later, version 15 needed 15.2.3 or later, version 16 needed the latest stable release. The denial-of-service fixes (CVE-2025-55184) required 14.2.35 or later for 14.x and earlier versions. The middleware bypass (CVE-2025-29927) required 12.3.5 for version 12, 13.5.9 for 13, 14.2.25 for 14, and 15.2.3 for 15. Note that patch versions can vary by specific minor release, so check Vercel's official security advisory or run npx fix-react2shell-next to verify you're on the correct patch version for your specific branch.

Companies with multiple Next.js applications had to determine the right version for each one individually. There was no single fix that worked across the board. Teams spent days researching the correct versions before testing even started.

Protecting Yourself While You Patch

If you couldn't patch immediately, you had options. Your web server could reject requests with the dangerous X-Middleware-Subrequest header. NGINX could be configured to deny any request containing this header, stopping that attack vector while you prepare real patches. You could also layer your security. Instead of only checking authentication in middleware, check it in your route handlers too. If middleware gets bypassed, you still verify permission before showing protected data. Tools like Aikido, Snyk, and Dependabot could tell you what you're actually protected against, not just what versions you're running.

What This Means for Framework Security

These vulnerabilities showed real structural problems in how framework-level security works. When something breaks at the framework level, millions of applications break at once. There's no gradual rollout. Serialisation and deserialization code needs the same security thinking as authentication systems. Most developers don't think about it that way, but the risks are basically equivalent. Organisations learned they need deployment pipelines that can push critical security updates fast without destroying their testing and quality assurance. Monthly patch cycles don't cut it. Just knowing your dependency version doesn't mean you're secure; you need to understand how your framework is actually configured in production.

What Actually Matters Now

The Next.js vulnerabilities in December 2025 were genuinely bad. Attackers could run code on your servers, crash your applications, steal your source code, and bypass your security. Multiple patches were needed because the initial ones were incomplete. Every organisation running Next.js had to deal with this. For the most current and precise patch versions for your specific Next.js version, refer to the official Vercel security bulletins rather than relying on version numbers alone, as patches are released across multiple minor versions. If you're running Next.js in production, update to secure versions soon and test everything thoroughly. If you can't update yet, put protective measures in place and monitor for compromise. New vulnerabilities will keep appearing; that's just how software works. What matters is being able to respond quickly when they do. Keeping frameworks updated, layering security properly, monitoring constantly, and running regular security scans is just standard production work now.

Organisations that took this seriously and improved their processes will be ready when the next critical vulnerability appears. It will appear. That's certain. The difference is whether you handle it smoothly or end up scrambling when it hits.