On 03-Dec-2025, two vulnerabilities were discovered in React Server Components that affect React 19 and the frameworks that use it, including Next.js. Applications using affected versions of the React Server Components implementation may process untrusted input in a way that allows an attacker to perform remote code execution.
Affected: React Server Components in React 19.x and Next.js 15.x/16.x with App Router.
Appian has investigated these vulnerabilities and its services, and determined that it is not impacted.
While Appian is not vulnerable, if you have embedded Appian applications in other resources, those resources may be vulnerable. We encourage customers to check the vulnerability status of these systems.
The following CVEs were released with additional information on the scope of the vulnerability:
This article applies to all supported versions of Appian.
Last reviewed: Dec 5, 2025