KB-2362 Information about the React Server Components, including Next.js (React2Shell, CVE-2025-55182 & CVE-2025-66478)

pauline.delacruz — Fri, 05 Dec 2025 18:52:55 GMT

Current Revision posted to Appian Knowledge Base by pauline.delacruz on 12/5/2025 6:52:55 PM

Overview:

On 03-Dec-2025, two vulnerabilities were discovered related to the React Server Components that affect React 19 and the frameworks that use it, including Next.js. Applications using affected versions of the React Server Components implementation may process untrusted input in a way that allows an attacker to perform remote code execution.

Affected Components:

React Server components in React 19.x and Next.js 15.x/16.x with App Router

Appian has investigated these vulnerabilities and services, and determined that it is not impacted.

While Appian is not vulnerable, if you have embedded Appian applications in other resources, those may be vulnerable. We encourage customers to check the vulnerability status of these systems.

Additional Notes:

The following CVEs were released with additional information on the scope of the vulnerability:

CVE-2025-55182 - (A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0)
CVE-2025-66478 - (Next.js vulnerability, current rejected by NVD)

Supporting Documentation:

Affected Versions

This article applies to all supported versions of Appian.

Last reviewed: Dec 5, 2025

Tags: Security

KB-2362 Information about the React Server Components, including Next.js (React2Shell, CVE-2025-55182 & CVE-2025-66478)

pauline.delacruz — Fri, 05 Dec 2025 16:53:20 GMT

Revision 7 posted to Appian Knowledge Base by pauline.delacruz on 12/5/2025 4:53:20 PM

Overview:

Affected Components:

React Server components in React 19.x and Next.js 15.x/16.x with App Router

Appian has investigated these vulnerabilities and services, and determined that it is not impacted.

Additional Notes:

The following CVEs were released with additional information on the scope of the vulnerability:

CVE-2025-55182 - (A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0)
CVE-2025-66478 - (Next.js vulnerability, current rejected by NVD)

Supporting Documentation:

Affected Versions

This article applies to all supported versions of Appian.

Last reviewed: Dec 5, 2025

Tags: Security

[DRAFT SUPP-1865] Information about the React Server Components, including Next.js (React2Shell, CVE-2025-55182 & CVE-2025-66478)

pauline.delacruz — Fri, 05 Dec 2025 16:51:59 GMT

Revision 6 posted to Appian Knowledge Base by pauline.delacruz on 12/5/2025 4:51:59 PM

Overview:

Affected Components:

React Server components in React 19.x and Next.js 15.x/16.x with App Router

Appian has investigated these vulnerabilities and services, and determined that it is not impacted.

Additional Notes:

The following CVEs were released with additional information on the scope of the vulnerability:

CVE-2025-55182 - (A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0)
CVE-2025-66478 - (Next.js vulnerability, current rejected by NVD)

Supporting Documentation:

Affected Versions

This article applies to all supported versions of Appian.

Last reviewed: Dec 5, 2025

Tags: Security

[DRAFT SUPP-1865] Information about the React Server Components, including Next.js (React2Shell, CVE-2025-55182 & CVE-2025-66478)

dan.endean — Fri, 05 Dec 2025 16:46:35 GMT

Revision 5 posted to Appian Knowledge Base by dan.endean on 12/5/2025 4:46:35 PM

Overview:

Affected Components:

React Server components in React 19.x and Next.js 15.x/16.x with App Router

Appian has investigated these vulnerabilities and services, and determined that it is not impacted.

Additional Notes:

The following CVEs were released with additional information on the scope of the vulnerability:

CVE-2025-55182 - (A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0)
CVE-2025-66478 - (Next.js vulnerability, current rejected by NVD)

Supporting Documentation:

This article applies to all supported versions of Appian.

Last reviewed: Dec 5, 2025

[NEW] KB-XXXX Information about the React Server Components, including Next.js (React2Shell, CVE-2025-55182 & CVE-2025-66478)

dan.endean — Fri, 05 Dec 2025 16:45:16 GMT

Revision 4 posted to Appian Knowledge Base by dan.endean on 12/5/2025 4:45:16 PM

Overview:

Affected Components:

React Server components in React 19.x and Next.js 15.x/16.x with App Router

Appian has investigated these vulnerabilities and services, and determined that it is not impacted.

Additional Notes:

The following CVEs were released with additional information on the scope of the vulnerability:

CVE-2025-55182 - (A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0)
CVE-2025-66478 - (Next.js vulnerability, current rejected by NVD)

Supporting Documentation:

This article applies to all supported versions of Appian.

Last reviewed: Dec 5, 2025

[NEW] KB-XXXX Information about the React Server Components, including Next.js (React2Shell, CVE-2025-55182 & CVE-2025-66478)

dan.endean — Fri, 05 Dec 2025 16:44:08 GMT

Revision 3 posted to Appian Knowledge Base by dan.endean on 12/5/2025 4:44:08 PM

Overview:

Affected Components:

React Server components in React 19.x and Next.js 15.x/16.x with App Router

Appian has investigated these vulnerabilities and services, and determined that it is not impacted.

Additional Notes:

The following CVEs were released with additional information on the scope of the vulnerability:

CVE-2025-55182 - (A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0)
CVE-2025-66478 - (Next.js vulnerability, current rejected by NVD)

Supporting Documentation:

This article applies to all supported versions of Appian.

Last reviewed: Dec 5, 2025

[NEW] KB-XXXX Information about the React Server Components, including Next.js (React2Shell, CVE-2025-55182 & CVE-2025-66478)

dan.endean — Fri, 05 Dec 2025 16:42:30 GMT

Revision 2 posted to Appian Knowledge Base by dan.endean on 12/5/2025 4:42:30 PM

Overview

Affected components

React Server components in React 19.x and Next.js 15.x/16.x with App Router

Appian has investigated these vulnerabilities and services, and determined that it is not impacted.

Additional Notes:

The following CVEs were released with additional information on the scope of the vulnerability:

CVE-2025-55182 - (A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0)
CVE-2025-66478 - (Next.js vulnerability, current rejected by NVD)

Supporting Documentation:

This article applies to all supported versions of Appian.

Last reviewed: Dec 5, 2025

[NEW] KB-XXXX Information about the React Server Components, including Next.js (React2Shell, CVE-2025-55182 & CVE-2025-66478)

dan.endean — Fri, 05 Dec 2025 16:41:05 GMT

Revision 1 posted to Appian Knowledge Base by dan.endean on 12/5/2025 4:41:05 PM

Affected components: React Server components in React 19.x and Next.js 15.x/16.x with App Router

Appian has investigated these vulnerabilities and services, and determined that it is not impacted.

Additional Notes:

The following CVEs were released with additional information on the scope of the vulnerability:

CVE-2025-55182 - (A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0)
CVE-2025-66478 - (Next.js vulnerability, current rejected by NVD)

Supporting Documentation:

This article applies to all supported versions of Appian.

Last reviewed: Dec 5, 2025