Dec 05, 2025 • Recorded Future
The Bug That Won't Die: 10 Years of the Same Mistake
Executive Summary
This article examines a decade-long pattern of deserialization vulnerabilities spanning Java to React/Next.js ecosystems. Two critical CVEs (CVE-2025-55182 and CVE-2025-66478) affect Next.js applications through the Flight protocol deserialization flaw in react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Public exploit code is now available on GitHub, enabling remote code execution that allows attackers to harvest credentials from environment variables, move laterally via cloud metadata endpoints, and establish persistence through scheduled tasks. The article warns that AI-assisted coding will compress exploitation timelines to minutes. Recommended mitigations include disabling Server Actions if unused, implementing WAF rules targeting Next-Action headers with malicious payloads, and replacing unsafe native serialization formats (pickle, ObjectInputStream) with data-only alternatives like JSON, Protocol Buffers, or FlatBuffers.
Summary
Explore a decade of deserialization vulnerabilities, from Java to React/Next.js CVEs, and learn how to harden apps and stay ahead with Recorded Future.
Published Analysis
CVE-2025-55182 Intelligence Card, c/o Recorded Future

There are now multiple publicly available exploit scripts (I forked one on GitHub) for the React and Next.js vulnerabilities (CVE-2025-55182 and CVE-2025-66478). The underlying issue is data serialization/deserialization, which evoked thoughts about a blog I wrote in 2016 addressing the same issue (at the time, the topic was CVE-2015-4852, a serialization flaw in Java objects that affected Oracle and Apache products).

Timeline illustrating the deserialization vulnerability impacts of 40+ critical CVEs across 6 ecosystems, over the course of 10 years.

Risk Takeaways

- The exploit pattern repeats because serialization is a straightforward method for transferring data, and developers typically use what works.
- Coders use different languages and frameworks, yet the same class of vulnerability persists.

The upstream opportunity here is for universities to aggressively drive security into all programming courses. Everyone is a coder now, and security domain expertise has never been more important. Every business function will include AI-assisted coders, supercharging productivity and efficiency. LLMs don’t need to stop for human input, but understanding internet plumbing, tools, platforms, and security implications is now crucial. The most valuable employees can use AI for 10x+ impact AND catch potential issues as humans become the AI-copilots.

Technical Causation

- Serialization is seductive: It’s the easy path for passing complex objects across trust boundaries (client ↔ server, service ↔ service). Developers reach for it because it “just works” (until it catastrophically doesn’t).
- Framework abstraction hides the danger: Some percentage of Next.js developers using Server Actions are unaware that they’re invoking a custom serialization protocol. They’re calling a function. The risk is invisible until it’s exploited.
- The ecosystem never learns collectively: Java shops learned (painfully) about gadget chains and ObjectInputStream. However, that institutional knowledge didn’t necessarily transfer to Node.js/React developers building RSC implementations a decade later.

The Threat

The attack surface has expanded once again. In 2015, we were tracking exploit chatter on Chinese forums appearing weeks before CVEs. Now, there are double-digit public GitHub repositories with weaponized exploit code within days of disclosure. Agentic workflows will soon compress that window down to minutes. The time-to-exploitation will amount to the time defenders spend reading about any new high-severity vulnerability.

PoC exploit testing, c/o Recorded Future

Defender Considerations for CVE-2025-55182 / CVE-2025-66478

- Attackers differentiate vulnerable App Router targets from safe Pages Router sites by checking for window.__next_f vs __NEXT_DATA__. Your asset inventory should already know which flavor you’re running.
- The vulnerability lives in the Flight protocol deserialization. If you’re not using Server Actions, consider disabling them. If you are, the endpoint (Next-Action header targets) is where to focus WAF rules.
- Hunt for anomalous POST requests with Next-Action headers containing malicious multipart payloads targeting __proto__ or unusual serialized JSON structures. The exploit exfils via base64 in error digests.
- The core issue is in react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Custom RSC implementations outside Next.js are equally exposed.
- RCE means immediate credential harvesting from environment variables, lateral movement via cloud metadata endpoints, and persistence via scheduled tasks or cron jobs. IR playbooks should assume full compromise.

AI-generated serialization vulnerability audit

For “Vibe Coders”: A Conversation with Claude Opus 4.5

Q: What’s a proper input validation methodology for deserializing data to...
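As an added example (not Recorded Future's code or tooling), the Python below turns the hunting rule above into a check that can run over request records: POST requests carrying a Next-Action header whose multipart body references __proto__, either as a raw substring or as a key anywhere inside a JSON-encoded part. The boundary, action id and sample requests are constructed placeholders, and the heuristic is a starting point to tune against your own traffic, not a finished WAF rule.

```python
import json
import re
# Constructed sample requests, not captured traffic: method, lower-cased header
# names, raw body. The action id is a placeholder, not a real Next.js action id.
BOUNDARY = "----hunt-boundary"
ACTION_HEADERS = {"next-action": "placeholder-action-id",
                  "content-type": f"multipart/form-data; boundary={BOUNDARY}"}

def _multipart(fields):
    body = "".join(f'--{BOUNDARY}\r\nContent-Disposition: form-data; '
                   f'name="{n}"\r\n\r\n{v}\r\n' for n, v in fields)
    return body + f"--{BOUNDARY}--\r\n"

SAMPLE_REQUESTS = [  # 0: benign action call, 1: __proto__ smuggled in, 2: plain GET
    {"method": "POST", "headers": ACTION_HEADERS,
     "body": _multipart([("0", json.dumps(["hello"]))])},
    {"method": "POST", "headers": ACTION_HEADERS,
     "body": _multipart([("0", json.dumps({"args": {"__proto__": {"x": 1}}}))])},
    {"method": "GET", "headers": {}, "body": ""},
]

def _keys(obj):
    """Yield every object key at any depth of a parsed JSON value."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield k
            yield from _keys(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _keys(v)

def _part_values(req):
    """Return each multipart part's value, or [] when the body is not multipart."""
    m = re.search(r'boundary=("?)([^";]+)\1', req["headers"].get("content-type", ""))
    parts = req["body"].split("--" + m.group(2)) if m else []
    return [v.rstrip("\r\n") for p in parts for _h, sep, v in [p.partition("\r\n\r\n")] if sep]

def suspicious_reasons(req):
    """Hunt findings for one request; an empty list means nothing was flagged."""
    if req["method"] != "POST" or "next-action" not in req["headers"]:
        return []
    reasons = ["raw body references __proto__"] if "__proto__" in req["body"] else []
    for value in _part_values(req):
        try:
            parsed = json.loads(value)
        except ValueError:
            continue  # non-JSON parts are left alone to limit false positives
        if "__proto__" in _keys(parsed):
            return reasons + ["a JSON part carries a __proto__ key"]
    return reasons
```

Feeding real access-log or WAF request captures through suspicious_reasons gives a first-pass triage list; pair it with the error-digest exfil pattern noted above when reviewing responses.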
Linked Entities
- CVE-2025-66478
- CVE-2015-4852
- CVE-2025-55182