React just scored a “perfect ten” vulnerability tracked under CVE-2025-55182. Remote code execution, without authentication, all you ever wanted. There’s also a Next.js counterpart under CVE-2025-66478, but it was eventually rejected as a duplicate of the former.
Plutoisaplanet of TechSpot was awesome enough to come up with a JavaScript code snippet that you can use to check your sites for this vulnerability. All credit goes to him.
```javascript
(()=>{
if(!window?.next?.version) {return false}
let [ver, sub] = next.version.split('-');
let [mj, mn, pa] = ver.split('.').map(e=>Number(e));
let fx = {16:{0:7},15:{0:5,1:9,2:6,3:6,4:8,5:7}}; // Earliest fixed patch versions
let canary = sub?.startsWith('canary.') ? Number(sub.slice(7)) : NaN; // Canary build number, compared numerically
return fx[mj]&&fx[mj][mn]>pa
? `${next.version}->${mj}.${mn}.${fx[mj][mn]}` // Vulnerable v15/16
: mj===14&&sub&&(mn>3||mn===3&&canary>=77) ? next.version+'->15.5.7' // Vulnerable v14 canary
: false; // Safe
})()
```
Just paste this into the F12 developer console and see. If it returns false, you should be fine theoretically. If it prints the “from -> to” version numbers, that means you should upgrade.
Use at your own risk though.
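The console check only works where the page exposes `next.version`, so here is an added example (not part of Plutoisaplanet's snippet or the original post) that applies the same version table to an npm lockfile, where every installed copy of `next` is listed. The function names and the sample lockfile are constructed for illustration; the lockfile layout assumed is npm's `packages` map (lockfileVersion 2/3).

```javascript
// Earliest fixed patch per release line, copied from the snippet above.
const FIXED = { 16: { 0: 7 }, 15: { 0: 5, 1: 9, 2: 6, 3: 6, 4: 8, 5: 7 } };

// Hypothetical helper: returns the version to upgrade to, or false if not flagged.
function upgradeTarget(version) {
  const [core, pre] = String(version).split('-');
  const [mj, mn, pa] = core.split('.').map(Number);
  const fixedPatch = FIXED[mj]?.[mn];
  if (fixedPatch !== undefined && pa < fixedPatch) return `${mj}.${mn}.${fixedPatch}`;
  // v14: only canary builds from 14.3.0-canary.77 on are flagged.
  // The build number is compared as a number, so canary.8 is not treated as >= canary.77.
  const canary = pre?.startsWith('canary.') ? Number(pre.slice(7)) : NaN;
  if (mj === 14 && pre && (mn > 3 || (mn === 3 && canary >= 77))) return '15.5.7';
  return false;
}

// Hypothetical helper: walks the lockfile's "packages" map and reports every
// flagged copy of next, including nested copies inside workspaces.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages ?? {})) {
    if (!/(^|\/)node_modules\/next$/.test(path)) continue; // skips next-auth, @next/env, ...
    const target = upgradeTarget(pkg.version);
    if (target) findings.push({ path, installed: pkg.version, upgradeTo: target });
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo' },
    'node_modules/next': { version: '15.4.6' },
    'apps/admin/node_modules/next': { version: '14.3.0-canary.80' },
    'apps/docs/node_modules/next': { version: '16.0.7' },
    'apps/legacy/node_modules/next': { version: '14.2.33' },
    'node_modules/next-auth': { version: '4.24.0' },
  },
};

console.log(scanLockfile(SAMPLE_LOCK));
```

To check a real project, pass the parsed contents of its `package-lock.json` to `scanLockfile` instead of `SAMPLE_LOCK`.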

