On December 3rd, a critical vulnerability (CVE-2025-55182) affecting React Server Components (RSC) was disclosed by the React team. This vulnerability enables arbitrary code execution (ACE) on the server under certain conditions, making it one of the most severe issues ever identified in the React ecosystem.

Because Next.js App Router relies heavily on React Server Components, the vulnerability has a downstream impact on Next.js applications, documented under a second identifier: CVE-2025-66478. ANSSI has confirmed the seriousness of the issue and published an alert for French organisations.

If your application uses React Server Components, Next.js App Router, or any framework enabling server-side component rendering, you must update immediately. This is the only way to eliminate the vulnerability.
What Clever Cloud Has Verified Internally
Right after disclosure, our engineering teams ran internal checks:
- No Clever Cloud services rely on React Server Components or Next.js in ways vulnerable to CVE-2025-55182.
- We updated internal dependencies when relevant.
- We validated that no developer machines or internal tools were using affected RSC versions.
Our platform does not embed React, RSC, or Next.js; these frameworks are always under the control of customers within their applications.
What Clever Cloud Cannot Do
As a platform provider:
- We do not inspect or analyse your code.
- We do not scan the versions of React, RSC, or Next.js you deploy.
- We do not automatically apply security patches to your application.
This means we cannot determine whether your application is vulnerable. Only you can audit and update the dependencies in your software.
What You Must Do If Your Application Uses React or Next.js
1. Update React to a Patched Version
Install the fixed React versions published in the official advisory: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
These eliminate CVE-2025-55182.
2. Update Next.js if You Use the App Router
For Next.js applications, install versions patched for CVE-2025-66478: https://nextjs.org/blog/CVE-2025-66478
This applies to all projects using:
- Next.js App Router
- React Server Components in Next.js
- hybrid pages blending server/client components
3. Rebuild and Redeploy Your Application
After upgrading:
- clear lockfiles/caches if needed,
- reinstall dependencies,
- rebuild locally or in CI,
- redeploy to Clever Cloud.
This ensures no vulnerable artefacts remain.
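To check steps 1 to 3 after the upgrade, the lockfile can be inventoried for every installed copy of the relevant packages, including copies nested under other dependencies. The script below is an added example, not code from Clever Cloud or the React/Next.js teams. It assumes an npm package-lock.json (lockfileVersion 2 or 3) and that the advisories list one fixed version per release line. The version numbers in it are constructed placeholders to replace with the ones from the advisories.

```javascript
// Added example, not Clever Cloud's or the React/Next.js teams' code.
// Packages to inventory (assumption: react-server-dom-* carries the RSC server code).
const WATCHED = /^(react|react-dom|next|react-server-dom-[a-z]+)$/;

// PATCHED maps package name -> fixed versions, one per release line.
// CONSTRUCTED placeholders: copy the real values from the React and Next.js advisories.
const PATCHED = {
  "react-server-dom-webpack": ["9.0.1", "9.1.2"],
  next: ["8.0.5"],
};

// Classify one installed version against the fixed versions for its package.
function classify(version, fixed) {
  if (!fixed || /[-+]/.test(version)) return "review"; // no data, or prerelease/canary build
  const [maj, min, pat] = version.split(".").map(Number);
  for (const f of fixed) {
    const [fMaj, fMin, fPat] = f.split(".").map(Number);
    if (maj === fMaj && min === fMin) return pat >= fPat ? "patched" : "below-fix";
  }
  return "review"; // release line not covered by the list supplied
}

// Walk the "packages" map so nested copies (a/node_modules/b) are not missed.
function auditLock(lock, patched) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const at = path.lastIndexOf("node_modules/");
    if (at === -1 || !meta.version) continue; // skip the root project entry
    const name = path.slice(at + "node_modules/".length);
    if (!WATCHED.test(name)) continue;
    findings.push({ path, name, version: meta.version, status: classify(meta.version, patched[name]) });
  }
  return findings;
}

// Constructed sample lockfile: top-level copies plus one stale nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/next": { version: "8.0.5" },
    "node_modules/react-server-dom-webpack": { version: "9.1.2" },
    "node_modules/some-plugin/node_modules/react-server-dom-webpack": { version: "9.0.0" },
    "node_modules/react": { version: "9.1.2" },
  },
};

// Real use: auditLock(JSON.parse(fs.readFileSync("package-lock.json", "utf8")), PATCHED)
console.table(auditLock(SAMPLE_LOCK, PATCHED));
```

Any row marked below-fix or review needs a manual comparison against the advisory before redeploying.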
4. Rotate Sensitive Credentials if You Suspect Exposure
If a vulnerable deployment processed untrusted data, rotate environment secrets, database credentials, API keys and session secrets. This is a standard precaution when arbitrary code execution is possible.
5. Review and Apply ANSSI’s Recommendations
ANSSI has published a detailed alert regarding the vulnerability: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2025-ALE-014/
We strongly encourage all organisations to follow their guidance.
Summary
If your application uses React Server Components or Next.js App Router, you must:
- upgrade React (CVE-2025-55182)
- upgrade Next.js (CVE-2025-66478)
- rebuild and redeploy
- take precautions if exposure may have occurred
Clever Cloud ensures the security of the platform, but the responsibility for application dependencies remains with each development team. We are sharing this information to help you take the right actions as quickly as possible. If you have questions about securing your deployments on Clever Cloud, we’re here to help.
Sources
- React advisory (CVE-2025-55182): https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- Next.js advisory (CVE-2025-66478): https://nextjs.org/blog/CVE-2025-66478
- ANSSI alert: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2025-ALE-014/