AWS Updates - 2025-12-04

AWS Security Bulletins

CVE-2025-66478: RCE in React Server Components

• Link: https://aws.amazon.com/security/security-bulletins/rss/aws-2025-030/
• Published: 2025-12-04

Bulletin ID: AWS-2025-030
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2025/12/03 20:00 PM PST

Description:

AWS is aware of the recently disclosed CVE-2025-55182 which affects the React Server Flight protocol in React versions 19.0, 19.1, and 19.2, as well as in Next.js versions 15.x, 16.x, Next.js 14.3.0-canary.77 and later canary releases when using App Router. This issue may permit unauthorized remote code execution on affected applications servers.

AWS is aware of CVE-2025-66478, which has been rejected as a duplicate of CVE-2025-55182.

Customers using managed AWS services are not affected, and no action is required. Customers running an affected version of React or Next.js in their own environments should update to the latest patched versions immediately:
- Customers using React 19.x, with Server Functions and RSC Components should update to the latest patched versions 19.0.1, 19.1.2, and 19.2.1
- Customers using Next.js 15-16 with App Router should update to a patched version