The Bug That Won't Die: 10 Years of the Same Mistake
ID: b0977865-7a09-5a18-86bb-c1914a64ad45
STIX ID: report--b0977865-7a09-5a18-86bb-c1914a64ad45
Feed Name: Recorded Future Blog
Recorded Future reports critical deserialization vulnerabilities in React/Next.js (CVE-2025-55182 and CVE-2025-66478) tied to the Flight protocol/Server Actions. Multiple public exploit repositories appeared rapidly on GitHub; exploitation leads to RCE, with consequences including credential harvesting, cloud metadata access, lateral movement, and persistence. The note highlights that serialization-based exploits recur across ecosystems, warns that agentic tooling will compress time-to-exploit, and provides defensive guidance: disable Server Actions if unused, deploy WAF rules targeting Next-Action headers, hunt for anomalous POSTs with multipart payloads and base64 exfiltration in error digests, and prefer data-only serialization formats with schema validation.
