It's Friday, are you starting to slack off and prepare for the weekend? Hold on, just yesterday (December 3, 2025), the React team and the Next.js team jointly disclosed a Critical-level security vulnerability. This is not just an ordinary bug, but a 'nuclear-level' vulnerability that allows unauthenticated remote code execution (RCE). If your WebGIS project uses Next.js or React 19, please investigate promptly. This vulnerability is extremely dangerous and could lead to further data leakage.

Vulnerability Details

Vulnerability ID: CVE-2025-55182 (React) / CVE-2025-66478 (Next.js)

Affected Scope: As long as your project has React Server Components (RSC) enabled, even if you think you haven't written any backend logic, you could be affected.

Severity Level: CVSS 10.0 (maximum score) — This means attackers can execute arbitrary code on your Node.js server without logging in or performing complex operations, just by sending a carefully crafted HTTP request.

Affected Versions:

  • React: 19.0.0 to 19.2.0
  • Next.js: 15.x, 16.x, and versions after 14.3.0-canary.77

Potential Risks for WebGIS

As WebGIS moves toward 3D visualization and data volumes grow exponentially, more and more GIS teams are adopting Next.js (App Router) to build high-performance geospatial information platforms, leveraging its SSR (Server-Side Rendering) advantages to optimize the first screen. The potential risks are as follows:

Server-Side Token Proxy

Many GIS developers use Next.js's Server Actions or Route Handlers to create a proxy layer to avoid exposing Tokens (such as Gaode, Tianditu, Cesium Ion, etc.). Attackers exploiting this vulnerability can directly bypass your proxy logic, not only stealing Tokens but also reading .env files on the server to obtain database passwords.

Server-Side PostGIS Queries

In modern architectures, we often directly connect to PostGIS databases in Server Components to query GeoJSON data, as shown in the following example:

// app/map/page.tsx (Server Component)
import prisma from '@/lib/db';
import MapComponent from '@/components/MapComponent'; // client-side map component; path assumed

export default async function MapPage() {
  // Query the database directly inside the server component
  const features = await prisma.places.findMany();
  return <MapComponent data={features} />;
}

The root cause lies in how React deserializes the RSC payload. An attacker can construct a malicious payload that takes over the server before the prisma query even executes, directly 'dumping the database' and leaking confidential surveying and mapping data. Whether confidential or not, the spatial data stored in your PostgreSQL can be arbitrarily downloaded and disseminated.

SSR for Large-Screen Visualization Systems

Nowadays, many GIS developers build on Next.js to improve first-screen speed. Although large screens are mainly rendered on the client side, as long as the project depends on packages like react-server-dom-webpack (included by default in the Next.js App Router), the application is exposed to this risk.

Solution

First, upgrade dependencies. If you are a Next.js user: upgrade Next.js to the officially released fixed version.

# npm
npm install next@latest react@latest react-dom@latest

# yarn
yarn add next@latest react@latest react-dom@latest

# pnpm
pnpm add next@latest react@latest react-dom@latest

Next.js 15 users need to upgrade to 15.0.4+ (or the latest patch version). Next.js 14 Canary users: immediately roll back to the v14 stable release or upgrade to the fixed v15 release.

If you are a native React 19 user: ensure that packages like react, react-dom, react-server-dom-* are upgraded to 19.0.1+, 19.1.2+, or 19.2.1+.

After upgrading, rerun the build command and deploy to the production environment.
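Before and after upgrading, it helps to confirm which installed versions fall inside the ranges listed above. The following is an added example, not code from the original post or from the React/Next.js projects: it audits the "packages" map of a package-lock.json against the affected and fixed versions this post lists (React family 19.0.0 to 19.2.0, fixed in 19.0.1+/19.1.2+/19.2.1+; Next.js 14.3.0-canary.N with N > 77, 15.x and 16.x, with 15.0.4+ as the fixed 15 line). SAMPLE_LOCK is a constructed lock-file excerpt; because the post gives no fixed boundary for Next.js 16 and only 15.0.4 for 15, later 15.x and all 16.x are returned as "review" rather than "ok".

```javascript
// Constructed package-lock.json excerpt (the "packages" map of lockfile v2/v3);
// a real scan would JSON.parse(fs.readFileSync("package-lock.json", "utf8")).
const SAMPLE_LOCK = {
  packages: {
    "node_modules/next": { version: "15.0.3" },
    "node_modules/react": { version: "19.1.1" },
    "node_modules/react-dom": { version: "19.1.1" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/prisma": { version: "5.22.0" },
  },
};
const ADVISORY_PKGS = /^(react|react-dom|react-server-dom-[a-z]+|next)$/;
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || "" } : null;
}

// React family: affected 19.0.0..19.2.0; fixed in 19.0.1+, 19.1.2+ and 19.2.1+.
function reactStatus(s) {
  if (s.major !== 19) return "ok";
  if (s.pre) return "review"; // 19 pre-releases are outside the ranges the post gives
  if (s.minor === 0) return s.patch < 1 ? "vulnerable" : "ok";
  if (s.minor === 1) return s.patch < 2 ? "vulnerable" : "ok";
  if (s.minor === 2) return s.patch < 1 ? "vulnerable" : "ok";
  return "ok";
}

// Next.js: 14.3.0-canary.N (N > 77), 15.x and 16.x are affected. The post names 15.0.4+
// as fixed and no 16.x boundary, so other 15/16 releases are "review" (check the advisory).
function nextStatus(s) {
  if (s.major === 14) {
    const c = /^canary\.(\d+)$/.exec(s.pre);
    return s.minor === 3 && s.patch === 0 && c && +c[1] > 77 ? "vulnerable" : "ok";
  }
  if (s.major === 15) return s.minor === 0 && s.patch < 4 ? "vulnerable" : "review";
  return s.major === 16 ? "review" : "ok";
}

// Map of package name -> "ok" | "vulnerable" | "review" | "unparsed" for advisory packages.
function auditLock(lock) {
  const report = {};
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.slice(path.lastIndexOf("node_modules/") + 13); // strip nesting prefix
    if (!ADVISORY_PKGS.test(name)) continue;
    const s = parseSemver(entry.version);
    report[name] = !s ? "unparsed" : name === "next" ? nextStatus(s) : reactStatus(s);
  }
  return report;
}
console.log(auditLock(SAMPLE_LOCK));
```

Nested node_modules entries are resolved to their package name, so a second copy of react pulled in by a sub-dependency is reported as well.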

Conclusion

All GIS developers should not take chances, thinking 'my system is on the intranet' or 'no one knows my interface.' In the face of cybersecurity, every line of unpatched code is an open door to hackers. Especially in our industry, where data is special, the consequences of leakage could be more severe. Better safe than sorry.

However, when this vulnerability emerged yesterday, the editor also asked around in developer groups, and those affected are a very small number; after all, more developers in China use Vue.