To support customer testing and validation, we’ve added a reverse-engineered proof of concept to Assetnote. Our research team also published an open-source test, which is available on our GitHub.
An advisory has revealed a critical, unauthenticated Remote Code Execution (RCE) vulnerability in Next.js, rooted in React Server Components, which requires immediate patching. Given the severity of this issue, in addition to developing a high-fidelity check across our ASM platform, Assetnote, our Security Research team also published an open-source command-line tool for detecting CVE-2025-55182 and CVE-2025-66478 in Next.js applications using React Server Components.
Communicating the critical risk: Executive summary
Next.js is a powerful web development framework that simplifies the process of building fast, interactive applications. If a bad actor were to exploit this RCE vulnerability, they could take full control of your app, access and exfiltrate data, or use their access as a way to pivot into other systems and conduct disruptive attacks.
Searchlight Cyber’s security research team constantly uncovers new vulnerabilities and feeds them directly into our platform, giving you early warnings on zero-days so you can mitigate them before attackers have the chance to exploit them.
About Assetnote
Searchlight Cyber’s ASM solution, Assetnote, provides industry-leading attack surface management and adversarial exposure validation solutions, helping organizations identify and remediate security vulnerabilities before they can be exploited. Customers receive security alerts and recommended mitigations simultaneously with any disclosures made to third-party vendors. Visit our attack surface management page to learn more about our platform and the research we do.