(UPDATE) Critical Vulnerability in React and Next.js

Security alert (photo: Elchinator, Pixabay)

On December 3rd, Z-CERT warned all affiliated healthcare organizations about a critical vulnerability in React. We urge all healthcare organizations using this software to immediately follow the advice below.

Update December 5th, 2025

Z-CERT has issued an Operational Alert regarding the critical vulnerability in React and Next.js. We reiterate our strong advice to perform an upgrade immediately.

React is a development library widely used in healthcare for building user interfaces of web applications, such as web forms. It is also often part of larger development frameworks, such as Next.js.

What should you do?

The severe vulnerability in Next.js is identified by CVE-2025-66478. The vulnerability with the identifier CVE-2025-558182 affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0.

If your organization uses these packages, we strongly advise you to upgrade immediately. The vulnerability has been resolved in versions 19.0.1, 19.1.2, and 19.2.1.

Your application is not vulnerable to this issue if:

  • The React code of your application does not use a server.
  • Your application does not use a framework, bundler, or bundler plugin that supports React Server Components.
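One way to check a project against the version lists above, as an added example that is not part of the Z-CERT advisory: it scans a parsed package-lock.json (lockfileVersion 2 or 3) for every installed copy of `react`, including nested ones. Assumptions: "19.0" is read as 19.0.0, each affected version is paired with the fixed version of the same release line, and the function names and sample lockfile are constructed for illustration.

```javascript
// Affected version -> fixed version, from the advisory text.
// Assumption: "19.0" means 19.0.0; pairing is by release line.
const FIXED_BY_AFFECTED = new Map([
  ["19.0.0", "19.0.1"],
  ["19.1.0", "19.1.2"],
  ["19.1.1", "19.1.2"],
  ["19.2.0", "19.2.1"],
]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; root entry "" -> null.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns every installed `react` copy at an affected version, plus whether
// Next.js (a framework the advisory names) is present in the dependency tree.
function triageLockfile(lock) {
  const findings = [];
  let usesNext = false;
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (name === "next") usesNext = true;
    if (name !== "react") continue;
    const version = String(meta.version || "").split("+")[0]; // drop build metadata
    if (FIXED_BY_AFFECTED.has(version)) {
      findings.push({ path: lockPath, version, fixedIn: FIXED_BY_AFFECTED.get(version) });
    }
  }
  return { findings, usesNext };
}

// Constructed sample lockfile (not real project data; the next version is a placeholder).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "patient-portal", version: "1.0.0" },
    "node_modules/react": { version: "19.1.1" },
    "node_modules/next": { version: "0.0.0-sample" },
    "node_modules/widget/node_modules/react": { version: "19.2.1" },
    "node_modules/legacy-form/node_modules/react": { version: "19.0.0" },
    "node_modules/react-dom": { version: "19.1.1" },
  },
};

console.log(JSON.stringify(triageLockfile(sampleLock), null, 2));
```

To run it on a real project, pass the result of `JSON.parse` on the contents of its package-lock.json to `triageLockfile`. An empty findings list only covers the `react` versions listed above; the Next.js issue (CVE-2025-66478) needs its own version check against the vendor's guidance.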

Why is this a risk?

To use a web application, data is retrieved from a server connected to the internet. The critical vulnerability in React can be exploited to gain access to servers running this development software.

Attackers could exploit this vulnerability to execute malicious JavaScript code on the affected server. As a result, an attacker may be able to view all data on the server or gain control over the server where the vulnerable software is running.
