Critical Security Vulnerability in React Server Components (CVE-2025-55182)

Advisory
December 4, 2025
Kudelski Security Team

Summary

A critical security vulnerability (CVE-2025-55182) has been identified in React Server Components, allowing unauthenticated remote code execution. It affects multiple frameworks and bundlers, including Next.js, React Router, and others. Because a proof of concept (PoC) is publicly available, immediate action is required to mitigate active exploitation.

Affected Systems and/or Applications

  • React Versions: 19.0, 19.1.0, 19.1.1, and 19.2.0
  • Next.js Versions: 15 through 16
  • Frameworks and Bundlers: Next.js, React Router, Waku, Parcel RSC plugin, Vite RSC plugin, RedwoodJS, and potentially others.

Technical Details

CVE-2025-55182 is a critical vulnerability in React Server Components that allows unauthenticated remote code execution (RCE). The flaw lies in how React decodes (deserializes) payloads sent to React Server Function endpoints. It carries a CVSS score of 10.0, reflecting the potential for severe impact if exploited.

Exploitation is considered trivial because no authentication is required: an attacker who can send a specially crafted HTTP request to a vulnerable endpoint that uses React Server Functions can achieve RCE. The attack vector is therefore the delivery of malicious payloads to those Server Function endpoints.

Mitigation Strategies

  1. Immediate Upgrades:
    • Upgrade React to version 19.2.1 or later to mitigate the vulnerability.
    • For frameworks like Next.js, upgrade to the patched versions as specified in the announcements.
  2. Web Application Firewall (WAF) Rules:
    • Implement WAF rules to detect and block exploitation attempts. For example, Google Cloud's Cloud Armor has released a specific rule to mitigate this vulnerability, and Cloudflare has also deployed new rules across its network, with the default action set to Block.
  3. Temporary Mitigations:
    • Hosting providers have applied temporary mitigations, but these should not be solely relied upon. Immediate patching is essential.
  4. Monitoring and Detection:
    • Monitor network traffic for unusual patterns that may indicate exploitation attempts.
    • POST requests containing indicators like `vm#...`, `child_process#...`, `util#...`, `fs#...` can help identify exploitation attempts.
    • Use intrusion detection systems (IDS) to alert on suspicious activities related to this vulnerability.
  5. Code Review and Hardening:
    • Conduct a thorough review of code that interfaces with React Server Components to ensure no additional vulnerabilities exist.
    • Harden server configurations to minimize the attack surface.
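As an added example (not part of the Kudelski advisory), the following Node.js snippet applies the indicator check from the Monitoring and Detection item above to HTTP request bodies. The indicator tokens come from the advisory; the function names, the sample requests and the percent-decoding step are constructed assumptions.

```javascript
// Added example: flag POST requests whose body carries the module-reference
// indicators named in the advisory. Only the four tokens are from the advisory;
// everything else here is constructed for illustration.
const INDICATORS = ["vm#", "child_process#", "util#", "fs#"];

// One alternation regex over all indicators; escape regex metacharacters so the
// list can be extended safely later.
const INDICATOR_RE = new RegExp(
  INDICATORS.map((s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")).join("|"),
  "g"
);

/**
 * Inspect one request ({ method, body }). Returns { suspicious, matches },
 * where matches is the de-duplicated list of indicator tokens seen in the body.
 * Server Function calls are POSTs, so other methods are not scanned.
 */
function scanRequest(req) {
  if (req.method !== "POST" || typeof req.body !== "string") {
    return { suspicious: false, matches: [] };
  }
  // Normalize once: a percent-encoded body would otherwise hide the '#' token.
  // Malformed escapes throw a URIError, in which case the raw body is scanned.
  let body = req.body;
  try { body = decodeURIComponent(body); } catch (_) { /* keep raw body */ }
  const matches = [...new Set(body.match(INDICATOR_RE) || [])];
  return { suspicious: matches.length > 0, matches };
}

// Constructed sample traffic (placeholders, not real payloads).
const SAMPLES = [
  { method: "POST", path: "/", body: '["legit form value"]' },
  { method: "POST", path: "/", body: "x:child_process#CONSTRUCTED_SAMPLE" },
  { method: "POST", path: "/", body: "y%3Avm%23CONSTRUCTED" }, // encoded "vm#"
  { method: "GET", path: "/", body: "fs#CONSTRUCTED" }, // not a POST: ignored
];

// Annotate each request with the scan result; suitable for feeding a SIEM rule.
function triage(requests) {
  return requests.map((r) => ({ path: r.path, ...scanRequest(r) }));
}

console.table(triage(SAMPLES));
```

The check is deliberately narrow (POST bodies, literal tokens, one decoding pass); in practice it belongs in WAF or request-logging tooling in front of the Server Function endpoints alongside the upgrade, not instead of it.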

What the Cyber Fusion Center is Doing

The CFC will continue to monitor the situation and send an advisory update if needed. Immediate action is required to mitigate potential exploitation by applying patches, restricting access, and enhancing security monitoring. Organizations should prioritize these measures to safeguard their edge devices against potential threats.
