UPDATE: Critical Security Vulnerability in React Server Components (CVE-2025-55182)
Summary
A critical security vulnerability (CVE-2025-55182) has been identified in React Server Components that allows unauthenticated remote code execution. It affects multiple frameworks and bundlers, including Next.js, React Router, and others. Immediate action is required: a proof of concept (PoC) is publicly available and the vulnerability is being actively exploited.
Affected Systems and/or Applications
React
The vulnerability affects the React Server Components packages at the following versions:
- Affected versions: 19.0.0, 19.1.0, 19.1.1, 19.2.0
- Fixed versions: 19.0.1, 19.1.2, 19.2.1
Affected React Packages
The vulnerability impacts the following packages:
- react-server-dom-parcel
- react-server-dom-turbopack
- react-server-dom-webpack
Next.js
Next.js is affected when using the App Router:
- Affected versions: 15.x, 16.x, and experimental canary builds starting with 14.3.0-canary.77
- Fixed versions: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
- Guidance for canary users:
  - either downgrade to a stable 14.x release,
  - or downgrade to 14.3.0-canary.76, the last unaffected canary version.
- Guidance for 15.x and 16.x users:
  - All users on stable Next.js 15.x or 16.x must upgrade immediately to one of the patched versions above.
Other Frameworks & Bundlers Affected
Any tooling that integrates React Server Components may be impacted, including:
- React Router
- Waku
- Parcel RSC plugin
- Vite RSC plugin
- RedwoodJS
- Other ecosystem tools built on React Server Function endpoints
Technical Details
CVE-2025-55182 is a critical vulnerability in React Server Components that allows unauthenticated remote code execution (RCE). The flaw lies in how React deserializes (decodes) payloads sent to React Server Function endpoints. Its CVSS score of 10.0 reflects the potential for significant impact if exploited.
Exploitation is considered trivial because no authentication is required: an attacker sends a specially crafted HTTP request to a vulnerable React Server Function endpoint to achieve RCE. The attack vector is therefore the delivery of malicious payloads to endpoints that use React Server Functions.
Mitigation Strategies
- Immediate upgrades
  - Upgrade React to version 19.2.1 or later to mitigate the vulnerability.
  - For frameworks like Next.js, upgrade to the patched versions as specified in the announcements.
- Web Application Firewall (WAF) rules
  - Multiple WAF vendors have released rules and signatures that detect and block exploitation attempts for CVE-2025-55182:
  - Cloudflare & Google Cloud Armor
    - Cloud Armor: released targeted rule updates designed to block malicious payload patterns.
    - Cloudflare: deployed network-wide signatures with the default action set to Block to stop known exploitation techniques.
  - F5 Protections
    - F5 has released enhanced signatures across its product lines.
    - BIG-IP Advanced WAF / ASM, F5 WAF for NGINX, and NGINX App Protect WAF:
      - Signature: React Server Components RCE, ID 200204048
      - Included in: ASM-AttackSignatures_20251204_021602.im or later
    - F5 Distributed Cloud WAF:
      - Signature: React Server Components RCE, ID 200204048
      - Deployed to all Regional Edges; ensure High Accuracy signatures are enabled in blocking mode.
  - Akamai App & API Protector
    - As of December 3, 2025, Akamai deployed a Rapid Rule for App & API Protector offering full coverage:
      - 3000976 — React Remote Code Execution Attack Detected (CVE-2025-55182)
  - Imperva Cloud WAF
    - Imperva has proactively:
      - Analyzed the vulnerability and mapped exploitation paths
      - Created and validated virtual patching rules
      - Automatically deployed protections for all Cloud WAF customers
    - On-prem customers should reference the latest Community Guide to manually apply the corresponding policy.
- Temporary mitigations
  - Hosting providers have applied temporary mitigations, but these should not be relied upon alone; immediate patching is essential.
- Monitoring and detection
  - Monitor network traffic for unusual patterns that may indicate exploitation attempts.
  - POST requests containing indicators like `vm#...`, `child_process#...`, `util#...`, `fs#...` can help identify exploitation attempts.
  - Use intrusion detection systems (IDS) to alert on suspicious activity related to this vulnerability.
- Code review and hardening
  - Conduct a thorough review of code that interfaces with React Server Components to ensure no additional vulnerabilities exist.
  - Harden server configurations to minimize the attack surface.
What the Cyber Fusion Center is Doing
The CFC will continue to monitor the situation and send an advisory update if needed. Immediate action is required to mitigate potential exploitation by applying patches, restricting access, and enhancing security monitoring. Organizations should prioritize these measures to safeguard their edge devices against potential threats.
References
- React Blog Announcement
- Next.js Announcement
- GitHub React Fix
- GitHub Next.js Fix
- Google Cloud Blog on CVE-2025-55182
- Attack Signatures | F5 Distributed Cloud Technical Knowledge
- Next.js is vulnerable to RCE in React flight protocol · CVE-2025-66478 · GitHub Advisory Database · GitHub