
CVE-2025-55182: Critical Remote Code Execution Vulnerability in React Server Components and Next.js – Urgent Patch Required

  • Rescana
  • 5 days ago
  • 5 min read

Executive Summary

A critical security vulnerability, CVE-2025-55182, has been identified in React Server Components (RSC), a core technology underpinning modern web frameworks such as Next.js, React Router, Waku, Parcel RSC plugin, and Vite RSC plugin. This vulnerability, rated CVSS 10.0 (Critical), enables unauthenticated remote code execution (RCE) on affected servers by exploiting unsafe deserialization in the RSC protocol. The flaw allows attackers to execute arbitrary code, access sensitive files, and potentially gain persistent access to compromised systems. Given the widespread adoption of these frameworks and the public availability of proof-of-concept (PoC) exploit code, the risk of mass exploitation is extremely high. Immediate patching and mitigation are imperative for all organizations utilizing affected versions of React Server Components or dependent frameworks.

Technical Information

CVE-2025-55182 is a deserialization vulnerability in the server-side implementation of React Server Components. It is present in the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages at versions 19.0.0 through 19.2.0; the React team fixed it in 19.0.1, 19.1.2, and 19.2.1 (one patched release per 19.x line). The flaw also affects frameworks and bundlers that embed these packages, including Next.js, React Router, Waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.

The root cause is unsafe handling of the serialized payload sent to React Server Function endpoints. The vulnerable requireModule() path resolves the requested export with bracket notation (exports[name]) without first checking that the name is an own property via hasOwnProperty. A plain JavaScript lookup of that form walks the prototype chain, so an identifier that is not a declared export still resolves to something, which is what lets a crafted reference reach objects the module map never intended to expose (the bug is often described as prototype-pollution-style, although the attacker reads through the chain rather than writing to it). Public analyses and the PoC use this to reach built-in Node.js modules such as vm, child_process, and fs.
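The lookup pattern described above, as an added illustration that is not React's code and not the real requireModule() implementation: a constructed module map, a resolver that uses bare bracket notation, and a hardened resolver that insists on own properties. The module and export names are hypothetical.

```javascript
"use strict";

// Constructed stand-in for the bundler's module map: moduleId -> exports.
// Only submitOrder is meant to be reachable from a client payload.
const moduleMap = {
  "app/actions.js": {
    submitOrder: (qty) => `ordered ${qty}`,
  },
};

// Vulnerable pattern: bracket-notation lookup with no own-property check.
// `mod[name]` walks the prototype chain, so "constructor", "__proto__" and
// every Object.prototype method resolve even though none is an export.
function requireModuleVulnerable(ref) {
  const [moduleId, exportName] = ref.split("#");
  const mod = moduleMap[moduleId];
  return mod[exportName];
}

// Hardened pattern: every hop must be an own property of a plain object,
// and the result must be a function before it is treated as callable.
function requireModuleHardened(ref) {
  const [moduleId, exportName] = ref.split("#");
  if (!Object.hasOwn(moduleMap, moduleId)) {
    throw new Error(`unknown module: ${moduleId}`);
  }
  const mod = moduleMap[moduleId];
  if (!Object.hasOwn(mod, exportName) || typeof mod[exportName] !== "function") {
    throw new Error(`unknown export: ${ref}`);
  }
  return mod[exportName];
}

// Resolve each reference and report what kind of value came back.
function probe(resolver, refs) {
  return refs.map((ref) => {
    try {
      return { ref, result: typeof resolver(ref) };
    } catch (err) {
      return { ref, result: "rejected" };
    }
  });
}

// Constructed probe set: one legitimate export and three identifiers that
// exist only on Object.prototype.
const PROBES = [
  "app/actions.js#submitOrder",
  "app/actions.js#constructor",
  "app/actions.js#__proto__",
  "app/actions.js#hasOwnProperty",
];

console.log("vulnerable:", probe(requireModuleVulnerable, PROBES));
console.log("hardened:  ", probe(requireModuleHardened, PROBES));
```

The vulnerable resolver hands back a function for "constructor" (the Object constructor) and for "hasOwnProperty", and an object for "__proto__"; the hardened one rejects all three and only returns the declared export.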

An attacker can exploit this by sending a specially crafted HTTP request to any exposed Server Function endpoint. The payload can reference internal Node.js modules and invoke methods with arbitrary arguments. For example, by referencing child_process#execSync and passing a shell command, the attacker can execute system commands on the server. Similarly, referencing fs#readFileSync allows reading sensitive files, and vm#runInThisContext enables execution of arbitrary JavaScript code.

The attack vector is trivial: the attacker does not require authentication or prior access. The only prerequisite is that the target server exposes a vulnerable RSC endpoint. The exploit can be delivered via a POST request containing a malicious JSON payload, such as:

```json
{ "id": "child_process#execSync", "bound": ["whoami"] }
```

This would execute the whoami command on the server and return the result to the attacker. Other payloads can read files, write files, or establish persistence by modifying files like ~/.ssh/authorized_keys.

A public proof-of-concept is available on GitHub (ejpir/CVE-2025-55182-poc), demonstrating direct RCE, file system access, and persistence techniques. The exploit leverages the RSC protocol's deserialization logic to bypass intended security boundaries and gain full control over the server process.

The vulnerability affects all environments where the vulnerable packages are deployed, including production, staging, and development systems. Cloud service providers, SaaS platforms, e-commerce sites, and social media applications built on React and its ecosystem are particularly at risk. The attack surface is global, with significant exposure in the US, EU, and APAC regions due to the popularity of React-based technologies.

Indicators of compromise include POST requests to RSC Server Function endpoints whose bodies reference Node.js built-ins (for example child_process#execSync, fs#readFileSync, or vm#runInThisContext) or prototype-chain keys such as __proto__ alongside the usual $ACTION_REF_0-style action markers (those markers also appear in legitimate Server Action form submissions, so use them to scope the search rather than as an alert on their own); unexpected loading of the vm, child_process, or fs modules by the application process; creation or modification of files such as ~/.ssh/authorized_keys or files in /tmp/; and outbound connections or child processes spawned by the Node.js server process.
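An added detection example, not from the advisory or from any vendor product: it scores newline-delimited JSON request records for the request-side indicators above. It assumes the reverse proxy or application logger records method, path, and a (possibly truncated) body for each request; the record layout and the sample lines are constructed, and the action-payload body layout is illustrative rather than the exact Next.js wire format.

```javascript
"use strict";

// Node built-ins the advisory names; a Server Function payload should never
// reference them. Extend both lists to taste.
const SUSPICIOUS_MODULES = ["child_process", "fs", "vm"];
const SUSPICIOUS_EXPORTS = ["execSync", "readFileSync", "runInThisContext"];

// "<module>#<export>" references, the shape the quoted payload uses.
const MODULE_REF = new RegExp(
  `"(${SUSPICIOUS_MODULES.join("|")})#([A-Za-z_$][\\w$]*)"`, "g");
// Keys that only make sense if someone is walking the prototype chain.
const PROTO_KEY = /__proto__|"constructor"|"prototype"/;

// Score one request record. Returns { severity, reasons }.
function scoreRequest(rec) {
  const reasons = [];
  if (rec.method !== "POST") return { severity: "none", reasons };
  const body = rec.body || "";
  const actionPayload = /\$ACTION_(REF|ID)_/.test(body);
  let severity = "none";
  if (actionPayload) {
    // Legitimate no-JS form submissions carry $ACTION_REF_ keys, so on its
    // own this is scoping information, not an alert.
    severity = "info";
    reasons.push("server action payload");
  }
  for (const m of body.matchAll(MODULE_REF)) {
    severity = "high";
    const known = SUSPICIOUS_EXPORTS.includes(m[2]) ? " (known-dangerous export)" : "";
    reasons.push(`references built-in ${m[1]}#${m[2]}${known}`);
  }
  if (actionPayload && severity !== "high" && PROTO_KEY.test(body)) {
    severity = "medium";
    reasons.push("prototype-chain key in action payload");
  }
  return { severity, reasons };
}

// Parse newline-delimited JSON records and keep everything above "none".
function scanLog(text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    if (!line.trim()) return;
    let rec;
    try { rec = JSON.parse(line); } catch { return; } // skip malformed lines
    const { severity, reasons } = scoreRequest(rec);
    if (severity !== "none") findings.push({ line: i + 1, path: rec.path, severity, reasons });
  });
  return findings;
}

// Constructed sample: a benign action submission, a payload shaped like the
// one quoted in this advisory, a prototype-chain probe, and ordinary traffic.
const SAMPLE_LOG = [
  JSON.stringify({ ts: "2025-12-04T10:00:01Z", method: "POST", path: "/checkout",
    body: '$ACTION_REF_0=&$ACTION_0:0={"id":"app/actions.js#submitOrder","bound":[3]}' }),
  JSON.stringify({ ts: "2025-12-04T10:00:07Z", method: "POST", path: "/checkout",
    body: '$ACTION_REF_0=&$ACTION_0:0={"id":"child_process#execSync","bound":["whoami"]}' }),
  JSON.stringify({ ts: "2025-12-04T10:00:09Z", method: "POST", path: "/checkout",
    body: '$ACTION_REF_0=&$ACTION_0:0={"__proto__":{"id":"x"}}' }),
  JSON.stringify({ ts: "2025-12-04T10:00:12Z", method: "GET", path: "/products" }),
].join("\n");

console.log(scanLog(SAMPLE_LOG));
```

Only the request side is covered here; the process and file-system indicators (module loads, authorized_keys changes, spawned children) come from a different telemetry source and are best correlated by time and process ID with the "high" findings this scanner emits.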

The vulnerability maps to several MITRE ATT&CK techniques: T1190 (Exploit Public-Facing Application) for the initial request, T1059 (Command and Scripting Interpreter) for commands run through child_process or vm, T1098.004 (Account Manipulation: SSH Authorized Keys) if persistence is established by writing to authorized_keys, with T1078 (Valid Accounts) covering later logins with the planted key, and T1105 (Ingress Tool Transfer) if additional payloads are dropped.

Exploitation in the Wild

As of the publication of this advisory, there are no confirmed reports of active exploitation of CVE-2025-55182 in the wild, according to sources such as Akamai and Tenable. However, the situation is rapidly evolving. Security researchers and vendors, including watchTowr, Rapid7, and Wiz, have warned that attackers are actively reverse engineering patches and scanning for vulnerable instances. The availability of public PoC code and the critical nature of the vulnerability make exploitation imminent. The exploit is trivial to execute, with a near 100% success rate in controlled environments. Mass exploitation is expected if organizations delay patching.

APT Groups using this vulnerability

At this time, no specific Advanced Persistent Threat (APT) groups or organized cybercriminal campaigns have been publicly attributed to the exploitation of CVE-2025-55182. However, the high value of targets using React Server Components and the ease of exploitation make this vulnerability attractive to both state-sponsored actors and financially motivated cybercriminals. The attack surface includes cloud service providers, SaaS platforms, e-commerce, and social media organizations, all of which are frequent targets for APT activity. Given historical patterns, it is likely that APT groups will incorporate this exploit into their toolkits if widespread patching is not achieved promptly.

Affected Product Versions

The following products and versions are confirmed to be affected by CVE-2025-55182:

The vulnerable packages are react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack at versions 19.0.0 through 19.2.0. Frameworks and bundlers impacted include Next.js from 14.3.0-canary.77 and later canary releases, as well as all 15.x and 16.x releases below the patched versions listed below (see the Next.js advisory). Other affected frameworks and plugins are React Router (with RSC support), Waku, @parcel/rsc, @vitejs/plugin-rsc, rwsdk, and any custom or downstream framework that embeds the vulnerable RSC packages.

Patched versions are react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack 19.0.1, 19.1.2, and 19.2.1 (one fixed release per 19.x line; any version at or above the fix for its line is safe), and Next.js 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7, i.e. the first fixed release in each 15.x/16.x line, and later. For other frameworks, consult the respective maintainers for patched releases.
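An added audit example, not from npm, React, or Next.js tooling: it walks a package-lock.json (the npm lockfile v2/v3 "packages" map, including nested node_modules copies) and classifies the tracked packages against the fix table above. The sample lock file is constructed; prerelease builds and release lines absent from the table are flagged for manual review against the vendor advisories rather than judged automatically.

```javascript
"use strict";

// First fixed version per release line (major.minor). The RSC package lines
// come from the React fix releases 19.0.1 / 19.1.2 / 19.2.1; the Next.js
// lines are the patched releases listed in this advisory.
const RSC_FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
const FIXED = {
  "react-server-dom-webpack": RSC_FIXED,
  "react-server-dom-parcel": RSC_FIXED,
  "react-server-dom-turbopack": RSC_FIXED,
  next: {
    "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
    "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7",
  },
};

// Minimal semver parse: major.minor.patch with an optional prerelease tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v || "");
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// Classify one installed version of a tracked package.
function classify(name, version) {
  // Own-property check on purpose: a package literally named "constructor"
  // must not resolve through Object.prototype (the bug class at issue here).
  if (!Object.hasOwn(FIXED, name)) return "not-tracked";
  const p = parseVersion(version);
  if (!p) return "unparseable";
  // Canary/experimental builds (e.g. 14.3.0-canary.77) are listed as affected
  // but do not fit a per-line table, so hand them to a human.
  if (p.pre) return "prerelease-review";
  const fixed = FIXED[name][`${p.major}.${p.minor}`];
  if (!fixed) return "unlisted-review";
  return p.patch >= parseVersion(fixed).patch ? "patched" : "vulnerable";
}

// Walk the lockfile's "packages" map, including nested node_modules copies.
function auditLock(lock) {
  const findings = [];
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    if (!Object.hasOwn(FIXED, name)) continue;
    findings.push({ name, path, version: entry.version, status: classify(name, entry.version) });
  }
  return findings;
}

// Constructed lockfile: a vulnerable Next.js line, one vulnerable and one
// patched RSC package, and a nested canary copy of next under another package.
const SAMPLE_LOCK = {
  name: "shop-frontend",
  lockfileVersion: 3,
  packages: {
    "": { name: "shop-frontend", version: "1.0.0" },
    "node_modules/next": { version: "15.4.7" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/legacy-admin/node_modules/next": { version: "14.3.0-canary.80" },
  },
};

console.table(auditLock(SAMPLE_LOCK));
```

Run it against a real lock file with `auditLock(JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")))`, and audit every lock file in a monorepo: a nested copy of next pulled in by another package, as in the sample, is exactly what a quick `npm ls` at the repository root tends to miss.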

Workaround and Mitigation

The only effective mitigation is to upgrade all affected packages and frameworks to patched versions. Applications that depend on react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack directly should move to the fixed release for their line (19.0.1, 19.1.2, or 19.2.1 and later), for example:

```bash
npm install react-server-dom-webpack@latest
npm install react-server-dom-parcel@latest
npm install react-server-dom-turbopack@latest
```

Note that Next.js ships its own compiled copy of the RSC runtime, so installing the React packages directly does not patch a Next.js application; the next package itself must be upgraded. After upgrading, confirm the versions actually resolved in the tree with `npm ls next react-server-dom-webpack` rather than trusting the ranges in package.json.

For Next.js, upgrade to the latest patched version in your release line as detailed in the Next.js security advisory. For other frameworks such as React Router and Waku, follow vendor-specific upgrade instructions.

Some hosting providers have implemented temporary mitigations, such as blocking certain payloads or endpoints, but these are not sufficient to prevent exploitation. Immediate upgrade is mandatory. Organizations should also monitor server logs for indicators of compromise, including suspicious POST requests to RSC endpoints, unexpected module execution, and unauthorized file modifications.

As a defense-in-depth measure, restrict network access to RSC endpoints where possible, implement strict input validation, and monitor for anomalous activity on all systems running affected packages.


Rescana is here for you

At Rescana, we understand the critical importance of rapid vulnerability response and robust third-party risk management. Our TPRM platform empowers organizations to continuously monitor, assess, and mitigate risks across their digital supply chain, ensuring that vulnerabilities like CVE-2025-55182 are identified and addressed before they can be exploited. Our team of cybersecurity experts is dedicated to supporting your organization through every stage of the vulnerability management lifecycle. If you have any questions about this advisory or require assistance with incident response, please contact us at ops@rescana.com.
