CVE-2025-55182 | RSC | RCE
| Vulnerability | CVE-2025-55182 |
|---|---|
| Type | Unauthenticated Remote Code Execution (RCE) Vulnerability / Insecure Deserialization |
| Description | A critical vulnerability in the React Server Components (RSC) “Flight” protocol allows an attacker to send a specially crafted multipart HTTP request that manipulates how React deserializes Server Action payloads. Insufficient validation of Flight chunks allows attacker-controlled structures to influence internal deserialization logic, resulting in arbitrary code execution. Applications that process RSC Server Actions or Flight protocol payloads are affected, even when no custom Server Functions are defined. |
| Affected Systems | - react-server-dom-webpack versions 19.0, 19.1.0, 19.1.1, 19.2.0<br>- react-server-dom-parcel versions 19.0, 19.1.0, 19.1.1, 19.2.0<br>- react-server-dom-turbopack versions 19.0, 19.1.0, 19.1.1, 19.2.0<br>- Next.js (App Router + Server Actions), unpatched branches across 14.x–16.x<br>- Any application processing Flight/RSC Server Action payloads (client-side-only React apps are not affected) |
| Attack Vector | - Protocol: HTTP/HTTPS POST requests<br>- Authentication: none required (pre-authentication)<br>- User interaction: none required<br>- Attack complexity: low<br>- Target: any endpoint that accepts and parses RSC Server Action or Flight protocol requests<br>- Headers: next-action, Next-Action, rsc-action-id (which header is used varies by framework, and none is universally required)<br>- Payload delivery: malicious multipart/form-data Flight chunks designed to manipulate internal RSC deserialization |
| Exploit Mechanism | The exploit abuses how React processes Flight “chunks” during deserialization:<br>1. RSC uses Flight serialization for Server Action arguments.<br>2. The server receives multipart chunks with references (e.g., $1:...).<br>3. The attacker crafts malicious chunk objects that manipulate internal prototype references and bypass validation.<br>4. React fails to properly validate the chunk structure before invoking internal logic.<br>5. Deserialization triggers unsafe resolution paths allowing access to constructors.<br>6. The attacker reaches the Function constructor through prototype chain traversal (e.g., $1:constructor:constructor).<br>7. Arbitrary JavaScript executes (commonly via child_process).<br>8. Exploitation occurs before action/module resolution and authentication checks. |
| The Impact of the Bug | Successful exploitation results in pre-authentication arbitrary code execution on affected backends. An attacker can execute OS commands with the privileges of the Node.js/React server runtime, enabling data theft, cloud metadata access, lateral movement, credential harvesting, file modification, cryptocurrency mining, and full service takeover. Public PoCs and automated scanners exist, and the vulnerability has been actively exploited in the wild, leading to its inclusion in the CISA KEV (5 December 2025). Multiple vendors report widespread opportunistic exploitation, though attribution remains preliminary. CVSS severity: Critical (approx. 9.8). |
| How to detect whether your application is vulnerable to this attack vector | - Check whether you use affected versions of react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack or react-server-dom-vite.<br>- Check whether your application uses the Next.js App Router with Server Actions.<br>- Determine whether your server receives or handles RSC Flight POST requests.<br>- Inspect logs for POST requests carrying RSC-related headers (next-action, rsc-action-id).<br>- Identify whether the application parses multipart Flight data.<br>- Monitor for unexpected Node.js child processes.<br>- Review for suspicious temporary files in /tmp or .next/server.<br>- Check for outbound calls to cloud metadata services or suspicious domains. |
| Mitigation Steps | Immediate patching (priority 1):<br>- React: upgrade to 19.0.1, 19.1.2, or 19.2.1.<br>- Next.js: upgrade to the patched branches named in the official Next.js advisory (rather than manually installing arbitrary versions).<br>- Related frameworks: update to their latest security releases.<br>WAF protection:<br>- Block suspicious multipart Flight payloads.<br>- Block or inspect requests carrying next-action / rsc-action-id where applicable.<br>- Use managed rulesets (AWS, Cloudflare, GCP) for serialization/unsafe deserialization protections.<br>If immediate patching is not possible:<br>- Disable Server Actions / RSC endpoints temporarily.<br>- Restrict RSC routes to internal or authenticated networks.<br>- Enforce strict network segmentation.<br>Post-remediation:<br>- Review logs for pre-patch exploitation attempts.<br>- Rotate all secrets and API keys if compromise is suspected.<br>- Check for persistence (systemd, cron, modified build artifacts).<br>- Validate the integrity of deployment pipelines and serverless bundles. |
| References | - https://nvd.nist.gov/vuln/detail/CVE-2025-55182<br>- https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components<br>- https://www.cve.org/CVERecord?id=CVE-2025-55182<br>- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182<br>- https://www.kaspersky.com/blog/react4shell-vulnerability-cve-2025-55182/54915/<br>- https://www.rapid7.com/blog/post/etr-react2shell-cve-2025-55182-critical-unauthenticated-rce-affecting-react-server-components/<br>- https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/<br>- https://www.facebook.com/security/advisories/cve-2025-55182<br>- https://securitylabs.datadoghq.com/articles/cve-2025-55182-react2shell-remote-code-execution-react-server-components/ |
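The detection row above asks you to inspect logs for POST requests that carry RSC Server Action headers. The following Node.js script is an added example, not part of the advisory and not code from the React or Next.js projects: it triages reverse-proxy logs for exactly that request shape. It assumes a proxy that writes one JSON object per line with `method`, `path`, `status` and a `headers` map (a constructed format; the sample lines are constructed too), and it flags a request only when it is a POST carrying next-action or rsc-action-id, noting additionally whether the body was multipart/form-data and whether the server answered with a 5xx, since both are worth a closer look during a post-patch log review.

```javascript
// Added example (not from the advisory): triage proxy logs for POST requests
// carrying RSC Server Action headers. Log format and sample lines are constructed.

// Header names the advisory lists as RSC Server Action markers (matched case-insensitively).
const RSC_ACTION_HEADERS = ['next-action', 'rsc-action-id'];

// Constructed sample log: a page view, an ordinary Server Action POST,
// a multipart POST with the header that failed server-side, a GET with the
// header (ignored: only POST is the vector), and one unparseable line.
const SAMPLE_LOG = [
  '{"ts":"2025-12-04T10:00:01Z","src":"198.51.100.7","method":"GET","path":"/","status":200,"headers":{"content-type":"text/html"}}',
  '{"ts":"2025-12-04T10:00:05Z","src":"198.51.100.7","method":"POST","path":"/dashboard","status":200,"headers":{"Next-Action":"abc123","content-type":"text/plain;charset=UTF-8"}}',
  '{"ts":"2025-12-04T10:02:11Z","src":"203.0.113.9","method":"POST","path":"/","status":500,"headers":{"next-action":"x","content-type":"multipart/form-data; boundary=----deadbeef"}}',
  '{"ts":"2025-12-04T10:03:00Z","src":"203.0.113.9","method":"GET","path":"/api/health","status":200,"headers":{"rsc-action-id":"ignored-on-get"}}',
  'not json at all',
].join('\n');

function parseLine(line) {
  try { return JSON.parse(line); } catch { return null; }
}

// Normalise header names to lowercase so Next-Action and next-action match alike.
function lowerHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v);
  return out;
}

// Returns the reasons an entry looks like an RSC Server Action request,
// or an empty list. Only POSTs count: that is the vector the advisory names.
function rscActionIndicators(entry) {
  if (!entry || entry.method !== 'POST') return [];
  const h = lowerHeaders(entry.headers);
  const reasons = [];
  for (const name of RSC_ACTION_HEADERS) {
    if (name in h) reasons.push(`header:${name}`);
  }
  if (reasons.length === 0) return [];
  if ((h['content-type'] || '').toLowerCase().startsWith('multipart/form-data')) reasons.push('multipart-body');
  if (Number(entry.status) >= 500) reasons.push('server-error');
  return reasons;
}

// Walks a whole log text and returns flagged entries plus a count of lines it could not parse.
function triageLog(text) {
  const findings = [];
  let unparsed = 0;
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    const entry = parseLine(line);
    if (!entry) { unparsed++; continue; }
    const reasons = rscActionIndicators(entry);
    if (reasons.length) {
      findings.push({ ts: entry.ts, src: entry.src, path: entry.path, status: entry.status, reasons });
    }
  }
  return { findings, unparsed };
}

// Stand-alone run against the constructed sample; pipe a real JSONL log through readFileSync instead.
if (typeof require !== 'undefined' && require.main === module) {
  const result = triageLog(SAMPLE_LOG);
  for (const f of result.findings) {
    console.log(`${f.ts} ${f.src} POST ${f.path} ${f.status} [${f.reasons.join(', ')}]`);
  }
  console.log(`${result.findings.length} RSC action request(s); ${result.unparsed} unparsed line(s)`);
}
```

A hit is not evidence of compromise on its own: every legitimate Server Action call carries one of these headers. What makes an entry worth pulling the full request for is the combination the third sample line shows, a multipart body on a route that does not normally receive one, a 5xx answer, or a source that also appears in your child-process or outbound-connection telemetry.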
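The mitigation row puts upgrading first and names the fixed React releases (19.0.1, 19.1.2, 19.2.1) for the affected react-server-dom-* packages. The following Node.js script is an added example, not from the advisory and not the React project's own tooling: it audits a dependency map for those three packages and reports, per package, whether the installed version is one the advisory lists as affected and which fixed release in the same 19.x line to move to. The `{ name: version }` input shape and the sample map are constructed; feed it the resolved versions from your lockfile rather than package.json ranges, since a caret range says nothing about what is actually installed.

```javascript
// Added example (not from the advisory): audit resolved dependency versions
// against the affected and fixed releases the advisory lists. Input shape and
// sample data are constructed.

const AFFECTED_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];
// Affected versions per the advisory ("19.0" in the advisory is the 19.0.0 release).
const AFFECTED_VERSIONS = ['19.0.0', '19.1.0', '19.1.1', '19.2.0'];
// Fixed release for each affected 19.x minor line, per the advisory.
const FIXED_BY_MINOR = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };

// Parse "x.y.z" into numbers; tolerates a leading ^, ~ or = and ignores any
// prerelease suffix, which is the conservative choice for an audit.
function parseVersion(v) {
  const m = /^[\^~=]?v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Classify one package@version: vulnerable (with the release to upgrade to),
// patched, outside the advisory's 19.x lines, unparseable, or review.
function auditPackage(name, version) {
  const parsed = parseVersion(version);
  if (!parsed) return { name, version, status: 'unparseable' };
  const fixed = FIXED_BY_MINOR[`${parsed[0]}.${parsed[1]}`];
  if (!fixed) return { name, version, status: 'not-in-advisory-range' };
  if (AFFECTED_VERSIONS.includes(parsed.join('.'))) {
    return { name, version, status: 'vulnerable', upgradeTo: fixed };
  }
  if (compareVersions(parsed, parseVersion(fixed)) >= 0) return { name, version, status: 'patched' };
  // Below the fix yet not an enumerated affected version: flag for manual review rather than assume safe.
  return { name, version, status: 'review', upgradeTo: fixed };
}

// Audit every dependency that is one of the affected packages.
function auditDependencies(deps) {
  return Object.entries(deps)
    .filter(([name]) => AFFECTED_PACKAGES.includes(name))
    .map(([name, version]) => auditPackage(name, version));
}

// Constructed sample resembling resolved versions pulled from a lockfile.
const SAMPLE_DEPS = {
  'react': '19.1.1',
  'react-server-dom-webpack': '19.1.1',
  'react-server-dom-turbopack': '19.2.1',
  'react-server-dom-parcel': '19.0.0',
  'next': '15.0.0',
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditDependencies(SAMPLE_DEPS)) {
    const action = f.upgradeTo ? ` -> upgrade to ${f.upgradeTo}` : '';
    console.log(`${f.name}@${f.version}: ${f.status}${action}`);
  }
}
```

This check covers only the React packages the advisory enumerates; for Next.js the advisory defers to the framework's own patched branches, so treat a clean result here as necessary but not sufficient, and confirm the Next.js version separately against that advisory.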