Advisory update

As of December 5th, exploitation attempts targeting CVE-2025-55182 by China-affiliated threat actors have been reported. Trusted sources have confirmed successful exploitation by the nation-state actors, followed by the deployment of malware on compromised systems.

As of the same date, Proof of Concept (PoC) code for exploiting CVE-2025-55182 is also publicly available. mnemonic and others have also observed increased scanning activity aimed at identifying vulnerable instances, as well as exploit attempts to execute code on affected servers. In addition to the successful compromises noted above, other observed attempts include efforts to install Bitcoin-mining software and additional malware.

Opportunistic attempts from less-skilled threat actors are expected to continue in the coming days and weeks. Exploit tools are publicly available, and only limited technical skill is required to use them. mnemonic assesses that exploitation of vulnerable instances is likely to become widespread in the near term.

Detections and vendor signatures

Various vendors have implemented and released rules for detection and prevention related to the vulnerability including:

Note that some of these rules require manual configuration, including enabling them in blocking mode. Customers looking to add protective measures, such as add-on licences or additional solutions, are encouraged to contact mnemonic for further assistance.

Recommendations

Affected environments are strongly advised to immediately upgrade to fixed versions of the vulnerable package(s).

------------------------------------------

Background

On December 3, 2025, a critical vulnerability in React Server Components (RSC) was disclosed. If exploited, it may lead to unauthenticated Remote Code Execution (RCE). CVE-2025-55182 relates to the deserialisation of payloads in RSC, in which a maliciously crafted HTTP request can lead to unauthorised remote execution of privileged JavaScript code on the server. It has a CVSS score of 10.0, with low attack complexity and a high success rate.

Next.js, which relies on React, is also affected by the vulnerability. A separate vulnerability tracked as CVE-2025-66478 for Next.js has been marked as a duplicate of CVE-2025-55182.

Organisations who use Cloudflare WAF in front of their React or Next.js instances are reported to be actively protected. React reports that they are actively working with multiple hosting providers to apply temporary mitigations.

Threat Intelligence assessment

While there are currently no publicly known working PoC exploits for this vulnerability, the low attack complexity and the prevalence of vulnerable systems indicate that a publicly verified exploit is only a matter of time. This assessment is further strengthened by the fact that Wiz developed an exploit within one day of the public announcement. At the time of writing, there are no indications that the vulnerability is being exploited in the wild; however, some publicly circulating PoC code is not a genuine exploit for this vulnerability.

Affected systems

The vulnerability resides in React Server Components (RSC) of the following packages and versions.

Upstream packages:

  • react-server-dom-parcel
  • react-server-dom-turbopack
  • react-server-dom-webpack

Upstream versions:

  • 19.0.0
  • 19.1.0
  • 19.1.1
  • 19.2.0

According to the vendor, if your app's React code does not use a server or does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.

There are also several downstream packages affected. Among others, these include:

  • next
  • react-router
  • waku
  • @parcel/rsc
  • @vitejs/plugin-rsc
  • rwsdk

In particular, it's worth noting that Next.js is vulnerable with default configuration. The following versions of Next.js are vulnerable:

  • 15.x
  • 16.x
  • 14.3.0-canary.77 and later canary releases

Immediate patching is strongly advised for affected and exposed components.

Patched versions

The vulnerability is patched in the following versions of the upstream packages.

  • 19.0.1
  • 19.1.2
  • 19.2.1

The following versions of Next.js fix the vulnerability.

  • 15.0.5
  • 15.1.9
  • 15.2.6
  • 15.3.6
  • 15.4.8
  • 15.5.7
  • 16.0.7

For the remaining downstream packages, we recommend following each vendor's guidance and using React's blog as a secondary reference.
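As an added example (not mnemonic's, React's or Vercel's code), the following Node.js script checks a project's package-lock.json against the affected and fixed versions listed above. The lockfile fragment embedded in it is constructed for the demonstration, and any Next.js minor that the fix list above does not cover is reported as unknown rather than guessed.

```javascript
// Added example (not mnemonic's, React's or Vercel's code): scan a package-lock.json
// (lockfileVersion 2 or 3) for the versions this advisory lists as affected.
// Version data transcribed from the advisory text.
const RSC_PACKAGES = ["react-server-dom-parcel", "react-server-dom-turbopack", "react-server-dom-webpack"];
const RSC_VULNERABLE = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const NEXT_FIXED = { "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
                     "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7" };
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}
const cmpRelease = (a, b) => (a.major - b.major) || (a.minor - b.minor) || (a.patch - b.patch);
// Classify a Next.js version against the advisory's vulnerable and fixed lists.
function assessNext(version) {
  const v = parseVersion(version);
  if (!v) return "unknown";
  if (v.major === 14) { // only 14.3.0-canary.77 and later canaries are listed as affected
    if (!v.pre || !v.pre.startsWith("canary.")) return "not-listed";
    const c = cmpRelease(v, { major: 14, minor: 3, patch: 0 });
    return c > 0 || (c === 0 && Number(v.pre.slice(7)) >= 77) ? "vulnerable" : "not-listed";
  }
  if (v.major !== 15 && v.major !== 16) return "not-listed";
  const fixed = NEXT_FIXED[`${v.major}.${v.minor}`];
  if (!fixed || v.pre) return "unknown"; // minor not in the fix list, or a prerelease build
  return cmpRelease(v, parseVersion(fixed)) < 0 ? "vulnerable" : "fixed";
}
// Walk every installed copy (nested node_modules included) and report the relevant packages.
function scanLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = path.slice(path.lastIndexOf("node_modules/") + 13);
    if (RSC_PACKAGES.includes(name)) {
      findings.push({ path, name, version: meta.version,
                      status: RSC_VULNERABLE.has(meta.version) ? "vulnerable" : "fixed-or-not-listed" });
    } else if (name === "next") {
      findings.push({ path, name, version: meta.version, status: assessNext(meta.version) });
    }
  }
  return findings;
}
// Constructed sample lockfile fragment (not a real project); pass a file path to scan a real one.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/next": { version: "15.4.7" },
  "node_modules/react-server-dom-webpack": { version: "19.1.1" },
  "node_modules/some-tool/node_modules/react-server-dom-webpack": { version: "19.1.2" } } };
const lock = process.argv[2] ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
for (const f of scanLock(lock)) console.log(`${f.status.padEnd(20)} ${f.name}@${f.version}  (${f.path})`);
```

Run as `node scan-lock.js path/to/package-lock.json`; nested copies pulled in by other tooling are reported with their full path so each one can be upgraded.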

Recommendations

Affected environments are recommended to immediately upgrade to fixed versions of the vulnerable package(s).
