{“lastseen”:”2025-12-04T12:05:14″,”description”:”On December 3, 2025, React maintainers disclosed a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components (RSC), tracked as CVE-2025-55182. A working PoC was released publicly, and Wallarm immediately began observing widespread exploitation attempts across customer environments.\\n\\n## **What is CVE-2025-55182?**\\n\\nCVE-2025-55182 is an unauthenticated remote code execution (RCE) vulnerability, rated CVSS 10.0, and it is already being actively exploited in the wild. For more details, you can refer to this advisory. The issue affects React\u2019s server-side implementations such as react-server-dom-webpack and react-server-dom-parcel (versions 19.0.0, 19.1.x, 19.2.0).\\n\\nThe vulnerability stems from unsafe export resolution during deserialization of RSC action metadata, specifically returning moduleExports[metadata[2]] without property or prototype safety checks.\\n\\nThe publicly available PoC shows that attackers can craft malicious RSC action payloads leading directly to arbitrary code execution via vm.runInThisContext(…).\\n\\n## **What is** **CVE-2025-66478?**\\n\\nIn addition to the CVE-2025-55182 affecting React, the issue also affects Next.js deployments, tracked under CVE-2025-66478. According to public reporting, the same underlying flaw in RSC deserialization affects Next.js when using its RSC-enabled components or server-side rendering via React\u2019s server-dom packages.\\n\\nIn other words: CVE-2025-66478 is not a separate, new vulnerability, it is the same RSC deserialization bug as CVE-2025-55182, but manifesting through Next.js. Thus, Next.js applications using RSC should be considered vulnerable and must apply the same patches or mitigations.\\n\\n## **What is the** **Impact?**\\n\\nA successful exploitation allows attackers to:\\n\\n * Achieve **full remote code execution** on the server running the React application.\\n * **Read and write files** , enabling attackers to escalate their intrusion, persist access, deploy additional tooling, or stage further attacks.\\n * Potentially take complete control of affected services depending on environment privileges.\\n\\n\\n\\nBecause the exploit is unauthenticated, extremely simple to weaponize, and already circulating publicly, the risk is severe and immediate.\\n\\n## **How Does Wallarm Protect Against These Vulnerabilities?**\\n\\nWallarm already provides full out-of-the-box protection against exploitation attempts associated with CVE-2025-55182.\\n\\nSpecifically, Wallarm began detecting and blocking the earliest exploitation attempts shortly after disclosure. To strengthen coverage, Wallarm has also deployed additional detection rules designed to identify attempts to exploit the unsafe server-side execution pathways abused in this vulnerability. These rules focus on capturing behavior characteristic of attackers trying to:\\n\\n * Trigger server-side evaluation or sandbox escapes\\n * Execute arbitrary system commands\\n * Spawn new processes or invoke system utilities\\n * Read or write sensitive files on the server\\n * Leverage utility functions to escalate their actions or chain operations\\n\\n\\n\\nIn other words, the enhanced protections are tuned to detect exploitation patterns aligned with how attackers abuse the vulnerable RSC deserialization flow to reach sensitive server APIs and perform remote code execution.\\n\\nThese protections are automatically applied, and require no action from Wallarm customers.\\n\\nWithin the first two hours after the PoC was published, Wallarm observed over 4,100 exploitation attempts targeting customer infrastructures and the number continues to grow. The vast majority of these attacks were fully automated, originating from botnets and opportunistic scanners attempting to weaponize the vulnerability at scale. Most attempts reused a nearly identical RCE payload structure, closely aligned with the patterns demonstrated in the public PoC. An example of such an attack is shown in the figure below.\\n\\n\\n\\n### **Recommended Remediation**\\n\\n * Update React server-dom packages immediately to the patched versions: \\n19.0.1, 19.1.2, 19.2.1\\n * Review application code that relies on React Server Components or server actions to ensure no unnecessary exposure of sensitive server-side modules.\\n * If publicly facing vulnerable instances of React Server Components are identified in your infrastructure, initiate an investigation to assess potential compromise and determine whether any exploitation attempts succeeded prior to patching.\\n\\n\\n\\n## **Conclusion**\\n\\nModern applications operate in ecosystems where complex frameworks and numerous dependencies mean new vulnerabilities can surface at any time, making the risk of zero-day exposure a constant reality. This underscores the need for a multi-layer, defense-in-depth security strategy to limit the impact of emerging threats.\\n\\nWallarm supports this approach by:\\n\\n * **Proactively protecting** against web and API zero-days, often blocking exploitation attempts automatically\\n * **Identifying exposed or unprotected hosts** through API Attack Surface Management (AASM), reducing opportunities for attackers\\n * Ensuring the **Wallarm Research Team continuously monitors emerging threats and enhances product protections** to keep pace with attackers\u2019 evolving techniques.\\n\\n\\n\\nWith zero-day threats always possible, Wallarm helps organizations stay resilient and ahead of potential attacks.\\n\\nThe post Wallarm Halts Remote Code Execution Exploits: Defense for Vulnerable React Server Component Workflows appeared first on Wallarm.”,”published”:”2025-12-04T10:35:56″,”modified”:”2025-12-04T10:35:56″,”type”:”wallarmlab”,”title”:”Wallarm Halts Remote Code Execution Exploits: Defense for Vulnerable React Server Component Workflows”,”source”:””,”references”:””,”id”:”WALLARMLAB:698CFC2A1B34810734AAE646DEB1FD0E”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[“CVE-2025-55182″,”CVE-2025-66478″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:10,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/lab.wallarm.com\/wallarm-blocks-exploitation-remote-code-execution-vulnerability-react-server-components\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-04T12:05:14″,”description”:”On December 3, 2025, React maintainers disclosed a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components (RSC), tracked as CVE-2025-55182. A working…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[9,6,8,36,12,13,7,11,5,105],"class_list":["post-28621","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-news","tag-security","tag-tapic","tag-vulnerability","tag-wallarmlab"],"yoast_head":"\n