A critical unauthenticated remote code execution vulnerability in React Server Components (CVE-2025-55182) allows attackers to execute arbitrary code on affected server-side applications and has been assigned a CVSS score of 10.0. The flaw also affects downstream projects, including Next.js (tracked as CVE-2025-66478). Public exploit code and a working PoC exist that can compromise a default create-next-app instance, and widespread scanning has been observed in the wild. #CVE-2025-55182 #Nextjs
Keypoints
- React Server Components libraries (react-server-dom-parcel, react-server-dom-webpack, react-server-dom-turbopack) in versions 19.0 through 19.2.0 are vulnerable to CVE-2025-55182; patched releases are 19.0.1, 19.1.2, and 19.2.1.
- Next.js instances that embed a vulnerable React component (Next.js 15.x, 16.x, and 14.3.0-canary.77+) are affected. Next.js is tracking the issue as CVE-2025-66478, and patched Next.js releases are available (e.g., 15.0.5, 16.0.7).
- The underlying flaw is server-side prototype pollution in the React flight protocol that can be abused to call native functions (e.g., child_process.execSync) leading to remote code execution; the fix adds a property check in requireModule to prevent prototype-based access.
- Public PoCs were published within hours: an initial annotated/invalid PoC and a later working exploit by Moritz Sanft that demonstrates compromising a blank create-next-app instance and creating /tmp/pwned as root.
- Datadog confirmed that exploitation is straightforward once a working exploit exists, and observed scanning activity from over 80 IP addresses beginning December 3 as attackers probed for vulnerable applications.
- Remediation is to upgrade the affected React server DOM packages or Next.js to the listed patched versions, and to use tools such as npm audit and Datadog Code Security / App and API Protection to detect and block exploitation at runtime.
MITRE Techniques
Indicators of Compromise
- [Domain] attacker callback and DNS/OAST activity observed in payloads: sapo.shk0x.net, xwpoogfunv.zaza.eu.org
- [File path] evidence of successful exploitation or attempted file access: /tmp/pwned (created by PoC), /etc/passwd (attempted read)
- [File name] exploit payload files referenced in reproduction steps: payload.json, payload2.txt
- [Command] native commands observed in PoC and scanning payloads: id, whoami (and spawnSync/execSync command invocations)
- [HTTP parameter] crafted request parameters used in exploits and observed scans: requests with a Next-Action header and multipart form fields containing payload JSON and `$1:__proto__:then` values
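Two defender-side checks built from the details above (the affected and patched version ranges in the keypoints, and the Next-Action / `$1:__proto__:then` request pattern in the IoCs), written as an added example; this is not code from the advisory or from the React or Next.js projects. The version parser, the regular expression, and the sample request are assumptions constructed for illustration.

```javascript
// Added example, not from the advisory or the React/Next.js projects.
//  1. isVulnerableVersion(): is a react-server-dom-* version inside the
//     affected 19.0 .. 19.2.0 range and below its patched release
//     (19.0.1, 19.1.2 or 19.2.1)?
//  2. scanFlightRequest(): does a request carry a Next-Action header plus a
//     flight reference that walks __proto__ (e.g. "$1:__proto__:then")?

// Patched release per 19.x minor line, as listed in the advisory.
const PATCHED = { 0: [19, 0, 1], 1: [19, 1, 2], 2: [19, 2, 1] };

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [+m[1], +m[2], +m[3]], pre: m[4] !== undefined };
}

function isVulnerableVersion(version) {
  const { nums, pre } = parseSemver(version);
  const fixed = PATCHED[nums[1]];
  if (nums[0] !== 19 || !fixed) return false; // outside the advisory's ranges
  for (let i = 0; i < 3; i++) {
    if (nums[i] < fixed[i]) return true;
    if (nums[i] > fixed[i]) return false;
  }
  // Same triple as the fix: a prerelease (e.g. -canary) sorts before the
  // release, so treat it as unpatched (conservative assumption).
  return pre;
}

// Flight-style reference whose property path goes through __proto__.
const PROTO_REF = /\$\d+:__proto__:[\w$]*/;

function scanFlightRequest(rawRequest) {
  const [head, ...rest] = rawRequest.split(/\r?\n\r?\n/);
  const headers = head.split(/\r?\n/).slice(1).map((l) => l.toLowerCase());
  const nextAction = headers.some((l) => l.startsWith('next-action:'));
  const hit = PROTO_REF.exec(rest.join('\n\n'));
  return { nextAction, protoRef: hit ? hit[0] : null,
           suspicious: nextAction && hit !== null };
}

// Constructed sample request (not a captured exploit) carrying the IoC value.
const SAMPLE_REQUEST = [
  'POST /app HTTP/1.1', 'Host: example.internal',
  'Next-Action: 0000000000000000',
  'Content-Type: multipart/form-data; boundary=b',
  '', '--b', 'Content-Disposition: form-data; name="0"', '',
  '["$1:__proto__:then"]', '--b--',
].join('\r\n');
```

Run `isVulnerableVersion` against the versions `npm ls react-server-dom-webpack` reports, and feed `scanFlightRequest` raw requests from a WAF or proxy capture; a hit on both fields is worth an alert, a `__proto__` reference without a Next-Action header still merits a look.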