React2Shell / RSC Deserialization Attacks

Targeted Sectors

·         Financial Services

·         IT companies

·         Logistics

·         Retail

·         Universities

o   American University

o   Boston University

o   Brown University

o   California State University, Sacramento

o   Carnegie Mellon University (which issued a security bulletin)

o   Chapman University

o   Columbia University

o   Cornell University

o   Drexel University

o   Eastern Washington University

o   George Mason University

o   Harvard University

o   Illinois Wesleyan University

o   Indiana University, Bloomington

o   Johns Hopkins University

o   Lafayette College

·         Government organizations

o   Not specifically named

·         Cloud service providers are heavily impacted.

Targeted Countries

·         Global

APT Names

·         Earth Lamia

·         Jackpot Panda

o   The activity has infrastructure overlaps with an I-Soon contractor

Criminal Organization Names

·         None publicly attributed to this specific campaign yet

o   Current activity appears opportunistic and widespread scanning/exploitation.

BLUF

A critical, maximum-severity (CVSS 10.0) Remote Code Execution (RCE) vulnerability exists in React Server Components (RSC) due to unsafe deserialization of payloads sent to server function endpoints. This flaw allows unauthenticated remote attackers to execute arbitrary code on the server simply by sending a specially crafted HTTP request, requiring no user interaction. Active exploitation in the wild has been reported since the public disclosure today, December 3, 2025. Immediate patching is essential.

Date of First Reported Activity

·         November 29, 2025.

Date of Last Reported Activity Update

·         December 12, 2025

CVEs

CVE-2025-55182

Affected React Server Components packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack

CVSS v3.1 Score/Vector

·         (10.0) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Nessus Plugin ID

·         277105

Is this on the KEV list?

·         Yes

What is the patch by date?

·         December 12, 2025

Patching/Mitigation Data

Immediate upgrade is required to mitigate the vulnerability.

CVE-2025-55182 (React):

·         Patched Versions: 19.0.1, 19.1.2, and 19.2.1.

Patch Release Date

·         December 3, 2025.

Link to Patch

·         hxxps://vercel.com/changelog/cve-2025-55182

Mitigation

·         React Server Components: Upgrade react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack to fixed versions 19.0.1, 19.1.2, or 19.2.1.

·         Next.js: Upgrade to a patched version such as 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7.


CVE-2025-55184

CVSS v3.1

·         (7.5) AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tenable ID

·         278531

Is this on the KEV list?

·         No

What is the patch by date?

·         Not applicable at this time


CVE-2025-67779

CVSS v3.1

·         (7.5) AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tenable ID

·         278532

Is this on the KEV list?

·         No

What is the patch by date?

·         Not applicable at this time

Software update information

React Dev

·         hxxps://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components

NextJS org

·         hxxps://nextjs.org/blog/security


Delivery Method

·         Specially crafted HTTP requests sent to exposed Server Function endpoints (e.g., API routes). No email samples are relevant as this is a network-based attack.

IOCs

Malicious IP Addresses: Several IP addresses have been identified in active scanning and exploitation attempts.

·         206.237.3.150

o   Attributed to Earth Lamia threat group

·         45.77.33.136

o   Attributed to Jackpot Panda threat group

·         143.198.92.82

o   Attributed to Anonymization Network

·         183.6.80.214

o   Unattributed threat cluster

Unusual Network Traffic

·         Defenders should monitor for general anomalies indicative of RCE attempts.

·         Unusual POST requests or spikes in traffic directed at RSC (React Server Components) endpoints that handle "Flight" payloads.

·         Unexpected errors or logs related to deserialization or malformed payloads on React/Next.js servers.

·         New, unexpected outbound connections originating from application servers to untrusted or unknown external IP addresses.

·         The presence of specific HTTP headers used in exploitation attempts

·         Examples

o   Next-Action: x

o   X-Nextjs-Request-Id: b5dce965

Host-Based IoCs

·         Malware Payloads: Successful exploitation has led to the installation of various malware families.

o   Multi-stage "Meshagent" malware.

o   Sliver malware framework.

o   XMRig cryptominer (both UPX packed and standard versions).

·         Discovery of unfamiliar temporary files or modules created in the application's directory following suspicious requests.

Additional scanning activity has been observed from over 800 other IP addresses.

System Activity

·         Execution of common attacker reconnaissance commands or other OS-level activity originating from the web application server process.

·         Attempts to harvest credentials from environment variables, filesystems, and cloud instance metadata.

TTPs

·         T1078.004 Valid Accounts: Supply Chain Compromise

·         T1505.003 Server Software Component: Web Shell

·         T1059 Command and Scripting Interpreter

·         Exploitation of public-facing application

·         Abuse of trusted third-party relationships

Malware Names

·         No specific strains identified with this initial campaign; attackers are likely focused on establishing initial access and deploying generic backdoors or C2 agents.

Malware Samples/PoC

Usage

Install deps

·         pip install -r requirements.txt

·         Customize the payload in payload_template.json. The default uses a gadget chain leveraging child_process.exec via prototype pollution in the deserialization handler. Replace "command": "whoami" with your desired shell command.

·         Execute: python CVE-2025-55182.py -t target.com -payload payload_template.json

URL to POC

hxxps://github.com/callinston/CVE-2025-55182

Suggested rules / potential hunts

Potential Suricata Rules

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2025-55182 React RCE Attempt (Unsafe Deserialization)"; flow:established,to_server; content:"RSC"; http_uri; fast_pattern; classtype:attempted-admin; reference:cve,2025-55182; sid:9000001; rev:1;)

Note: this is a generic placeholder that only matches "RSC" in the request URI; specific content patterns would be developed by security vendors.

Potential Sentinel Rules

// Detect RCE payload characteristics in WAF logs (the lookback window is now actually applied)
let lookback = 1h;
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DeviceVendor == "Azure WAF" or DeviceVendor == "Cloud Armor" or DeviceVendor == "ModSecurity"
| where DeviceAction contains "block"
| where RequestUri has "RSC" or RequestUri has "ServerFunction"
| where AdditionalExtensions contains "CVE-2025-55182"

Potential Splunk Hunts

index=weblogs uri_path IN ("*/RSC*", "*ServerFunction*") (POST OR PUT) | where byte_count > 1000 | table _time, src_ip, dest_ip, uri_path, user_agent

·         Hunt for unusual child processes spawned by the web server process (e.g., cmd.exe, bash) shortly after a POST request to an RSC endpoint.
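As an added example (not from this bulletin or any vendor), the Splunk hunt above and the network indicators from the IOC section (bulletin-listed source IPs, large POST/PUT requests to RSC endpoints, the malformed "Next-Action: x" header) expressed as a single Python pass over constructed NDJSON proxy log lines. The NDJSON field names, and the assumption that legitimate Next-Action values are long hexadecimal action ids, are mine, not something the bulletin states.

```python
import json
import re

# Source IPs the bulletin attributes to scanning/exploitation activity (taken from the page).
KNOWN_BAD_IPS = {"206.237.3.150", "45.77.33.136", "143.198.92.82", "183.6.80.214"}
# Same path patterns as the Splunk hunt: "*/RSC*" and "*ServerFunction*".
RSC_PATH = re.compile(r"/RSC|ServerFunction", re.IGNORECASE)
# Assumption: legitimate Next-Action ids are long hex strings; the page's "x" example is not.
ACTION_ID = re.compile(r"^[0-9a-f]{40,}$")

def classify(event: dict) -> list[str]:
    """Return the bulletin indicators one event matches (empty list = nothing suspicious)."""
    reasons = []
    headers = {k.lower(): v for k, v in event.get("headers", {}).items()}
    if event.get("src_ip") in KNOWN_BAD_IPS:
        reasons.append("src_ip in bulletin IOC list")
    if (event.get("method") in ("POST", "PUT") and RSC_PATH.search(event.get("uri", ""))
            and event.get("bytes", 0) > 1000):
        reasons.append("large POST/PUT to RSC endpoint")
    action = headers.get("next-action")
    if action is not None and not ACTION_ID.match(action):
        reasons.append(f"malformed Next-Action header: {action!r}")
    return reasons

def hunt(ndjson: str) -> list[tuple[str, list[str]]]:
    """Run classify() over newline-delimited JSON events; return (request id, reasons) for hits."""
    hits = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = classify(ev)
        if reasons:
            hits.append((ev.get("id", "?"), reasons))
    return hits

# Constructed sample events (not real traffic): a benign server-action call, a large POST from a
# bulletin-listed IP, and a request carrying the page's example "Next-Action: x" header.
SAMPLE_LOG = "\n".join([
    json.dumps({"id": "r1", "src_ip": "10.0.0.5", "method": "POST", "uri": "/dashboard",
                "bytes": 312, "headers": {"Next-Action": "a" * 40}}),
    json.dumps({"id": "r2", "src_ip": "206.237.3.150", "method": "POST", "uri": "/RSC/profile",
                "bytes": 4096, "headers": {}}),
    json.dumps({"id": "r3", "src_ip": "198.51.100.9", "method": "POST", "uri": "/ServerFunction",
                "bytes": 2048, "headers": {"Next-Action": "x", "X-Nextjs-Request-Id": "b5dce965"}}),
])

if __name__ == "__main__":
    for rid, why in hunt(SAMPLE_LOG):
        print(rid, "->", "; ".join(why))
```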

References

Reddit

·         hxxps://www.reddit.com/r/nextjs/comments/1pd8c7d/security_advisory_for_cve202566478

·         hxxps://www.reddit.com/r/nextjs/comments/1pg5gft/my_nextjs_server_was_compromised_by_react/

Fastly

·         hxxps://www.fastly.com/blog/fastlys-proactive-protection-critical-react-rce-cve-2025-55182

·         hxxps://www.fastlystatus.com/incident/378084

Tenable

·         hxxps://www.tenable.com/cve-2025-55182

·         hxxps://www.tenable.com/blog/react2shell-cve-2025-55182-react-server-components-rce

CISA

·         hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog

CVE Record

·         hxxps://www.cve.org/CVERecord?id=CVE-2025-55182

X.com

·         hxxps://x.com/nextjs/status/1996258069639246082

Medium

·         hxxps://medium.com/@gm0/cve-2025-55182-cve-2025-66478-react-19-and-next-js-critical-unauthenticated-rce-vulnerabilities-357c8137e45c

Vercel

·         hxxps://vercel.com/changelog/cve-2025-55182

GitHub

·         hxxps://github.com/vercel/next.js/commit/6ef90ef49fd32171150b6f81d14708aa54cd07b2

·         hxxps://github.com/callinston/CVE-2025-55182

Wiz IO

·         hxxps://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182

Horizon3

·         hxxps://horizon3.ai/attack-research/vulnerabilities/cve-2025-55182/

Hacker One

·         hxxps://www.hackerone.com/blog/cve-2025-55182-react-exploit

Datadog Security Labs

·         hxxps://securitylabs.datadoghq.com/articles/cve-2025-55182-react2shell-remote-code-execution-react-server-components/

Picus Security

·         hxxps://www.picussecurity.com/resource/blog/react-flight-protocol-rce-vulnerability-cve-2025-55182-and-cve-2025-66478-explained

SOC Prime

·         hxxps://socprime.com/active-threats/cve-2025-55182-and-cve-2025-66478-analysis/

Aikido Security

·         hxxps://www.aikido.dev/blog/react-nextjs-cve-2025-55182-rce

SOCRadar

·         hxxps://socradar.io/labs/app/cve-radar/cve-2025-55182

React Dev

·         hxxps://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components

NextJS org

·         hxxps://nextjs.org/blog/security-update-2025-12-11
