React2Shell / RSC Deserialization Attacks

Targeted Sectors

·         Potentially any organization using vulnerable versions of React, Next.js, or related frameworks (e.g., Vercel, Vite RSC, Parcel RSC) for public-facing web applications.

·         Cloud and hosting providers that run customer Next.js/RSC applications are heavily impacted (see the Vercel and Fastly references below).

Targeted Countries

·         Global

APT Names

·         None known at this time

Criminal Organization Names

·         None publicly attributed to this specific campaign yet

o   Current activity appears opportunistic and widespread scanning/exploitation.

BLUF

A critical, maximum-severity (CVSS 10.0) Remote Code Execution (RCE) vulnerability exists in React Server Components (RSC) due to unsafe deserialization of payloads sent to Server Function endpoints. An unauthenticated remote attacker can execute arbitrary code on the server by sending a single specially crafted HTTP request; no user interaction is required. Active exploitation in the wild has been reported since public disclosure on December 3, 2025 (the date of this advisory). Immediate patching is essential.

Date of First Reported Activity

·         November 29, 2025

Date of Last Reported Activity Update

·         December 3, 2025

CVEs

CVE-2025-55182

Affected React Server Components packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack

CVSS 3.1 Score / Vector

·         10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Nessus Plugin ID

·         277105

Is this on the KEV List

·         Yes

What is the patch by date?

·         December 12, 2025

Patching/Mitigation Data

Immediate upgrade is required to mitigate the vulnerability.

CVE-2025-55182 (React):

·         Patched Versions: 19.0.1, 19.1.2, and 19.2.1.

Patch Release Date

·         December 3, 2025

Link to Patch

·         hxxps://vercel.com/changelog/cve-2025-55182
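To turn the patched-version list above into a check you can run against a build, the following is an added example (not code from the React project, Vercel, or this advisory). It audits an npm lockfile (v2/v3 layout, "packages" keyed by node_modules path) for the three affected react-server-dom-* packages and compares each installed version against the fixed release for its 19.x minor line: 19.0.1, 19.1.2 and 19.2.1. The lockfile embedded below is constructed for the example; the minor-line-to-fix mapping and the "review" status for canary/prerelease builds are this example's own conventions.

```python
"""Audit an npm package-lock.json for react-server-dom-* versions affected by CVE-2025-55182.

Added example, not code from the React project or this advisory. Assumes an npm
lockfile v2/v3 layout ("packages" keyed by node_modules path). Fixed versions
are the ones listed in the advisory: 19.0.1, 19.1.2, 19.2.1.
"""
import json
import re

AFFECTED_PACKAGES = (
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
    "react-server-dom-webpack",
)

# First fixed release per 19.x minor line (from the advisory's patched-version list).
FIXED_BY_MINOR = {(19, 0): (19, 0, 1), (19, 1): (19, 1, 2), (19, 2): (19, 2, 1)}

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(version):
    """Return ((major, minor, patch), prerelease_or_None), or None if unparseable."""
    m = _SEMVER.match(version.strip().lstrip("v"))
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def classify(version):
    """Classify one react-server-dom-* version: fixed / vulnerable / review / unknown."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    core, prerelease = parsed
    fixed = FIXED_BY_MINOR.get(core[:2])
    if fixed is None:
        # Minor line not covered by the advisory's fix list: consult vendor guidance.
        return "unknown"
    if prerelease is not None:
        # Canary/experimental builds do not compare cleanly against stable fix versions.
        return "review"
    return "fixed" if core >= fixed else "vulnerable"


def audit_lockfile(lock):
    """Return a finding for every affected package present in a parsed package-lock."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        # Strip the (possibly nested) node_modules prefix to get the package name.
        name = path.rsplit("node_modules/", 1)[-1] if "node_modules/" in path else path
        if name in AFFECTED_PACKAGES and "version" in meta:
            findings.append({
                "package": name,
                "path": path,
                "version": meta["version"],
                "status": classify(meta["version"]),
            })
    return findings


# Constructed sample lockfile for the example (not a real project).
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "node_modules/react": {"version": "19.2.0"},
    "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
    "node_modules/legacy-widget/node_modules/react-server-dom-turbopack": {"version": "19.1.2"},
    "node_modules/react-server-dom-parcel": {"version": "19.2.0-canary-example-20251101"}
  }
}""")


if __name__ == "__main__":
    import sys
    # Usage: python audit_rsc.py [path/to/package-lock.json]; defaults to the sample.
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for f in audit_lockfile(lock):
        print(f"{f['status']:<10} {f['package']}@{f['version']}  ({f['path']})")
```

Two caveats when using this on a real deployment. Next.js ships its own vendored copy of the react-server-dom-* packages inside the next package rather than as separate lockfile entries, so a clean lockfile audit does not clear a Next.js application; check the next version against the Next.js patch linked under CVE-2025-66478 below. Nested copies (a second node_modules under a dependency) are reported separately, which is why the example walks every path instead of only top-level entries.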

CVE-2025-66478

Downstream impact on the Next.js framework, which bundles the affected react-server-dom-* packages

CVSS 3.1 Score / Vector

·         10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Nessus ID

·         277108

Is this on the KEV List

·         No

What is the patch by date?

·         Not applicable at this time

Link to patch

·         hxxps://github.com/vercel/next.js/commit/6ef90ef49fd32171150b6f81d14708aa54cd07b2


Delivery Method

·         Specially crafted HTTP requests (POST bodies) sent to exposed Server Function endpoints, i.e. the routes of the application that accept RSC server-function calls. This is a purely network-based attack against the application itself; no email, lure or file-based delivery is involved.

IOCs

·         Currently, IOCs are limited to general scanning activity against typical Next.js/RSC endpoints. Source IPs are dynamic and varied and are not a reliable indicator; treat the request pattern (see the hunts below) as the indicator rather than IP lists.

TTPs

·         TA0001: Initial Access (via CVE-2025-55182/CVE-2025-66478 exploitation of web-facing applications)

·         T1190: Exploit Public-Facing Application

·         TA0002: Execution (T1059.007: Command and Scripting Interpreter: JavaScript, executed on the server via unsafe deserialization; T1059.004 Unix Shell / T1059.003 Windows Command Shell for the child shells the payload spawns)

Malware Names

·         No specific strains identified with this initial campaign; attackers are likely focused on establishing initial access and deploying generic backdoors or C2 agents.

Malware Samples/PoC

Usage

Install deps

·         pip install -r requirements.txt

·         Customize the payload in payload_template.json. The default uses a gadget chain leveraging child_process.exec via prototype pollution in the deserialization handler. Replace "command": "whoami" with your desired shell command.

·         Execute: python CVE-2025-55182.py -t target.com -payload payload_template.json

URL to POC

hxxps://github.com/callinston/CVE-2025-55182

Suggested rules / potential hunts

Potential Suricata Rules

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2025-55182 React RCE Attempt (Unsafe Deserialization)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"RSC"; fast_pattern; classtype:attempted-admin; reference:cve,2025-55182; sid:9000001; rev:1;)

(This is a generic placeholder. A bare "RSC" substring in the URI both misses server-function calls that go to ordinary page paths and fires on legitimate RSC navigation fetches; expect vendor signatures to key on the server-function request format rather than the URI alone. Note the Suricata cve reference takes the bare "YYYY-NNNNN" value. Tune against your own traffic baseline before enabling in blocking mode.)

Potential Sentinel Rules

// Detect WAF-blocked requests to RSC / Server Function endpoints whose rule metadata names the CVE
let lookback = 1h;
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DeviceVendor in ("Azure WAF", "Cloud Armor", "ModSecurity")
| where DeviceAction contains "block"
| where RequestURL has "RSC" or RequestURL has "ServerFunction"
| where AdditionalExtensions contains "CVE-2025-55182"
| project TimeGenerated, SourceIP, RequestMethod, RequestURL, DeviceVendor, DeviceAction, AdditionalExtensions

(The last filter only matches if your WAF embeds the CVE identifier in the rule name or extension fields; drop it to see all blocked requests to these endpoints. The DeviceVendor values must match the strings your connector actually emits.)

Potential Splunk Hunts

index=weblogs http_method IN ("POST","PUT") uri_path IN ("*/RSC*", "*ServerFunction*") | where byte_count > 1000 | table _time, src_ip, dest_ip, http_method, uri_path, byte_count, user_agent

(Rename byte_count to your sourcetype's request-size field, e.g. bytes_in under the CIM Web data model.)

·         Hunt for unusual child processes spawned by the web server process (the Node.js process serving the Next.js/RSC application) such as sh, bash, cmd.exe or powershell.exe within seconds of a POST to an RSC endpoint. With Sysmon/EDR process-creation data this is a join on host and time window between the web-log hits above and process events whose parent is node.
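The two hunts above (write requests to RSC/Server Function endpoints with large bodies, then shells spawned by the web server process shortly after) are shown below as one runnable correlation, as an added example that is not part of this advisory or any vendor's detection content. It assumes JSON-lines web logs with fields ts, host, src_ip, method, uri, bytes_in and headers, and JSON-lines process-creation events with ts, host, parent_image, image and cmdline; adjust the field names to your own sources. Beyond the URI patterns on the page, it also treats a POST carrying the Next-Action header (the header Next.js uses to invoke a server action) as a server-function call. Both log samples are constructed for the example.

```python
"""Correlate suspicious RSC / server-function requests with shells spawned by the web server.

Added example, not part of the advisory or any vendor's detection content.
Assumes JSON-lines web logs (ts, host, src_ip, method, uri, bytes_in, headers) and
JSON-lines process-creation events (ts, host, parent_image, image, cmdline).
"""
import json
from datetime import datetime, timedelta

RSC_URI_MARKERS = ("/RSC", "ServerFunction")     # URI patterns from the Splunk hunt above
SERVER_ACTION_HEADER = "next-action"              # Next.js server-action invocation header
LARGE_BODY = 1000                                 # body-size threshold from the Splunk hunt
SHELLS = {"sh", "bash", "dash", "cmd.exe", "powershell.exe", "pwsh"}
WEB_SERVER_IMAGES = {"node", "node.exe", "next-server"}  # extend for your deployment
WINDOW = timedelta(seconds=30)                    # how long after the request a shell counts


def _basename(path):
    """Image name without directory, for both / and \\ separated paths."""
    return path.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]


def suspicious_requests(web_lines):
    """POST/PUT to an RSC or server-function endpoint with a large body."""
    hits = []
    for line in web_lines:
        rec = json.loads(line)
        if rec["method"] not in ("POST", "PUT"):
            continue
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        uri_hit = any(m.lower() in rec["uri"].lower() for m in RSC_URI_MARKERS)
        header_hit = SERVER_ACTION_HEADER in headers
        if (uri_hit or header_hit) and rec.get("bytes_in", 0) > LARGE_BODY:
            hits.append(rec)
    return hits


def correlate(web_hits, proc_lines, window=WINDOW):
    """Pair each suspicious request with shells the web server spawned on the same host
    within `window` after the request."""
    procs = [json.loads(l) for l in proc_lines]
    alerts = []
    for req in web_hits:
        t0 = datetime.fromisoformat(req["ts"])
        for p in procs:
            if p["host"] != req["host"]:
                continue
            delta = datetime.fromisoformat(p["ts"]) - t0
            if not (timedelta(0) <= delta <= window):
                continue
            if _basename(p["parent_image"]) in WEB_SERVER_IMAGES and _basename(p["image"]) in SHELLS:
                alerts.append({
                    "host": req["host"], "src_ip": req["src_ip"], "uri": req["uri"],
                    "child": _basename(p["image"]), "cmdline": p["cmdline"],
                    "delta_s": delta.total_seconds(),
                })
    return alerts


# Constructed sample logs (hypothetical hosts, IPs from documentation ranges, made-up action id).
WEB_LOG = [
    '{"ts":"2025-12-03T10:00:00","host":"web01","src_ip":"203.0.113.7","method":"POST",'
    '"uri":"/app/checkout","bytes_in":4120,"headers":{"Next-Action":"40abc1e2","Content-Type":"text/plain"}}',
    '{"ts":"2025-12-03T10:00:05","host":"web01","src_ip":"198.51.100.2","method":"GET",'
    '"uri":"/app/checkout?_rsc=abc","bytes_in":0,"headers":{}}',
    '{"ts":"2025-12-03T10:01:00","host":"web02","src_ip":"192.0.2.9","method":"POST",'
    '"uri":"/api/ServerFunction","bytes_in":200,"headers":{}}',
    '{"ts":"2025-12-03T10:02:00","host":"web02","src_ip":"203.0.113.7","method":"POST",'
    '"uri":"/api/ServerFunction","bytes_in":9800,"headers":{}}',
]
PROC_LOG = [
    '{"ts":"2025-12-03T10:00:02","host":"web01","parent_image":"/usr/bin/node","image":"/bin/sh","cmdline":"sh -c whoami"}',
    '{"ts":"2025-12-03T10:00:03","host":"web01","parent_image":"/usr/bin/node","image":"/usr/bin/git","cmdline":"git rev-parse HEAD"}',
    '{"ts":"2025-12-03T10:05:00","host":"web02","parent_image":"/usr/bin/node","image":"/bin/bash","cmdline":"bash -i"}',
]


if __name__ == "__main__":
    for a in correlate(suspicious_requests(WEB_LOG), PROC_LOG):
        print(f"{a['host']} {a['src_ip']} {a['uri']} -> {a['child']} ({a['cmdline']}) +{a['delta_s']}s")
```

The window is deliberately short: an exploitation payload that runs a command does so during the request, so a shell appearing minutes later is far more likely to be a cron job or a build step. Widening the window (for example to cover a delayed second stage) raises recall at the cost of noise, which is why `correlate` takes it as a parameter; the GET with `_rsc` in the query string is intentionally ignored because RSC navigation fetches are normal traffic.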

References

Reddit

·         hxxps://www.reddit.com/r/nextjs/comments/1pd8c7d/security_advisory_for_cve202566478

Fastly

·         hxxps://www.fastly.com/blog/fastlys-proactive-protection-critical-react-rce-cve-2025-55182

·         hxxps://www.fastlystatus.com/incident/378084

Tenable

·         hxxps://www.tenable.com/cve-2025-55182

·         hxxps://www.tenable.com/blog/react2shell-cve-2025-55182-react-server-components-rce

CISA

·         hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog

CVE Record

·         hxxps://www.cve.org/CVERecord?id=CVE-2025-55182

X (Twitter)

·         hxxps://x.com/nextjs/status/1996258069639246082

Medium

·         hxxps://medium.com/@gm0/cve-2025-55182-cve-2025-66478-react-19-and-next-js-critical-unauthenticated-rce-vulnerabilities-357c8137e45c

Vercel

·         hxxps://vercel.com/changelog/cve-2025-55182

GitHub

·         hxxps://github.com/vercel/next.js/commit/6ef90ef49fd32171150b6f81d14708aa54cd07b2

·         hxxps://github.com/callinston/CVE-2025-55182
