On December 3, 2025, React maintainers disclosed a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components (RSC), tracked as CVE-2025-55182. A working PoC was released publicly, and Wallarm immediately began observing widespread exploitation attempts across customer environments.

What is CVE-2025-55182?

CVE-2025-55182 is an unauthenticated remote code execution (RCE) vulnerability, rated CVSS 10.0, and it is already being actively exploited in the wild. For more details, you can refer to this advisory. The issue affects React’s server-side implementations such as react-server-dom-webpack and react-server-dom-parcel (versions 19.0.0, 19.1.x, 19.2.0).

The vulnerability stems from unsafe export resolution during deserialization of RSC action metadata, specifically returning moduleExports[metadata[2]] without property or prototype safety checks.

The publicly available PoC shows that attackers can craft malicious RSC action payloads leading directly to arbitrary code execution via vm.runInThisContext(...).

What is CVE-2025-66478?

In addition to the CVE-2025-55182 affecting React, the issue also affects Next.js deployments, tracked under CVE-2025-66478. According to public reporting, the same underlying flaw in RSC deserialization affects Next.js when using its RSC-enabled components or server-side rendering via React’s server-dom packages.

In other words: CVE-2025-66478 is not a separate, new vulnerability, it is the same RSC deserialization bug as CVE-2025-55182, but manifesting through Next.js. Thus, Next.js applications using RSC should be considered vulnerable and must apply the same patches or mitigations.

What is the Impact?

A successful exploitation allows attackers to:

• Achieve full remote code execution on the server running the React application.
• Read and write files, enabling attackers to escalate their intrusion, persist access, deploy additional tooling, or stage further attacks.
• Potentially take complete control of affected services depending on environment privileges.

Because the exploit is unauthenticated, extremely simple to weaponize, and already circulating publicly, the risk is severe and immediate.

How Does Wallarm Protect Against These Vulnerabilities?

Wallarm already provides full out-of-the-box protection against exploitation attempts associated with CVE-2025-55182.

Specifically, Wallarm began detecting and blocking the earliest exploitation attempts shortly after disclosure.  To strengthen coverage, Wallarm has also deployed additional detection rules designed to identify attempts to exploit the unsafe server-side execution pathways abused in this vulnerability. These rules focus on capturing behavior characteristic of attackers trying to:

• Trigger server-side evaluation or sandbox escapes
• Execute arbitrary system commands
• Spawn new processes or invoke system utilities
• Read or write sensitive files on the server
• Leverage utility functions to escalate their actions or chain operations

In other words, the enhanced protections are tuned to detect exploitation patterns aligned with how attackers abuse the vulnerable RSC deserialization flow to reach sensitive server APIs and perform remote code execution.

These protections are automatically applied, and require no action from Wallarm customers.

Within the first two hours after the PoC was published, Wallarm observed over 4,100 exploitation attempts targeting customer infrastructures and the number continues to grow. The vast majority of these attacks were fully automated, originating from botnets and opportunistic scanners attempting to weaponize the vulnerability at scale. Most attempts reused a nearly identical RCE payload structure, closely aligned with the patterns demonstrated in the public PoC. An example of such an attack is shown in the figure below.

Recommended Remediation

• Update React server-dom packages immediately to the patched versions:
  19.0.1, 19.1.2, 19.2.1
• Review application code that relies on React Server Components or server actions to ensure no unnecessary exposure of sensitive server-side modules.
• If publicly facing vulnerable instances of React Server Components are identified in your infrastructure, initiate an investigation to assess potential compromise and determine whether any exploitation attempts succeeded prior to patching.

Conclusion

Modern applications operate in ecosystems where complex frameworks and numerous dependencies mean new vulnerabilities can surface at any time, making the risk of zero-day exposure a constant reality. This underscores the need for a multi-layer, defense-in-depth security strategy to limit the impact of emerging threats.

Wallarm supports this approach by:

• Proactively protecting against web and API zero-days, often blocking exploitation attempts automatically
• Identifying exposed or unprotected hosts through API Attack Surface Management (AASM), reducing opportunities for attackers
• Ensuring the Wallarm Research Team continuously monitors emerging threats and enhances product protections to keep pace with attackers’ evolving techniques.

With zero-day threats always possible, Wallarm helps organizations stay resilient and ahead of potential attacks.