Full Report
React is a popular JavaScript library used to build modern, interactive web interfaces. It helps developers create UI components that update efficiently when data changes. React runs mostly in the browser, handling:

- UI rendering
- State updates
- User interactions

Next.js is a full-stack framework built on React. It adds server-side capabilities. This allows developers to build faster, […]

The post The CVSS 10 React Vulnerability: CVE-2025-55182 appeared first on Blogs on Information Technology, Network & Cybersecurity | Seqrite.
Analysis Summary
# Vulnerability: CVSS 10 React Server Components (RSC) Deserialization leading to RCE
## CVE Details
- CVE ID: CVE-2025-55182
- CVSS Score: 10.0 (Critical)
- CWE: CWE-502 (Deserialization of Untrusted Data) (Implied by object traversal/RCE root cause)
## Affected Systems
- Products: React (specifically implementations using React Server Components/Flight protocol), Next.js (default exposure of RSC endpoints).
- Versions: Not explicitly specified in the source; any version implementing the vulnerable RSC parser prior to the patches should be treated as affected.
- Configurations: Applications utilizing React Server Components (RSC) or the Flight protocol, especially Next.js applications where RSC endpoints are exposed by default.
## Vulnerability Description
CVE-2025-55182 is a critical deserialization and object traversal vulnerability within the parser for the React Server Component (RSC) protocol (Flight protocol). The parser failed to adequately validate path markers supplied in multipart/form-data requests. Attackers can supply malicious path markers, such as `$1::__proto__` or `$1::constructor`, allowing them to traverse JavaScript’s prototype chain on the server. This leads to prototype pollution, ultimately enabling access to the `Function` constructor, which allows for the execution of arbitrary code on the server.
## Exploitation
- Status: PoC available (the source mentions real-world PoCs observed achieving RCE).
- Complexity: Low (Described as trivial once the endpoint is exposed, requiring only crafted multipart requests).
- Attack Vector: Network
## Impact
- Confidentiality: High (Potential to leak environment variables, database credentials, source code, system files, and cloud metadata).
- Integrity: High (Allows execution of arbitrary code, leading to full system compromise).
- Availability: High (Can lead to denial of service or irreparable system compromise).
## Remediation
### Patches
- Upgrade to the latest versions of React, Next.js, and any framework utilizing the RSC/Flight protocol where fixes have been applied. (Specific patched version numbers are not listed in the source material).
### Workarounds
- Disable or restrict RSC endpoints if the application does not rely on RSC features.
- Apply WAF/IPS rules to block multipart requests containing: `$1::__proto__` and `$1::constructor`.
- Isolate any detected affected systems immediately, treating them as compromised.
## Detection
- Indicators of Compromise: Unusual multipart/form-data requests targeting RSC endpoints; attempts to invoke Node.js modules (`fs`, `child_process`, `process`) visible in server logs.
- Detection methods and tools: WAF/IPS signatures deployed by Seqrite include: `HTTP/CVE-2025-55182!VS.50159`, `HTTP/CVE-2025-55182!VS.50160`, `HTTP/CVE-2025-55182!VS.50161`, `HTTP/CVE-2025-55182!VS.50162`.
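As an added example (not code from the Seqrite post, nor from the React or Next.js projects), the following Node.js-style check applies the WAF workaround and the detection indicators above to a raw multipart/form-data body: it splits the body into parts, scans each part's content for Flight-style path markers, and flags any marker whose path segments reference `__proto__` or `constructor`. The marker pattern (which accepts any reference index, `$<n>::…`, not only `$1`), the minimal multipart splitter, the function names and the sample request bodies are all constructed assumptions for this example, not taken from the page.

```javascript
// Added example: flag multipart/form-data parts carrying RSC/Flight path
// markers that reference prototype-chain properties (`$1::__proto__`,
// `$1::constructor`). Names, regexes and fixtures are assumptions.

// Path segments that must never appear in a Flight reference path.
const DANGEROUS_SEGMENTS = ["__proto__", "constructor"];

// A `$<digits>` reference followed by one or more `::<segment>` hops.
// Assumption: any reference index is treated the same as `$1`.
const MARKER_RE = /\$\d+(?:::[^\s:"]+)+/g;

// Return every marker in `text` whose path touches a dangerous segment.
function findDangerousMarkers(text) {
  const hits = [];
  for (const m of text.matchAll(MARKER_RE)) {
    const segments = m[0].split("::").slice(1); // drop the `$n` head
    if (segments.some((s) => DANGEROUS_SEGMENTS.includes(s))) hits.push(m[0]);
  }
  return hits;
}

// Minimal multipart/form-data splitter (assumption: no nested multipart,
// boundary never occurs inside a part). Returns {headers, content} per part.
function splitMultipart(body, boundary) {
  const delim = `--${boundary}`;
  return body
    .split(delim)
    .map((p) => p.trim())
    .filter((p) => p && p !== "--") // skip preamble and the closing `--`
    .map((part) => {
      const sep = /\r?\n\r?\n/.exec(part); // blank line ends the part headers
      if (!sep) return { headers: part, content: "" };
      return {
        headers: part.slice(0, sep.index),
        content: part.slice(sep.index + sep[0].length),
      };
    });
}

// Inspect one request; returns {suspicious, markers} for logging or blocking.
function inspectRequest(contentType, body) {
  const bm = /boundary=([^;]+)/.exec(contentType || "");
  if (!bm) return { suspicious: false, markers: [] }; // not multipart
  const boundary = bm[1].trim().replace(/^"|"$/g, "");
  const markers = [];
  for (const part of splitMultipart(body, boundary)) {
    markers.push(...findDangerousMarkers(part.content));
  }
  return { suspicious: markers.length > 0, markers };
}

// Constructed fixtures (not captured traffic).
const SAMPLE_BOUNDARY = "----ExampleBoundary";
const SAMPLE_CONTENT_TYPE = `multipart/form-data; boundary=${SAMPLE_BOUNDARY}`;

const BENIGN_BODY = [
  `--${SAMPLE_BOUNDARY}`,
  'Content-Disposition: form-data; name="0"',
  "",
  '{"name":"alice"}',
  `--${SAMPLE_BOUNDARY}--`,
].join("\r\n");

const FLAGGED_BODY = [
  `--${SAMPLE_BOUNDARY}`,
  'Content-Disposition: form-data; name="0"',
  "",
  '{"name":"alice"}',
  `--${SAMPLE_BOUNDARY}`,
  'Content-Disposition: form-data; name="1"',
  "",
  "$1::__proto__",
  `--${SAMPLE_BOUNDARY}--`,
].join("\r\n");

console.log(inspectRequest(SAMPLE_CONTENT_TYPE, BENIGN_BODY));
console.log(inspectRequest(SAMPLE_CONTENT_TYPE, FLAGGED_BODY));
```

In a deployment this check would sit in front of the RSC endpoint (a reverse-proxy or middleware layer) and feed its `markers` list into the request log, so that the `$n::__proto__` / `$n::constructor` hits line up with the IoCs listed above. It is a complement to upgrading, not a substitute: a signature on two path segments does not cover every way the parser could be driven along the prototype chain.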
## References
- Vendor advisories: (Not explicitly linked, patch status implies official vendor communication exists)
- Relevant links - defanged: hxxps://www.seqrite.com/blog/the-cvss-10-react-vulnerability-cve-2025-55182/