As a cyber threat intelligence analyst, my daily workflow includes monitoring emerging high-severity vulnerabilities and rapidly validating exploitation trends. When CVE-2025-55182 began dominating global alerts in early December 2025, with global security vendors reporting mass scanning and live exploitation attempts, I immediately prioritized it for hands-on verification.
This is a CVSS 10.0 unauthenticated remote code execution flaw in React Server Components (RSC) and the Next.js App Router ecosystem. To independently confirm real-world exploitability and assess the current risk level, I executed a controlled proof-of-concept against systems still publicly exposing port 3000 (the default Next.js development port).
What is CVE-2025-55182?
CVE-2025-55182 is an unsafe deserialization bug in React 19's "Flight" protocol. When the server deserializes incoming Server Component / Server Action payloads, it trusts user-controlled data without validation. Attackers use prototype pollution to hijack the global Function constructor and execute arbitrary OS commands.
Affected Versions
| Package | Vulnerable | Patched |
|---|---|---|
| react-server-dom-webpack | ≥19.0, <19.0.1 | ≥19.0.1 |
| react-server-dom-parcel | ≥19.1.0, <19.1.2 | ≥19.1.2 |
| react-server-dom-turbopack | 19.2.0 | ≥19.2.1 |
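To make the table above actionable, here is an added Python example (not code from the original post or from the React project) that checks a project's package-lock.json against the vulnerable ranges exactly as listed in the table. The lockfile contents are constructed for the demo; versions with a prerelease suffix are compared by their numeric core, which is a simplification.

```python
"""Check installed react-server-dom-* packages against the CVE-2025-55182
affected-version table.

Added example, not part of the original post. It walks the "packages" map of a
package-lock.json (lockfileVersion 2 or 3) and reports installed versions that
fall inside a vulnerable range. SAMPLE_LOCKFILE below is constructed for the demo.
"""
import json
import re
from typing import Dict, List, Tuple

# Vulnerable ranges taken from the post's table: lower bound inclusive, upper
# bound exclusive (the upper bound is therefore also the first patched release).
VULNERABLE_RANGES: Dict[str, Tuple[str, str]] = {
    "react-server-dom-webpack": ("19.0.0", "19.0.1"),
    "react-server-dom-parcel": ("19.1.0", "19.1.2"),
    "react-server-dom-turbopack": ("19.2.0", "19.2.1"),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '19.0', 'v19.0.1' or '19.1.0-canary-abc' into a 3-tuple of ints.

    Prerelease/build suffixes are dropped (simplification, see lead-in)."""
    core = re.split(r"[-+]", version.lstrip("v"), maxsplit=1)[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(package: str, version: str) -> bool:
    """True if (package, version) lies inside a range from the table."""
    rng = VULNERABLE_RANGES.get(package)
    if rng is None:
        return False
    low, high = (parse_version(v) for v in rng)
    return low <= parse_version(version) < high


def scan_lockfile(lock_json: str) -> List[Dict[str, str]]:
    """Return one finding per vulnerable install found in the lockfile."""
    lock = json.loads(lock_json)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        # npm keys nested installs as "node_modules/a/node_modules/b";
        # the package name is whatever follows the last "node_modules/".
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version")
        if name in VULNERABLE_RANGES and version and is_vulnerable(name, version):
            findings.append({
                "package": name,
                "version": version,
                "path": path,
                "fixed": VULNERABLE_RANGES[name][1],
            })
    return findings


# Constructed sample lockfile: one direct vulnerable install, one patched
# install, and one vulnerable copy nested under another dependency.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.0.0"},
        "node_modules/react-server-dom-turbopack": {"version": "19.2.1"},
        "node_modules/some-tool/node_modules/react-server-dom-parcel": {"version": "19.1.1"},
    },
})


if __name__ == "__main__":
    for f in scan_lockfile(SAMPLE_LOCKFILE):
        print(f"VULNERABLE {f['package']}@{f['version']} at {f['path']} -> upgrade to >= {f['fixed']}")
```

Run it against a real lockfile by replacing SAMPLE_LOCKFILE with the file's contents; nested copies matter because a transitive dependency can pull in a vulnerable react-server-dom-* build even when the top-level version is patched.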
A Real-World PoC Example
On December 8, 2025, I personally confirmed live exploitation by using a reliable public PoC currently available at https://github.com/nehkark/CVE-2025-55182/.
Here is the exact command I executed against an exposed test server:

```bash
python3 poc-cve-2025-55182.py -u http://xxx.xxx.xxx.xxx:3000 -c "uname -a"
```
Actual output received:

Analysis:
- HTTP 500 status indicates a server error triggered by deserialization, consistent with exploitation.
- The partial output suggests truncated command results, possibly due to logging limits or encoding.
Why This Is So Dangerous
- No authentication required.
- One crafted POST request is enough to compromise the system.
- Successful exploitation enables webshell deployment, data exfiltration, ransomware, or cryptojacking.
- A system compromise can lead to further pivoting inside the network.
Immediate Actions (Do These Today)
- Upgrade to React 19.0.1 / 19.1.2 / 19.2.1, and update Next.js to the latest release.
- Deploy the emergency WAF rules released by Cloudflare, Fastly, Akamai, and AWS WAF.
- Hunt in your logs for POSTs containing `_rsc`, `Next-Action`, or large multipart payloads followed by 500 errors.
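The log-hunting step above, as an added example that is not part of the original post: a Python script that scans JSON-lines proxy logs for POST requests carrying a `_rsc` query parameter, a `Next-Action` header, or a large multipart body, and reports those that ended in HTTP 500, then counts hits per source address. The log format (fields `ts`, `src_ip`, `method`, `path`, `status`, `content_type`, `request_bytes`, `headers`) and the 64 KiB body threshold are assumptions; capturing request headers normally requires a custom log format on the reverse proxy. The sample lines are constructed.

```python
"""Hunt JSON-lines access logs for CVE-2025-55182 exploitation indicators.

Added example, not part of the original post. Assumed log fields: ts, src_ip,
method, path, status, content_type, request_bytes, headers (dict of selected
request headers). SAMPLE_LOG is constructed for the demo.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List
from urllib.parse import parse_qs, urlsplit

# Threshold for "large multipart payload" (assumption; tune to your app's
# legitimate upload sizes).
LARGE_BODY_BYTES = 64 * 1024


def rsc_indicators(rec: Dict) -> List[str]:
    """Return the indicators from the post's hunting bullet present in one record."""
    hits: List[str] = []
    if rec.get("method") != "POST":
        return hits
    query = parse_qs(urlsplit(rec.get("path", "")).query)
    if "_rsc" in query:
        hits.append("_rsc query parameter")
    headers = {k.lower(): v for k, v in (rec.get("headers") or {}).items()}
    if "next-action" in headers:
        hits.append("Next-Action header")
    ctype = (rec.get("content_type") or "").lower()
    if ctype.startswith("multipart/form-data") and rec.get("request_bytes", 0) >= LARGE_BODY_BYTES:
        hits.append("large multipart body")
    return hits


def hunt(lines: Iterable[str]) -> List[Dict]:
    """Flag POSTs that carry an indicator AND ended in HTTP 500.

    Requiring the 500 keeps ordinary Server Action traffic (Next-Action
    header, 200 response) out of the results."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line; a production pipeline would count these
        hits = rsc_indicators(rec)
        if hits and rec.get("status") == 500:
            findings.append({
                "ts": rec["ts"],
                "src_ip": rec["src_ip"],
                "path": rec["path"],
                "indicators": hits,
            })
    return findings


def suspicious_sources(findings: List[Dict]) -> Counter:
    """Count flagged requests per source IP so repeat offenders surface first."""
    return Counter(f["src_ip"] for f in findings)


# Constructed sample: benign GET, exploitation-style POSTs from 203.0.113.10,
# a normal login, a normal Server Action (Next-Action + 200) and one junk line.
SAMPLE_LOG = """
{"ts": "2025-12-08T10:00:01Z", "src_ip": "198.51.100.7", "method": "GET", "path": "/", "status": 200, "content_type": null, "request_bytes": 0, "headers": {}}
{"ts": "2025-12-08T10:00:05Z", "src_ip": "203.0.113.10", "method": "POST", "path": "/?_rsc=abc123", "status": 500, "content_type": "text/plain", "request_bytes": 1843, "headers": {"Next-Action": "0123abcd"}}
{"ts": "2025-12-08T10:00:06Z", "src_ip": "198.51.100.7", "method": "POST", "path": "/api/login", "status": 200, "content_type": "application/json", "request_bytes": 120, "headers": {}}
{"ts": "2025-12-08T10:00:09Z", "src_ip": "203.0.113.10", "method": "POST", "path": "/", "status": 500, "content_type": "multipart/form-data; boundary=----x", "request_bytes": 200000, "headers": {}}
{"ts": "2025-12-08T10:00:12Z", "src_ip": "198.51.100.7", "method": "POST", "path": "/", "status": 200, "content_type": "text/plain", "request_bytes": 310, "headers": {"Next-Action": "7890ef01"}}
this line is not JSON and is skipped
"""


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG.splitlines())
    for r in results:
        print(f"{r['ts']} {r['src_ip']} {r['path']} <- {', '.join(r['indicators'])}")
    print("per-source counts:", dict(suspicious_sources(results)))
```

A single flagged request can be a crashed but legitimate Server Action, so pivot on the per-source counts and on bursts of 500s from one address; pair any hit with process or child-process telemetry from the Node host for confirmation.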
Final Thoughts
Patch immediately, scan your assets, and refrain from exposing dev ports in production.
Stay safe.
