Active exploitation of CVE-2025-55182 is now enabling attackers to gain full remote code execution on React Server Component–based applications.
More than 644,000 domains and 165,000 IPs are currently exposed. The vulnerability impacts Next.js, Waku, Vite RSC implementations, and custom React servers, making it a cross-framework, internet-scale threat.
What Is Actually Going Wrong
The flaw stems from unsafe input deserialization inside the RSC request processing layer. A malicious payload triggers uncontrolled code paths in the decodeReply logic, enabling:
- Gadget-chain execution
- Command execution before authentication
- Bypass of traditional security controls
- Direct access to cloud runtime environments
Because RSC sits deep inside the server-side rendering flow, the vulnerability becomes architectural, not surface-level.
How the Attack Is Playing Out
Threat researchers have already observed attackers:
- Opening interactive shells inside containers
- Dumping environment variables, tokens, and secrets
- Querying AWS/GCP metadata services
- Stealing SSH, Git, and CI/CD credentials
- Deploying cryptominers into Kubernetes workloads
- Installing Sliver C2 implants for persistence
This is active, ongoing exploitation, not hypothetical analysis.
Why This Vulnerability Is So Dangerous
- It affects multiple frameworks that implement RSC
- RCE occurs before application authentication
- Discovery of RSC endpoints is trivial
- Cloud-native workloads are directly exposed
- Automated mass exploitation has already begun
The blast radius includes cloud accounts, pipelines, secrets, and session tokens.
What Security Teams Must Do Immediately
1. Patch and Freeze
- Apply React’s official patches
- Block CI/CD from redeploying older RSC packages
- Scan package-lock.json, pnpm-lock.yaml, yarn.lock for vulnerable versions
2. Harden Runtime & Network
- Add temporary WAF rules to filter RSC payloads
- Restrict access to server-side rendering endpoints
- Reduce outbound egress from containers
- Enforce filesystem restrictions
3. Improve Detection
Monitor for:
- Unusual rendering spikes
- Suspicious process creation
- Unexpected environment variable access
- Metadata service queries
4. Re-educate Development Teams
Ensure consistent patching and endpoint awareness across all environments.
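To make the lockfile scan in step 1 concrete, here is an added example (not code from the page or from React) that walks a package-lock.json, including nested copies under node_modules, and reports every RSC-related package pinned below a fixed version. The package names and the fixed versions in SAMPLE_FIXED are assumptions/placeholders; take the real ones from React's and your framework's advisory.

```python
import json
import re
from typing import Dict, Iterator, List, Tuple

def parse_semver(version: str) -> Tuple[int, int, int, str]:
    """Split '19.2.0-canary-1' into (19, 2, 0, 'canary-1')."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?", version)
    if not m:
        raise ValueError(f"unparseable version: {version}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre or ""

def is_below(version: str, fixed: str) -> bool:
    """True when `version` is older than `fixed`; a prerelease of x.y.z is older than x.y.z."""
    v, f = parse_semver(version), parse_semver(fixed)
    if v[:3] != f[:3]:
        return v[:3] < f[:3]
    if bool(v[3]) != bool(f[3]):
        return bool(v[3])
    return v[3] < f[3]

def iter_lock_entries(lock: Dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (name, version, path) for lockfileVersion 2/3 ('packages') and 1 ('dependencies')."""
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path:  # "" is the root project, not a dependency
                yield meta.get("name") or path.split("node_modules/")[-1], meta.get("version", ""), path
        return
    def walk(deps: Dict, prefix: str) -> Iterator[Tuple[str, str, str]]:
        for name, meta in deps.items():
            here = f"{prefix}node_modules/{name}"
            yield name, meta.get("version", ""), here
            yield from walk(meta.get("dependencies", {}), here + "/")
    yield from walk(lock.get("dependencies", {}), "")

def find_vulnerable(lock: Dict, fixed_versions: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return every entry whose package has a fixed version and whose pinned version is below it."""
    return [(n, v, p) for n, v, p in iter_lock_entries(lock)
            if v and n in fixed_versions and is_below(v, fixed_versions[n])]

# Constructed sample lockfile and placeholder fixed versions: illustrative values only,
# take the real fixed versions from React's and your framework's advisory.
SAMPLE_LOCK = json.loads("""{"name": "demo-app", "lockfileVersion": 3, "packages": {
  "": {"name": "demo-app", "version": "1.0.0"},
  "node_modules/next": {"version": "15.0.1"},
  "node_modules/react-server-dom-webpack": {"version": "19.0.0"},
  "node_modules/next/node_modules/react-server-dom-webpack": {"version": "19.0.0-canary-7"},
  "node_modules/left-pad": {"version": "1.3.0"}}}""")
SAMPLE_FIXED = {"react-server-dom-webpack": "19.0.1", "next": "15.0.1"}
```

Run `find_vulnerable(json.load(open("package-lock.json")), fixed_versions)` in CI and fail the build on a non-empty result so step 1's "block CI/CD from redeploying older RSC packages" is enforced rather than remembered.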
The Strategic Lesson
We are witnessing how framework abstractions can become attack surfaces. As modern JavaScript frameworks centralize logic, a single vulnerability in the server-side rendering model can compromise:
- Multiple apps
- Multiple pipelines
- Entire cloud environments
This is no longer about patching. It’s about rethinking trust boundaries in modern frameworks.
About COE Security
COE Security supports organisations in:
- Finance
- Healthcare
- Government
- Consulting
- Technology
- SaaS
- Real estate
We help strengthen:
- Cloud workload security
- Email and application security
- Threat detection maturity
- Secure development practices
- Compliance programs (ISO 27001, SOC 2, GDPR, HIPAA, PCI DSS)
We design security that aligns with how modern attacks actually work.
Follow COE Security on LinkedIn for advanced insights on emerging threats.