Responding to CVE-2025-55182: React4Shell

On December 3, 2025, Meta disclosed CVE-2025-55182, a critical remote code execution vulnerability in React Server Components. With a CVSS score of 10.0, this vulnerability affects React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, as well as frameworks like Next.js that rely on React Server Components.

The vulnerability stems from insecure deserialization in React's Flight protocol. An attacker can send a specially crafted HTTP request to a vulnerable server and execute arbitrary code without any authentication. The scariest part? Default configurations are vulnerable out of the box.

Why this is hard to detect

Unlike many web vulnerabilities that leave obvious traces in URLs or headers, CVE-2025-55182 exploitation happens in the request body itself. The malicious payload is a carefully crafted serialized object that exploits deserialization logic. This makes it significantly harder to detect because:

1. Most logs don't include request bodies - Standard access logs from web servers and load balancers typically only log request metadata (method, path, status code, etc.)
2. Not all services ship request bodies - Many organizations don't forward full request bodies to their SIEM or log aggregation platform due to performance, privacy, or cost concerns
3. The payload looks like normal data - The exploit uses JSON structures that resemble legitimate React Server Components payloads, making it hard to distinguish without deep inspection

This means traditional log analysis might miss exploitation attempts entirely unless you're specifically looking for them at the right layer.

Our response: First 24 hours

When we learned about CVE-2025-55182, we immediately took action on two fronts.

Internal mitigation

First, we audited our internal systems. We upgraded all React dependencies to patched versions (19.0.1, 19.1.2, or 19.2.1 depending on the project). Any service using Next.js was updated to version 15.0.5 or later. We deployed these updates within hours of the disclosure.

Customer protection

For our bring-your-own-cloud customers who run RunReveal infrastructure in their own environments, we coordinated emergency updates. We patched our application container images and applied the updates to their environment to ensure their instances were protected as quickly as possible.

Detection coverage for WAF users

While patching is the primary mitigation, we also built detection rules to help identify potential exploitation attempts. These are particularly valuable during incident response or when you want visibility into active scanning and exploitation attempts against your infrastructure.

We released three detection rules covering the most common Web Application Firewall deployments:

Cloudflare WAF detection

For customers using Cloudflare's WAF, we created two detection rules:

1. Cloudflare Firewall Events (cf-firewall-cve-2025-55182) - Monitors firewall logs for rule IDs 33aa8a8a948b48b28d40450c5fb92fba and 2b5d06e34a814a889bee9a0699702280
2. Cloudflare HTTP Logs (cf-http-cve-2025-55182) - Analyzes HTTP request logs for the same security rule triggers

These detections fire when Cloudflare's managed rules identify potential CVE-2025-55182 exploitation patterns. You'll see alerts for both blocked and logged requests, giving you visibility into:

• Active exploitation attempts against your applications
• Geographic distribution of attackers
• Timing and frequency of attacks
• Which endpoints are being targeted

AWS WAF detection

For AWS customers, we built a detection (aws-waf-cve-2025-55182) that monitors AWS WAF logs for the ReactJSRCE_BODY rule in the AWSManagedRulesKnownBadInputsRuleSet rule group. This rule was specifically added by AWS to detect this vulnerability.

Important caveat

These WAF detections don't necessarily indicate successful exploitation. Modern WAFs are good at blocking malicious requests before they reach your application and the service providers are also responding quite promptly to this threat. What these detections give you is:

• Situational awareness - Know when your infrastructure is being actively targeted
• Incident response context - During an investigation, these events help establish a timeline
• Attack pattern analysis - Understand how attackers are probing your defenses

Custom detection for nginx users

If you're not behind Cloudflare or AWS WAF, you can still detect exploitation attempts if you have full request body logging enabled in nginx.

Step 1: Configure nginx body logging

First, enable request body logging in your nginx configuration. Here's an example:

# Set buffer sizes for body storage
client_body_buffer_size 1M;
client_max_body_size 10M;

# Create log format with body
log_format json_with_body escape=json
  '{'
    '"time_local":"$time_local",'
    '"remote_addr":"$remote_addr",'
    '"request":"$request",'
    '"status":"$status",'
    '"request_body":"$request_body",'
    '"http_user_agent":"$http_user_agent"'
  '}';

# Apply to your location
location /api {
    access_log /var/log/nginx/api_with_body.log json_with_body;
}

Important: This significantly increases log volume and may capture sensitive data. Proceed cautiously with this.

Step 2: Forward logs to RunReveal

Configure your log shipper (Vector, Fluent Bit, etc.) to send these nginx logs to RunReveal using a generic log source. Make sure the request_body field is included in the ingested data.

Step 3: Create a custom detection

In RunReveal, create a custom Streaming detection using Sigma format:

title: Nginx CVE-2025-55182 React Server RCE Detection
id: nginx-cve-2025-55182
description: Detects exploitation attempts of CVE-2025-55182 in nginx logs with full request body logging
tags:
  - attack.initial-access
  - attack.execution
  - nginx
  - network-activity
  - signal
  - cve-2025-55182
sourcetypes:
  - nginx
detection:
  selection_constructor:
    rawLog.request_body|contains: ':constructor:constructor'

  selection_internal_fields:
    rawLog.request_body|contains:
      - '"_prefix"'
      - '"_formData"'
      - '"resolved_model"'

  selection_serialized:
    rawLog.request_body|re: '\$[0-9]+'

  condition: selection_constructor or (selection_serialized and selection_internal_fields)
level: critical
riskscore: 80

What this detects

This detection looks for the key exploitation patterns:

1. Constructor chain exploitation - The pattern :constructor:constructor is a dead giveaway of deserialization attacks
2. React internal fields - Fields like _prefix, _formData, and resolved_model shouldn't appear in normal user requests
3. Serialized object references - The $[digit] notation combined with internal fields indicates RSC payload manipulation

When this detection fires, investigate immediately:

• Check if the request reached your application server
• Review application logs for errors or unusual behavior around that timestamp
• Verify your React and Next.js versions are patched
• Consider blocking the source IP if exploitation attempts continue

Moving forward

CVE-2025-55182 is a stark reminder that even widely-trusted frameworks can have critical vulnerabilities. The good news is that patches are available and the React team responded quickly.

For RunReveal customers, these detections are now live in our detection packs. If you're using Cloudflare or AWS WAF, the detections will automatically start alerting on relevant events. For nginx users, follow the steps above to implement custom detection.

If you need help implementing these detections or want to discuss your specific environment, reach out to us.

We're closely monitoring events related to this vulnerability and will continue to update our detection coverage and guidance as new information emerges.

Update: Additional vulnerabilities disclosed (December 11, 2025)

On December 11, 2025, the React team disclosed two additional vulnerability classes affecting React Server Components. We detected the advisory at 10:45PM UTC and immediately began our response.

The new vulnerabilities

CVE-2025-55184 and CVE-2025-67779: Denial of Service (CVSS 7.5)

These vulnerabilities allow an attacker to send a malicious HTTP request to Server Functions endpoints that causes an infinite loop. The result is a hung server process with 100% CPU consumption, effectively taking down the application.

CVE-2025-55183: Source Code Exposure (CVSS 5.3)

This vulnerability enables attackers to extract the source code of Server Functions through specially crafted requests. The exposed code can include sensitive information like database connection strings, API keys, and business logic that should remain server-side only.

Critical detail: Previous patches were incomplete

Importantly, the patches released on December 3rd (versions 19.0.2, 19.1.3, and 19.2.2) contained incomplete fixes. Organizations that patched to these versions remain vulnerable to the newly disclosed DoS and source code exposure issues.

The React team released new patches that address all three vulnerabilities:

• 19.0.3 (for 19.0.x users)
• 19.1.4 (for 19.1.x users)
• 19.2.3 (for 19.2.x users)

Our response

We patched all internal RunReveal systems immediately upon discovery at 10:45PM UTC on December 11th. All React and Next.js dependencies were upgraded to the latest patched versions within the hour.

For our bring-your-own-cloud customers, we coordinated another round of emergency updates. Updated container images and deployment instructions were provided within a few hours, ensuring their instances received the complete fixes for all three vulnerabilities.

Next steps

We're evaluating additional detection coverage for these new vulnerability classes and will update this post if we release new detection rules.

References

• CVE-2025-55182 NVD Entry
• React Official Security Advisory (December 3, 2025)
• React Security Update (December 11, 2025)
• Original PoC by Lachlan Davidson
• AWS WAF Managed Rules Documentation
• Cloudflare Firewall Events Documentation