
"In its original PoC, Davidson showcased how the serialization/deserialization protocol used by React Server Components could be exploited to create a promise-like object that, when awaited, would allow an attacker to execute arbitrary code by calling native functions such as child_process.execSync. While the fix seems simple enough (add hasOwnProperty checks to avoid JavaScript's object prototype pollution), the exploit itself is also straightforward, with public exploit code available (some of which are AI-generated) from many sources."
"Analysis of data from MadPot reveals the persistent nature of these exploitation attempts. In one notable example, an unattributed threat cluster associated with IP address 183[.]6.80.214 spent nearly an hour (from 2:30:17 AM to 3:22:48 AM UTC on December 4, 2025) systematically troubleshooting exploitation attempts:
- 116 total requests across 52 minutes
- Attempted multiple exploit payloads
- Tried executing Linux commands (whoami, id)
- Attempted file writes to /tmp/pwned.txt
- Tried to read /etc/passwd"
An unauthenticated remote code execution vulnerability (CVE-2025-55182) exists in React Server Components. The flaw affects React 19.0.0 through 19.2.0 and Next.js 15.x and 16.x when using App Router. The vulnerability abuses the RSC serialization/deserialization protocol to create a promise-like object that can invoke native functions like child_process.execSync. Public proof-of-concept and exploit code are available, including AI-generated variants. Active exploitation attempts have been observed, including persistent scanning and command execution attempts linked to China state-nexus threat groups. Immediate patching and mitigation are strongly recommended for affected deployments.
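The fix described above (adding hasOwnProperty checks) addresses a general JavaScript pitfall rather than anything specific to React: when a deserializer resolves an identifier taken from an untrusted payload with plain property access, the lookup walks the prototype chain, so names such as "constructor" or "hasOwnProperty" resolve to inherited functions that were never registered. The following is an added example illustrating that pitfall and two standard mitigations; it is not code from React, Next.js, the InfoQ article or Davidson's PoC, and the registry, the handler "greet" and the identifier list are constructed for illustration.

```javascript
// Added example (not React's or Next.js's code): a minimal "resolve an
// identifier from an untrusted payload" step, in a weak and a hardened form.

// Constructed registry of server-side handlers a deserializer may resolve.
const registry = {
  greet: (name) => `hello ${name}`,
};

// Weak lookup: reg[id] walks the prototype chain, so an identifier such as
// "constructor" resolves to Object.prototype.constructor (a function) even
// though it was never registered. A deserializer that then invokes whatever
// it resolved has been tricked into calling something the author never exposed.
function resolveWeak(reg, id) {
  const value = reg[id];
  return typeof value === "function" ? value : null;
}

// Hardened lookup: only accept keys the registry itself owns.
// Object.prototype.hasOwnProperty.call is used rather than reg.hasOwnProperty
// so the check still works if the payload tried to shadow that method.
function resolveHardened(reg, id) {
  if (typeof id !== "string") return null;
  if (!Object.prototype.hasOwnProperty.call(reg, id)) return null;
  const value = reg[id];
  return typeof value === "function" ? value : null;
}

// Second mitigation: a registry with no prototype has nothing to inherit,
// so even the weak lookup cannot reach Object.prototype members.
const registryNoProto = Object.assign(Object.create(null), registry);

// Constructed untrusted payload: identifiers a client asked the server to resolve.
// Only "greet" is legitimate; the rest are names every plain object inherits.
const untrustedIds = ["greet", "constructor", "__proto__", "hasOwnProperty", "toString"];

// Which identifiers a given resolver would hand back as callable functions.
function resolvedIds(resolver, reg = registry) {
  return untrustedIds.filter((id) => resolver(reg, id) !== null);
}

// Stand-alone demonstration.
console.log("weak lookup resolves:     ", resolvedIds(resolveWeak));
console.log("hardened lookup resolves: ", resolvedIds(resolveHardened));
console.log("weak lookup, no-proto reg:", resolvedIds(resolveWeak, registryNoProto));
```

Note that "__proto__" does not show up even in the weak case: it resolves to Object.prototype, which is an object rather than a function, so the typeof guard drops it. That guard alone is not a defence, since "constructor", "hasOwnProperty" and "toString" all pass it; the own-property check (or a null-prototype registry) is what closes the gap.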
Read at InfoQ