EXPEL BLOG

Active exploitation notice: React2Shell critical vulnerability (CVE-2025-55182)


· 2 MIN READ · AARON WALTON AND MATT JASTRAM · DEC 9, 2025 · TAGS: Vulnerability management

TL;DR

  • Security teams need to scan their environment to identify easily discoverable apps running React Server and Next.js
  • Less common apps that implement these need to be audited and patched, too
  • You can also look for specific ingress log patterns to help identify attempts to exploit this vulnerability in your environment  


Expel Intel—like most other security teams—is actively tracking the exploitation and remediation status of a critical vulnerability, CVE-2025-55182, which impacts applications using React Server and Next.js.

The vulnerability is currently under active exploitation.

The vulnerability was responsibly disclosed on Wednesday, December 3, and several major vendors (including AWS, Akamai, and Cloudflare) implemented mitigations at the time of disclosure. However, by Friday, December 5, we observed that proofs of concept (PoCs) for exploiting the vulnerability had been created and were actively being used against publicly exposed servers, and an estimated 60,000 vulnerable servers were exposed to the public internet.

There is now a wide range of actors targeting the vulnerability, which makes hunting on atomic indicators (such as file hashes or IP addresses) ineffective. Hunt on the request and process patterns instead.

Exploitation looks much like the exploitation of any other web server: the code the attacker executes is spawned by the process running the application. For a traditional web server that means a child process of the server's main process. For React Server and Next.js applications it means a child of the Node.js process (node.exe on Windows, node on Linux), so a shell or other command interpreter whose parent chain leads back to node is the host-side pattern to hunt for.
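One way to hunt that process tree on a Linux host, as an added example that is not part of Expel's post or tooling: it parses the text output of `ps -eo pid,ppid,comm,args` (the snapshot below is constructed, not captured from a real incident) and reports every shell whose ancestry includes a node process, walking the full parent chain so that nested shells are caught as well.

```python
"""Flag shells running under a node process.

Added example, not Expel's own tooling. Post-exploitation of CVE-2025-55182
shows up on the host as a command interpreter spawned by the application's
Node.js process, so this walks the parent chain of every shell and reports
those that descend from node. It parses the text output of
`ps -eo pid,ppid,comm,args`; the sample below is constructed, not captured.
"""

SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}
NODE_NAMES = {"node", "node.exe"}


def parse_ps(text):
    """Parse `ps -eo pid,ppid,comm,args` output into {pid: (ppid, comm, args)}."""
    procs = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        pid, ppid, comm = int(parts[0]), int(parts[1]), parts[2]
        args = parts[3] if len(parts) == 4 else ""
        procs[pid] = (ppid, comm, args)
    return procs


def ancestors(procs, pid):
    """Yield (pid, comm) for each ancestor of pid, nearest first. Stops at the
    root, or early if the table is inconsistent and would loop."""
    seen = {pid}
    while True:
        ppid = procs[pid][0]
        if ppid not in procs or ppid in seen:
            return
        seen.add(ppid)
        yield ppid, procs[ppid][1]
        pid = ppid


def shells_under_node(procs):
    """Return sorted (shell_pid, shell_args, node_pid) for every shell whose
    ancestry includes a node process."""
    findings = []
    for pid, (_, comm, args) in procs.items():
        if comm not in SHELLS:
            continue
        for apid, acomm in ancestors(procs, pid):
            if acomm in NODE_NAMES:
                findings.append((pid, args, apid))
                break
    return sorted(findings)


# Constructed `ps -eo pid,ppid,comm,args` snapshot: an admin's SSH shell
# (benign) and a shell chain spawned by the Next.js server (suspicious).
SAMPLE_PS = """\
  PID  PPID COMMAND         COMMAND
    1     0 systemd         /sbin/init
  742     1 sshd            /usr/sbin/sshd -D
  900   742 bash            -bash
 1203     1 node            node server.js
 1340  1203 sh              sh -c bash -i
 1342  1340 bash            bash -i
"""

if __name__ == "__main__":
    for shell_pid, args, node_pid in shells_under_node(parse_ps(SAMPLE_PS)):
        print(f"pid {shell_pid} ({args!r}) descends from node pid {node_pid}")
```

The admin's bash under sshd is not reported; both shells under pid 1203 are, including the nested bash whose direct parent is sh rather than node. Against a live host, feed the function `ps -eo pid,ppid,comm,args` output, or the equivalent from your EDR's process telemetry, and review every hit by hand: build tooling and legitimate child_process calls from the app itself will also appear here.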

Organizations using React Server or Next.js must treat this as a critical priority. If you haven’t patched these, you need to. Use vulnerability scanners against assets hosted both on premises and in the cloud to identify vulnerable apps used by your organization. Expel Intel is continually monitoring CVE-2025-55182 and notifying our customers who have onboarded vulnerability scanners.


What to look for

Security teams need to scan their environment to identify easily discoverable apps running React Server and Next.js. Less common apps that implement these need to be audited and patched, too. Patching these should be your first priority.

If you are hunting for past activity targeting your environment, patterns in ingress traffic logs can help identify attempts to exploit this vulnerability. Look for:

  • Suspicious request headers (used by the React Server Components protocol to route server-action requests; HTTP header names are case-insensitive, so match them that way):
    • "next-action"
    • "rsc-action-id"
  • Malicious payload patterns in the request body:
    • $@ (a dollar sign followed by an at sign, often used in the serialized payload).
    • "status":"resolved_model". This is an internal status flag that the server's own deserializer sets; an external client that sends a JSON body containing it is pretending to be an internal server process, and there is no legitimate reason for it to do so.
    • "then": followed by a function constructor (a key part of the deserialization exploit).
  • Unexpected serialized data containing references to system commands (e.g., cmd, sh, bash).
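The patterns above, turned into a small scanner over constructed ingress log lines (an added example, not Expel's tooling; the JSON field names `headers` and `body` are assumptions about your log format). It treats the RSC headers as a weak signal and only alerts when a body pattern also fires, and it goes slightly beyond the list by matching header names case-insensitively, since HTTP header names are case-insensitive:

```python
"""Hunt for CVE-2025-55182 exploitation attempts in ingress logs.

Added example, not Expel's own tooling. It assumes one JSON object per log
line with "headers" (a dict) and "body" (a string); rename those keys to
match whatever your load balancer, proxy or WAF actually emits.
"""
import json
import re

# Headers the RSC protocol uses to route server-action requests. A real RSC
# app sees these on legitimate traffic, so on their own they are only a weak
# signal. HTTP header names are case-insensitive, so compare lowercased.
RSC_HEADERS = ("next-action", "rsc-action-id")

# Body patterns from the post. All are heuristics; tune them on your traffic.
BODY_PATTERNS = {
    "dollar_at": re.compile(r"\$@"),
    "resolved_model": re.compile(r'"status"\s*:\s*"resolved_model"', re.IGNORECASE),
    # A "then" key whose value drags in a function constructor within 200 chars.
    "then_constructor": re.compile(r'"then"\s*:.{0,200}?(constructor|Function\s*\()', re.DOTALL),
    # Bare command-interpreter names; the noisiest pattern of the four.
    "shell_reference": re.compile(r"\b(cmd(?:\.exe)?|sh|bash)\b", re.IGNORECASE),
}


def match_indicators(entry):
    """Return the indicator names that fire on one parsed log entry."""
    hits = []
    headers = {k.lower(): v for k, v in (entry.get("headers") or {}).items()}
    for name in RSC_HEADERS:
        if name in headers:
            hits.append("header:" + name)
    body = entry.get("body") or ""
    for name, pattern in BODY_PATTERNS.items():
        if pattern.search(body):
            hits.append("body:" + name)
    return hits


def classify(hits):
    """Body patterns are strong enough to alert on; RSC headers alone are
    expected for a working app and only worth an informational note."""
    if any(h.startswith("body:") for h in hits):
        return "alert"
    return "info" if hits else "clean"


def scan(lines):
    """Return (line_number, level, hits) for every log line that matched
    something. Lines that are blank or not valid JSON are skipped."""
    results = []
    for number, raw in enumerate(lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue
        hits = match_indicators(entry)
        level = classify(hits)
        if level != "clean":
            results.append((number, level, hits))
    return results


# Constructed sample log lines, not real traffic. Line 3's body only imitates
# the shape of a malicious RSC payload; it is not a working exploit.
SAMPLE_LOG = [
    json.dumps({"method": "GET", "path": "/", "headers": {"User-Agent": "curl/8.0"}, "body": ""}),
    json.dumps({"method": "POST", "path": "/", "headers": {"Next-Action": "7f3a", "Content-Type": "text/plain;charset=UTF-8"}, "body": '["hello"]'}),
    json.dumps({"method": "POST", "path": "/", "headers": {"Next-Action": "7f3a"},
                "body": '{"status":"resolved_model","then":"$@1","value":"constructor","cmd":"sh -c id"}'}),
    json.dumps({"method": "POST", "path": "/api/login", "headers": {}, "body": '{"user":"bash"}'}),
    "this line is not JSON and is skipped",
]

if __name__ == "__main__":
    for number, level, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {level:5} {', '.join(hits)}")
```

The fourth sample line shows why the bare command-name pattern is the noisiest: a login request for a user named bash trips it. Treat that indicator as a lead to pivot on rather than a verdict, or restrict it to requests that also carry one of the RSC headers.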


What about CVE-2025-66478?

This CVE number is sometimes used in discussions, but it was officially rejected as a duplicate of CVE-2025-55182. It was created specifically for the vulnerability as exposed through Next.js, but CVE-2025-55182 covers both the React and the Next.js cases.


Additional resources

Due to the severity of the vulnerability, many teams have analyzed the vulnerability, current exploitation, and scale of the problem. We recommend checking out the following resources to learn more about the vulnerability.

React’s original disclosure of the vulnerability: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components 

Wiz’s high level overview: https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182

Wiz’s deep dive: https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive  

Guillermo Rauch’s (from Vercel) analysis of the vulnerability: https://x.com/rauchg/status/1997362942929440937

ShadowServer’s tracking of vulnerable systems: https://infosec.exchange/@shadowserver/115690544827801847