CVE-2025-55182: Unauthenticated React Exploit Affects Millions of Sites

Josh Jacobson
Senior Manager of Security Advisory Services

A new vulnerability tracked as CVE-2025-55182 is sending shockwaves through the security community. This critical flaw carries a CVSS score of 10.0, the highest possible severity rating, and enables unauthenticated attackers to execute arbitrary code on affected servers.

Because React Server Components (RSC) and frameworks like Next.js sit at the heart of millions of modern applications, the blast radius is massive. Early estimates indicate that more than 12 million websites may be vulnerable.

On HackerOne, this vulnerability has already become the #1 most exploited CVE across the entire platform, with organizations acknowledging submissions at the recommended critical severity level. And remediation is occurring in under a day on average, reflecting how urgent and dangerous this issue has become for security teams.

Meanwhile, automated risk-scoring systems are still catching up. EPSS initially scored this CVE at just 0.46%, and at the time of writing it has risen only to 13.86%, still far below what the observed exploitation activity warrants.

This gap underscores a growing truth: EPSS is a lagging indicator, and organizations need faster, community-driven feedback loops to stay ahead of real-world attack activity. Crowdsourced models like bug bounty programs continue to serve as a critical early-warning system when traditional scoring signals fail to keep pace.

What Versions Are Affected

  • React packages: react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack in versions 19.0, 19.1.0, 19.1.1, and 19.2.0. Fixed in React 19.0.1, 19.1.2, and 19.2.1, depending on which release line you are on.
  • Next.js: All versions supporting React Server Components prior to patched releases, including but not limited to 15.0.0 through 15.5.6 and 16.0.0 through 16.0.6.

If your application uses any of these versions and specifically relies on React Server Components or Server Functions, you are likely at risk.
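A quick way to answer the question above for a concrete project is to walk the lockfile rather than trust package.json ranges, because the version that actually ships is the resolved one (including nested copies under another dependency). The script below is an added example, not code from the advisory or from the React or Next.js projects. It encodes only the versions the advisory enumerates: "19.0" is read as 19.0.0, and since the Next.js list is explicitly "not limited to" the two ranges given, a clean result is necessary but not sufficient. The lockfile fragment is constructed for illustration.

```javascript
// Added example, not from the advisory: check a package-lock.json against the
// affected versions listed above. Only what the advisory enumerates is encoded.

const AFFECTED_EXACT = {
  "react-server-dom-webpack":   ["19.0.0", "19.1.0", "19.1.1", "19.2.0"],
  "react-server-dom-parcel":    ["19.0.0", "19.1.0", "19.1.1", "19.2.0"],
  "react-server-dom-turbopack": ["19.0.0", "19.1.0", "19.1.1", "19.2.0"],
};
// Inclusive ranges as stated on the page; the fixed releases are 15.5.7 and 16.0.7.
const AFFECTED_RANGES = {
  next: [["15.0.0", "15.5.6"], ["16.0.0", "16.0.6"]],
};

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Leading major.minor.patch only. A prerelease suffix such as "-canary.3" is
// ignored, so prerelease builds near a boundary need a manual look.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function isAffected(name, version) {
  const v = parseSemver(version);
  if (!v) return false;
  if (has(AFFECTED_EXACT, name)) {
    return AFFECTED_EXACT[name].some((x) => cmp(v, parseSemver(x)) === 0);
  }
  if (has(AFFECTED_RANGES, name)) {
    return AFFECTED_RANGES[name].some(
      ([lo, hi]) => cmp(v, parseSemver(lo)) >= 0 && cmp(v, parseSemver(hi)) <= 0,
    );
  }
  return false;
}

// lockfileVersion 2/3: "packages" keys are install paths such as
// "node_modules/next" or "node_modules/tool/node_modules/next". Nested copies
// matter because the vulnerable code runs from wherever it is resolved.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!name || !meta || !meta.version) continue;
    if (isAffected(name, meta.version)) findings.push({ path, name, version: meta.version });
  }
  return findings;
}

// Constructed lockfile fragment for illustration (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/next": { version: "15.5.6" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/some-tool/node_modules/next": { version: "16.0.7" },
  },
};

// On a real project: replace SAMPLE_LOCK with
// JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")).
console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Run against the sample, this reports next 15.5.6 and react-server-dom-webpack 19.2.0 and stays quiet on the patched 19.2.1 and 16.0.7 copies. For pnpm or yarn lockfiles the resolved-version walk is the same idea with a different file layout; the version tables are the part worth keeping in sync with the vendor advisory.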

Why This Vulnerability Stands Out

  • Unauthenticated RCE: Exploitation doesn’t require credentials or elevated privileges.
  • Affects Default Installs: Many apps using React Server Components are vulnerable out of the box.
  • Widespread Use: React and Node.js power a large percentage of modern SaaS, e-commerce, and enterprise platforms.
  • Active Exploitation: Nation-state actors and threat groups have reportedly begun using this flaw. According to AWS, China-nexus cyber threat groups have already been observed exploiting the vulnerability in the wild.
  • High Potential for Large-Scale Exploitation: While no wormable campaigns have been publicly confirmed, the vulnerability's ease of use and broad exposure make it a strong candidate for automated attacks.

Immediate Actions for React/Next.js Teams

If your organization uses React Server Components or frameworks like Next.js, take the following steps immediately:

  1. Run a HackerOne Spot Check
    • Identify whether CVE-2025-55182 is present across your web applications.
    • Validate that any mitigation or patch has been applied correctly.
    • Detect unknown or misclassified assets using affected frameworks.
  2. Patch Immediately
    • Upgrade to the latest patched versions of React (19.0.1, 19.1.2, 19.2.1) and Next.js (15.5.7, 16.0.7, or the later patched release for your release line).
    • Ensure you’re not relying on outdated or unmaintained RSC packages.
  3. Audit Your Architecture
    • Reassess your front-end/backend interactions and the use of serialized payloads.
    • Identify exposed endpoints that may be unintentionally vulnerable.
  4. Conduct an Incident Response Investigation
    • If you find you were affected, investigate immediately for signs of compromise.
    • Check logs for suspicious POST requests to RSC endpoints. 

Indicators of Compromise

Network Indicators

  • HTTP POST requests to application endpoints carrying a next-action or rsc-action-id header. These headers also appear on legitimate Server Function calls, so use them to scope which requests to inspect rather than as a verdict on their own.
  • Request bodies containing $@ patterns
  • Request bodies containing "status":"resolved_model" patterns

Host-Based Indicators

  • Unexpected execution of reconnaissance commands (whoami, id, uname)
  • Attempts to read /etc/passwd
  • Suspicious file writes to /tmp/ directory (e.g., pwned.txt)
  • New processes spawned by Node.js/React application processes
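The network and host indicators above are easiest to act on as a small triage script run over what you already log. The following is an added example, not from the advisory or from any vendor tooling, and the field names (src, headers, body, parentComm, cmdline) are assumptions about the log schema that you would adapt to your own proxy and EDR pipeline. The request records and process events are constructed for illustration, using documentation address ranges, not real traffic.

```javascript
// Added example, not from the advisory: apply the network and host indicators
// above to constructed sample data. Field names are assumptions about the schema.

const RSC_ACTION_HEADERS = ["next-action", "rsc-action-id"];
const BODY_PATTERNS = [
  { name: "rsc_chunk_reference", re: /\$@/ },                               // "$@" references
  { name: "resolved_model_status", re: /"status"\s*:\s*"resolved_model"/ }, // forged chunk state
];

// Network: a POST is in scope only if it carries a server-action header, and it
// is reported only if the body also shows an exploit-shaped pattern, so ordinary
// Server Function calls (header present, benign body) are not flagged.
function inspectRequest(rec) {
  if (rec.method !== "POST") return [];
  const headers = {};
  for (const [k, v] of Object.entries(rec.headers || {})) headers[k.toLowerCase()] = v;
  const actionHeader = RSC_ACTION_HEADERS.find((h) => h in headers);
  if (!actionHeader) return [];
  const matched = BODY_PATTERNS.filter((p) => p.re.test(rec.body || "")).map((p) => p.name);
  return matched.length ? [`action_header:${actionHeader}`, ...matched] : [];
}

// Recon commands as whole words at a shell token boundary, so "uuid" or "idle" do not match.
const RECON_COMMANDS = /(^|[\s;|&'"])(whoami|id|uname)([\s;|&'"]|$)/;
const SENSITIVE_PATHS = /\/etc\/passwd|\/tmp\//;

// Host: anything spawned by the Node.js runtime is worth a look (build tooling
// does this legitimately, hence "low"); recon commands or touches on
// /etc/passwd or /tmp raise the finding.
function inspectProcessEvent(ev) {
  if (!/^node(js)?$/.test(ev.parentComm || "")) return [];
  const reasons = ["child_of_node"];
  if (RECON_COMMANDS.test(ev.cmdline || "")) reasons.push("recon_command");
  if (SENSITIVE_PATHS.test(ev.cmdline || "")) reasons.push("sensitive_path");
  return reasons;
}

function severity(reasons) {
  if (reasons.includes("resolved_model_status") || reasons.includes("sensitive_path")) return "high";
  if (reasons.includes("rsc_chunk_reference") || reasons.includes("recon_command")) return "medium";
  return reasons.length ? "low" : "none";
}

function scan(requests, events) {
  const findings = [];
  for (const r of requests) {
    const reasons = inspectRequest(r);
    if (reasons.length) findings.push({ kind: "network", id: `${r.src} ${r.method} ${r.path}`, severity: severity(reasons), reasons });
  }
  for (const e of events) {
    const reasons = inspectProcessEvent(e);
    if (reasons.length) findings.push({ kind: "host", id: `${e.host} ${e.cmdline}`, severity: severity(reasons), reasons });
  }
  return findings;
}

// Constructed sample data (documentation addresses, not real traffic). The first
// body only carries the two literal indicators; it is not a working payload.
const SAMPLE_REQUESTS = [
  { src: "203.0.113.7", method: "POST", path: "/", headers: { "Next-Action": "a1b2c3", "Content-Type": "text/plain" },
    body: '["$@1",{"status":"resolved_model"}]' },
  { src: "198.51.100.9", method: "POST", path: "/dashboard", headers: { "Next-Action": "d4e5f6" }, body: '["hello"]' },
  { src: "192.0.2.5", method: "GET", path: "/", headers: {}, body: "" },
];
const SAMPLE_PROCESS_EVENTS = [
  { host: "web-01", parentComm: "node", comm: "sh", cmdline: 'sh -c "whoami; id; uname -a"' },
  { host: "web-01", parentComm: "node", comm: "sh", cmdline: "sh -c 'cat /etc/passwd'" },
  { host: "web-01", parentComm: "node", comm: "git", cmdline: "git rev-parse HEAD" },
  { host: "web-01", parentComm: "sshd", comm: "bash", cmdline: "bash -c whoami" },
];

console.log(JSON.stringify(scan(SAMPLE_REQUESTS, SAMPLE_PROCESS_EVENTS), null, 2));
```

Two caveats when wiring this to real logs: the network checks need request bodies, which most reverse proxies do not log by default and often truncate when they do, so a miss there is not a clean bill of health; and a network hit alone shows an attempt, not success, so correlate it by time and host with the process findings before calling it a compromise.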

Threat Actor Infrastructure

IP Address        Date of Activity   Attribution
206[.]237.3.150   2025-12-04         Earth Lamia
45[.]77.33.136    2025-12-04         Jackpot Panda
143[.]198.92.82   2025-12-04         Anonymization Network
183[.]6.80.214    2025-12-04         Unattributed threat cluster

What This Reveals About Exposure Management

CVE-2025-55182 underscores the critical need for complete visibility into your tech stack and a well-maintained asset inventory. Vulnerabilities like this aren’t new—but their ability to scale rapidly and fly under the radar makes them uniquely dangerous.

This is also a textbook example of why crowdsourced security plays a pivotal role in any Continuous Threat Exposure Management (CTEM) strategy. Without external testing and validation, vulnerabilities like this often linger unnoticed, even after patching. Don’t let this be one of them.