
A critical, unauthenticated Remote Code Execution (RCE) vulnerability, CVE-2025-55182, has been discovered in React Server Components and Next.js with the maximum severity rating of 10.0. The article highlights that Traceable by Harness WAF provided immediate, proactive protection against this vulnerability class through multi-layered defenses like Server Side Template Injection (SSTI) and Node.js Injection attack rules, even before the CVE was officially disclosed.
Protect Against Critical Unauthenticated RCE in React & Next.js (CVE-2025-55182) with Traceable WAF
The cybersecurity landscape was rocked on December 3rd, 2025, by the disclosure of another critical remote code execution (RCE) vulnerability affecting React Server Components and Next.js applications. With CVSS scores of 10.0, the maximum severity rating, CVE-2025-55182 (React) and the related CVE-2025-66478 (Next.js, later marked as a duplicate) represent an immediate, severe threat to modern web applications. At Harness, we have comprehensive protections in Traceable WAF that were already shielding your applications from these vulnerabilities, even before the CVEs were published.
Understanding the Threat
These vulnerabilities, discovered by security researcher Lachlan Davidson, strike at the heart of React's new server-side rendering architecture. The flaws exist in the React Server Components (RSC) "Flight" protocol, which handles data serialization and deserialization between the server and client. What makes these vulnerabilities particularly dangerous is their combination of the following critical characteristics:
- Unauthenticated exploitation: No credentials or authentication required
- Remote code execution: Full server compromise possible
- Default configurations are vulnerable: Standard deployments are immediately at risk
- Near-100% exploitation reliability: Attacks have shown consistent success rates
- Broad ecosystem impact: Affects React 19, Next.js, and numerous dependent frameworks
The vulnerability stems from insecure deserialization in the RSC protocol's handling of incoming payloads. When the server decodes a specially crafted, malformed Flight payload, it fails to validate the payload's structure correctly, so attacker-controlled data can steer server-side execution logic and ultimately run arbitrary JavaScript on the server.
Affected Versions
React Server Components:
- Vulnerable versions: 19.0.0, 19.1.0, 19.1.1 and 19.2.0
- Affected packages: react-server-dom-parcel, react-server-dom-webpack, react-server-dom-turbopack
- Fixed versions: 19.0.1, 19.1.2, 19.2.1
Next.js (App Router):
- Vulnerable versions: 15.x and 16.x releases earlier than the fixed versions below, plus canary releases from 14.3.0-canary.77 onward
- Fixed versions: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
Other affected frameworks:
- React Router
- Waku
- RedwoodJS (rwsdk)
- Parcel (@parcel/rsc)
- Vite RSC Plugin (@vitejs/plugin-rsc)
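The version lists above are easy to misread by hand, especially the per-minor-line fixes for Next.js. The script below is an added example (my own illustration, not the ASPEN Labs checker and not Harness tooling) that classifies the packages in a package-lock.json against exactly those ranges. The range tables and the package names are taken only from the lists on this page; the lockfile excerpt is constructed for the demo. It checks declared versions only, so it says nothing about whether an RSC endpoint is actually reachable.

```python
"""Classify installed React Server Components / Next.js package versions
against the vulnerable ranges listed above for CVE-2025-55182 and
CVE-2025-66478. Added example; the lockfile excerpt is constructed."""
import re

# First fixed patch per major.minor line, as listed on this page.
REACT_FIXED = {(19, 0): 1, (19, 1): 2, (19, 2): 1}
NEXT_FIXED = {(15, 0): 5, (15, 1): 9, (15, 2): 6, (15, 3): 6,
              (15, 4): 8, (15, 5): 7, (16, 0): 7}
RSC_PACKAGES = ("react-server-dom-webpack", "react-server-dom-parcel",
                "react-server-dom-turbopack")

# Matches 'X.Y.Z' with an optional '-tag.N' prerelease suffix (e.g. canary.77).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.(\d+))?")


def parse_version(spec):
    """'15.4.7' -> (15, 4, 7, None, None); '14.3.0-canary.77' -> (14, 3, 0, 'canary', 77).
    Feed it the concrete versions from a lockfile, not package.json ranges."""
    m = VERSION_RE.match(spec.lstrip("^~=v"))
    if not m:
        raise ValueError(f"unparseable version: {spec!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    tag, num = m.group(4), m.group(5)
    return major, minor, patch, tag, (int(num) if num else None)


def _against_fixed(fixed_table, major, minor, patch, tag):
    fixed_patch = fixed_table.get((major, minor))
    if fixed_patch is None:
        return "unknown line (no fix listed on this page; verify upstream)"
    # semver: a prerelease of X.Y.Z sorts below the X.Y.Z release itself
    if patch < fixed_patch or (patch == fixed_patch and tag is not None):
        return "vulnerable"
    return "fixed"


def assess(package, version):
    """Classify one installed package version against the ranges above."""
    major, minor, patch, tag, num = parse_version(version)
    if package in RSC_PACKAGES:
        if major < 19:
            return "not affected"
        return _against_fixed(REACT_FIXED, major, minor, patch, tag)
    if package == "next":
        if major < 14:
            return "not affected"
        if major == 14:
            # per the page, only 14.3.0-canary.77 and later canaries are affected
            if (minor, patch, tag) == (3, 0, "canary") and num >= 77:
                return "vulnerable (no fixed 14.x listed; move to a fixed 15.x/16.x)"
            return "not affected"
        return _against_fixed(NEXT_FIXED, major, minor, patch, tag)
    return "not in scope"


def scan_lockfile(lock):
    """Walk a package-lock.json v2/v3 'packages' map and classify every entry
    that is in scope. Keys look like 'node_modules/next' or
    'node_modules/a/node_modules/next'; the last segment is the package name."""
    findings = {}
    for path, meta in lock.get("packages", {}).items():
        version = meta.get("version")
        if not path or version is None:
            continue  # "" is the root project entry; links carry no version
        name = path.rsplit("node_modules/", 1)[-1]
        verdict = assess(name, version)
        if verdict != "not in scope":
            findings[path] = (version, verdict)
    return findings


# Constructed lockfile excerpt (not from a real project).
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/next": {"version": "15.4.7"},
        "node_modules/react": {"version": "19.1.1"},
        "node_modules/react-server-dom-webpack": {"version": "19.1.1"},
        "node_modules/legacy-tool/node_modules/next": {"version": "14.2.5"},
    },
}

if __name__ == "__main__":
    for path, (ver, verdict) in scan_lockfile(SAMPLE_LOCK).items():
        print(f"{path:50s} {ver:18s} {verdict}")
```

Run it against a real lockfile by loading the JSON with `json.load` and passing the result to `scan_lockfile`. Note that `react` itself is reported as out of scope: per the list above, the affected code lives in the `react-server-dom-*` packages, so those are what the check keys on.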
Immediate Protection with Traceable WAF's Multi-Layered Defense
Protection by Default - Already Active Before Disclosure
The most important news: if you had Traceable WAF enabled, you were already protected against the known exploit patterns at the time of disclosure. Our payload analysis engine was already defending against this vulnerability class through multiple existing rules, including:
- Server Side Template Injection (SSTI) Attempt: Blocks injection patterns, including those used in RSC deserialization attacks
- Node.js Injection Attack: Prevents code injection attempts targeting the Node.js runtime
This proactive protection demonstrates the value of comprehensive security rules that defend against entire vulnerability classes rather than just specific CVEs.
Dedicated CVE-Specific Analysis
Following the disclosure, our security research team identified multiple possible exploitation techniques and developed additional specific detection signatures. The following signatures protect against the payload patterns characteristic of CVE-2025-55182 exploitation attempts across different components:
- React & Next.js Server Functions Deserialization RCE: (CVE-2025-55182)
- ReactJS Server Functions Deserialization RCE: (CVE-2025-55182)
Ensure both rules are set to the action Block.
AI-Powered Anomaly Detection
Beyond signature-based detection, Traceable's behavioral analysis identifies attempts to bypass detection or discover new attack vectors. Our anomaly detection engine monitors for:
- Unexpected or unknown parameters: Identifying parameters not seen in normal traffic
- Unseen parameter contents: Detecting unusual values in known parameters
- Unusual request sizes: Flagging requests that deviate from typical patterns
- Abnormal execution paths: Recognizing when requests trigger unexpected behavior
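The first three checks in that list can be shown end to end with a small baseline-and-score model. The code below is an added illustration of the idea, not Traceable's anomaly engine: it learns, per endpoint, which parameter names appear, what coarse "shape" each parameter's values take, and the typical request size, then reports every way a new request departs from that profile. All request records are constructed for the demo; the fourth bullet (abnormal execution paths) needs server-side visibility and is not modelled here.

```python
"""Baseline-and-score anomaly check for request parameters and sizes.
Added illustration of the approach described above; all traffic is constructed."""
import re
import statistics
from collections import defaultdict


def value_shape(value):
    """Collapse a parameter value to a coarse shape: letters -> 'a', digits -> 'd',
    whitespace -> '_', everything else kept literally. 'hello world' -> 'a_a'."""
    shape = re.sub(r"[A-Za-z]+", "a", value)
    shape = re.sub(r"\d+", "d", shape)
    return re.sub(r"\s+", "_", shape)


class Baseline:
    """Per-endpoint profile learned from a window of known-good traffic."""

    def __init__(self):
        self.params = defaultdict(set)   # path -> {parameter names}
        self.shapes = defaultdict(set)   # (path, param) -> {value shapes}
        self.sizes = defaultdict(list)   # path -> [request sizes in bytes]

    def learn(self, req):
        path = req["path"]
        for name, value in req["params"].items():
            self.params[path].add(name)
            self.shapes[(path, name)].add(value_shape(value))
        self.sizes[path].append(req["size"])

    def size_limit(self, path):
        sizes = self.sizes[path]
        if len(sizes) < 2:
            return None
        mean = statistics.mean(sizes)
        # floor the spread so a very uniform baseline does not flag every small drift
        spread = max(statistics.pstdev(sizes), 0.1 * mean)
        return mean + 3 * spread

    def score(self, req):
        """Return the list of anomaly reasons for one request (empty = looks normal)."""
        path = req["path"]
        if path not in self.params:
            return ["unseen endpoint"]
        reasons = []
        for name, value in req["params"].items():
            if name not in self.params[path]:
                reasons.append(f"unknown parameter: {name}")
            elif value_shape(value) not in self.shapes[(path, name)]:
                reasons.append(f"unseen value shape for {name}: {value_shape(value)}")
        limit = self.size_limit(path)
        if limit is not None and req["size"] > limit:
            reasons.append(f"unusual request size: {req['size']} > {limit:.0f}")
        return reasons


# Constructed training traffic (not captured from a real deployment).
TRAINING = [
    {"path": "/api/search", "params": {"q": "running shoes", "page": "1"}, "size": 180},
    {"path": "/api/search", "params": {"q": "laptop bag", "page": "2"}, "size": 210},
    {"path": "/api/search", "params": {"q": "usb hub", "page": "1"}, "size": 195},
    {"path": "/api/search", "params": {"q": "desk lamp", "page": "3"}, "size": 205},
    {"path": "/api/search", "params": {"q": "monitor", "page": "2"}, "size": 188},
    {"path": "/checkout", "params": {"sku": "sku-100", "qty": "2"}, "size": 140},
    {"path": "/checkout", "params": {"sku": "sku-205", "qty": "1"}, "size": 145},
]

# Constructed requests to score against the baseline.
NORMAL = {"path": "/api/search", "params": {"q": "wool socks", "page": "4"}, "size": 200}
UNKNOWN_PARAM = {"path": "/api/search", "params": {"q": "socks", "debug": "1"}, "size": 190}
ODD_VALUE = {"path": "/checkout", "params": {"sku": "{{7*7}}", "qty": "1"}, "size": 150}
OVERSIZED = {"path": "/api/search", "params": {"q": "socks", "page": "1"}, "size": 4096}


def build_baseline(training=TRAINING):
    baseline = Baseline()
    for req in training:
        baseline.learn(req)
    return baseline


if __name__ == "__main__":
    b = build_baseline()
    for label, req in [("normal", NORMAL), ("unknown-param", UNKNOWN_PARAM),
                       ("odd-value", ODD_VALUE), ("oversized", OVERSIZED)]:
        print(f"{label:14s} -> {b.score(req) or 'ok'}")
```

The shape function is deliberately coarse: it lets ordinary free-text values through while still separating a product name from a value full of braces and operators. A production engine would learn from far more traffic and would weight reasons rather than just listing them, but the structure is the same.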
Testing Your Applications for Vulnerability
ASPEN Labs CVE-2025-55182 Checker
Our security researchers at ASPEN Labs by Harness have developed an open-source tool to help organizations test whether their applications are vulnerable to CVE-2025-55182. This tool provides a safe, controlled way to verify if your React and Next.js applications are vulnerable.
Tool repository: https://github.com/aspen-labs/CVE-2025-55182-checker
Quick Testing Guide
- Clone the checker tool:
git clone https://github.com/aspen-labs/CVE-2025-55182-checker.git
cd CVE-2025-55182-checker
- Run the vulnerability check:
# Install uv
curl -LsSf https://astral.sh/uv/install.sh | sh
# Test a specific endpoint
uv run check https://your-app.com
# Test multiple endpoints from a file
uv run check --file targets.txt.example -o vulnerable.txt
The Harness Advantage: Research-Driven Security
At Harness, our researchers also build the defences, which shortens the path from vulnerability analysis to deployed protection. Our security research team doesn't just analyze these vulnerabilities; they immediately evaluate and translate their findings into practical protections deployed across our WAF infrastructure.
This research-to-product pipeline means:
- Faster protection deployment: Hours, not days, from disclosure to protection
- Higher efficacy rates: Researchers who understand the vulnerability build the defense
- Continuous improvement: Real-world data feeds back into research
- Proactive defense: Identifying vulnerability classes before they're exploited
Continuous Protection is Necessary
The disclosure of CVE-2025-55182 serves as a stark reminder of the evolving threat landscape facing modern web applications. As frameworks become more sophisticated, so do the attack vectors targeting them. Traceable by Harness WAF represents not just a response to today's threats, but a platform built for tomorrow's challenges.
Our commitment to our customers includes:
- 24/7 threat monitoring: Continuous surveillance for emerging threats
- Rapid rule deployment: Protection updates within hours of disclosure
- Research-driven innovation: Leveraging cutting-edge security research
- Community collaboration: Sharing threat intelligence for collective defense
Take Action Now
The critical nature of these vulnerabilities demands immediate action. Organizations running React Server Components or Next.js applications should:
- Enable Traceable WAF protection immediately if not already active
- Review protection logs for any exploitation attempts
- Plan patching schedule for affected applications
- Contact our security team for customized protection strategies
Be Ready for the Next Vulnerability
CVE-2025-55182 represents one of the most severe vulnerability disclosures in recent memory for the JavaScript ecosystem. With their combination of ease of exploitation, widespread impact, and critical severity, these vulnerabilities pose an immediate threat to organizations worldwide.
Traceable by Harness WAF provides comprehensive, immediate protection against these vulnerabilities through multiple layers of defense, from signature-based detection to AI-powered behavioral analysis. While patching remains essential for long-term security, our WAF ensures your applications remain protected during this critical period.
At Harness, we understand that security is not just about responding to threats; it's about staying ahead of them. Our research-driven approach, combined with our advanced WAF capabilities, ensures that your applications remain secure not only against today's disclosed vulnerabilities but also against tomorrow's emerging threats.
Stay protected. Stay ahead. Choose Traceable by Harness WAF.
For more information about Traceable WAF protection against CVE-2025-55182, or guidance, contact our team at security@harness.io
