## https://sploitus.com/exploit?id=EED15FBE-6F1D-5ACA-B37C-2BF70CDFD31B
# I. Overview of the Vulnerability
In recent days, there have been many reports of a deserialization RCE vulnerability in React. The official CVSS score reached 10.0, which is comparable to that of Log4j in the past. Many rumors claim that this vulnerability is similar to Log4j in modern frontends, causing panic among developers from various companies. As a result, people are busy checking literature and applying patches immediately. At the same time, there are also many doubts online. Some people tested the vulnerability and found that it wasnât as easy to exploit as claimed. So, I decided to take some time to study this vulnerability in detail.
## 1.1 Vulnerability Information
- **CVE Number**: CVE-2025-55182
- **CVSS Score**: 10.0 (Critical)
- **Vulnerability Type**: Prototype chain pollution â Remote code execution
- **Affected Versions**: `react-server-dom-webpack =19.2.0`
# Upgrade `react-server-dom-turbopack`
npm install react-server-dom-turbopack@>=19.2.0
# Next.js Users
npm install next@>=15.0.5
**Fix Versions**:
- `react-server-dom-webpack`: >= 19.2.0
- `react-server-dom-turbopack`: >= 19.2.0
- `next.js`: >= 15.0.5
When analyzing the above vulnerability, I referred to related examples from whiteov3rflow. I also developed a vulnerability detection tool for the testing environment and uploaded it to the GitHub repository.
Students who need to conduct self-checks can get the tool by replying âAIMi003â in the official account. (Note: Due to the original testing environment, this tool may only be applicable to the original testing environment. Once it is improved, it can be shared with those who need it.) Please use it under legal authorization only. Unauthorized use is prohibited! ## 3. Be cautious and act carefully! As of December 5, 2025, I observed that the ânewsâ about this vulnerability has been volatile. Sometimes it seems like a ânuclear bombâ, sometimes like a âwater holeâ, and then soon it becomes another ânuclear bombâ. There are countless ways to exploit this vulnerability. Currently, according to relevant information, it seems that the ânuclear bombâ might be true. However, the scope of impact is relatively smaller compared to Log4j. Nevertheless, everyone involved should update their systems as soon as possible to avoid future problems!!! Additionally, hereâs a safety advice for developers: never trust user inputs. Log4j, fastjson, and current React RCE vulnerabilities have all been exploited due to this reason. Therefore, during actual business development, strict validation should be applied to dangerous areas using sandboxing or whitelisting methods to prevent tragedies from happening!
## References
- [Official announcement for CVE-2025-55182](https://vulners.com/cve/CVE-2025-55182)
- [React Security Advisory](https://github.com/facebook/react/security)
- [GitHub PoC by ejpir](https://github.com/ejpir/CVE-2025-55182-poc)
- [React Server Components documentation](https://react.dev/reference/rsc/server-components)