Today, Immersive's Container 7 Research Team have released a lab covering a critical vulnerability in React Server Components (RSC).
On December 3, 2025, the cybersecurity world received news of a critical vulnerability in the React 19 ecosystem. The flaw, tracked as CVE-2025-55182 with a CVSS score of 10.0, affects React Server Components (RSC). It allows unauthenticated attackers to achieve Remote Code Execution (RCE) on vulnerable servers by sending a specially crafted HTTP request.
AI Hallucination
Within the first 24 hours of the vulnerability being announced, a POC was published to GitHub. It looked convincing and, when tested, appeared to achieve its goal, resulting in code execution. It turned out that this POC, which was picked up and circulated by researchers and on social media, was actually an AI hallucination: the AI had crafted a deliberately misconfigured, vulnerable server together with a POC that appeared to match the requirements of the exploit but in fact only triggered that misconfiguration, not CVE-2025-55182 itself.
What is this about?
CVE-2025-55182 is a critical insecure deserialization vulnerability affecting React Server Components (RSC) in the React 19 ecosystem. The flaw is located in the server-side logic that handles the React Flight protocol, which carries client-to-server interactions, specifically Server Functions (also called Server Actions). An unauthenticated attacker can send a specially crafted HTTP request containing a malicious serialized payload; the vulnerable server-side code fails to validate this payload before processing it, allowing the attacker to achieve remote code execution on the server.
Why is this critical for you and your team?
This vulnerability has a CVSS score of 10, is fairly trivial to exploit, and has a severe impact when exploited successfully: unauthenticated remote code execution. If your team uses React, React Server Components (RSC), or a framework built on them, you are at risk. The flaw affects the standard, default configurations of high-profile frameworks such as the Next.js App Router, which many organizations rely on for building high-performance sites.
Who is the content for?
- Security Analysts
- Penetration Testers
- Incident Responders
- Vulnerability Management Teams
Here is a link to the lab: