Executive summary
We have been notified by our partners that a newly disclosed vulnerability CVE-2025-55182 affecting multiple React-based frameworks revealed a critical flaw in how React’s Server Functions protocol processes incoming Flight requests. The Next.js team published a separate advisory, CVE-2025-66478, to track the impact of this vulnerability.
There have not been any observed in-the-wild exploitations of this vulnerability. Still, Akamai has deployed an Adaptive Security Engine Rapid Rule to protect our customers from this threat.
Vulnerability details
At the center of the issue is insecure deserialization, in which attacker-controlled inputs are parsed and expanded without sufficient validation or sanitization. Please note: This vulnerability does not require authentication, which makes it trivial and easier to exploit.
During this process, the deserialization mechanism implicitly expands object properties, making it susceptible to prototype pollution. By injecting malicious keys into the data stream, an attacker can tamper with fundamental object prototypes, altering web application behavior at runtime.
When this primitive is combined with specific execution paths in React Server Components, the attack can be escalated to achieve remote code execution (RCE) on the target server. This risk is especially severe for web applications that rely heavily on React Server Components and the broader Server Functions execution model, where trust boundaries are tightly coupled with serialization protocols. (Further information can be found in the blog post published by the React Team.)
The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:
react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack
The following frameworks and bundlers are impacted:
next
react-router
waku
@parcel/rsc
@vitejs/plugin-rsc
rwsdk
Mitigating with Akamai App & API Protector
On December 3, 2025, Akamai deployed an Adaptive Security Engine Rapid Rule for App & API Protector customers to provide full coverage.
3000976 — React Remote Code Execution Attack Detected (CVE-2025-55182)
Summary
A new rule within Akamai App & API Protector has been deployed to protect our customers from this threat. However, the most effective defense will always be to promptly apply the patches provided by the vendor. Given the severity of this issue, any patches should be applied as soon as possible.
The Akamai Security Intelligence Group will continue to monitor, report on, and create mitigations for threats such as these for both our customers and the security community at large. To keep up with more breaking news from the Akamai Security Intelligence Group, check out our research home page and follow us on social media.
Tags
