
CVE-2025-55182: React and Next.js Server Functions Deserialization RCE


Executive summary

We have been notified by our partners of a newly disclosed vulnerability, CVE-2025-55182, affecting multiple React-based frameworks. It reveals a critical flaw in how React’s Server Functions protocol processes incoming Flight requests. The Next.js team published a separate advisory, CVE-2025-66478, to track the impact of this vulnerability.

No in-the-wild exploitation of this vulnerability has been observed so far. Still, Akamai has deployed an Adaptive Security Engine Rapid Rule to protect our customers from this threat.

Vulnerability details

At the center of the issue is insecure deserialization, in which attacker-controlled inputs are parsed and expanded without sufficient validation or sanitization. Please note: This vulnerability does not require authentication, which makes it trivial to exploit.

During deserialization, the mechanism implicitly expands object properties, making it susceptible to prototype pollution. By injecting malicious keys into the data stream, an attacker can tamper with fundamental object prototypes, altering web application behavior at runtime.

When this primitive is combined with specific execution paths in React Server Components, the attack can be escalated to achieve remote code execution (RCE) on the target server. This risk is especially severe for web applications that rely heavily on React Server Components and the broader Server Functions execution model, where trust boundaries are tightly coupled with serialization protocols. (Further information can be found in the blog post published by the React Team.)
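The following is an added example, not code from the React project or from this advisory. It shows, on a deliberately simplified toy deserializer (an assumption standing in for the Flight protocol's real property expansion), why "implicitly expanding object properties" from untrusted input leads to prototype pollution, and the hardened form a reviewer would expect: refusing the prototype-related keys and writing decoded data onto null-prototype objects. The payload string is constructed for the demonstration.

```javascript
// Added example: toy property-expanding deserializer (not React's Flight code).
// Keys that can reach an object's prototype chain when assigned by name.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unsafe pattern: every decoded key is assigned with bracket notation onto a
// plain object. JSON.parse yields an OWN property literally named "__proto__",
// but target["__proto__"] on a plain object is the inherited prototype
// accessor, so the recursion descends into Object.prototype and writes there.
function unsafeExpand(target, payload) {
  for (const key of Object.keys(payload)) {
    const value = payload[key];
    if (value !== null && typeof value === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeExpand(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: reject prototype-related keys outright, only descend into
// properties the target itself owns, and build nested containers with a null
// prototype so no name can alias an inherited accessor.
function safeExpand(target, payload) {
  for (const key of Object.keys(payload)) {
    if (DANGEROUS_KEYS.has(key)) {
      throw new Error(`rejected unsafe key "${key}" in untrusted input`);
    }
    const value = payload[key];
    if (value !== null && typeof value === 'object') {
      const owned = Object.prototype.hasOwnProperty.call(target, key);
      if (!owned || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = Object.create(null);
      }
      safeExpand(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Unsafe: decoded data lands on a plain {} and can reach Object.prototype.
function unsafeDeserialize(text) {
  return unsafeExpand({}, JSON.parse(text));
}

// Hardened: decoded data lands on a null-prototype object and unsafe keys abort.
function safeDeserialize(text) {
  return safeExpand(Object.create(null), JSON.parse(text));
}

// Detection helper: has some deserializer already polluted Object.prototype?
function prototypeHasOwn(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Constructed sample input (not from the advisory): a benign field plus a
// "__proto__" key carrying a property that should never become global.
const CONSTRUCTED_PAYLOAD = '{"name":"demo","__proto__":{"polluted":true}}';
```

Running `unsafeDeserialize(CONSTRUCTED_PAYLOAD)` makes `({}).polluted` true for every object in the process, which is exactly the runtime behavior change the advisory describes; `safeDeserialize` throws on the same input and otherwise returns a null-prototype object that cannot be reached through `__proto__` at all. `prototypeHasOwn('polluted')` is the cheap check to confirm the process is clean again after the demonstration.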

The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:

  • react-server-dom-webpack

  • react-server-dom-parcel

  • react-server-dom-turbopack

The following frameworks and bundlers are impacted:

  • next

  • react-router

  • waku

  • @parcel/rsc

  • @vitejs/plugin-rsc

  • rwsdk
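As an added example (not part of the advisory or any vendor tooling), the check below scans the `packages` map of a lockfileVersion 2 or 3 `package-lock.json` for the three `react-server-dom-*` packages at the versions listed above, including copies nested under a framework such as `next`. The advisory's "19.0" is read as 19.0.0, which is an assumption; the lockfile object is constructed for the demonstration.

```javascript
// Added example: find affected react-server-dom-* versions in a package-lock.json
// (lockfileVersion 2/3 "packages" map). Not an official Akamai or React tool.
const AFFECTED_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];
// Versions named in the advisory; "19.0" is taken to mean 19.0.0 (assumption).
const AFFECTED_VERSIONS = new Set(['19.0.0', '19.1.0', '19.1.1', '19.2.0']);

// Derive the package name from a lockfile path such as
// "node_modules/next/node_modules/react-server-dom-turbopack" (innermost wins).
function packageNameFromPath(path) {
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Return every installed copy of an affected package at an affected version.
function findAffected(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === '') continue; // the root project entry, not a dependency
    const name = entry.name || packageNameFromPath(path);
    if (AFFECTED_PACKAGES.includes(name) && AFFECTED_VERSIONS.has(entry.version)) {
      hits.push({ path, name, version: entry.version });
    }
  }
  return hits;
}

// Convenience wrapper for raw lockfile text, e.g. the contents of package-lock.json.
function scanLockfileText(text) {
  return findAffected(JSON.parse(text));
}

// Constructed lockfile excerpt (not from a real project): one top-level hit,
// one hit nested under a framework, and two packages that are not affected.
const CONSTRUCTED_LOCKFILE = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.1.1' },
    'node_modules/next/node_modules/react-server-dom-turbopack': { version: '19.2.0' },
    'node_modules/some-other-package': { version: '99.0.0' },
  },
};
```

In a CI job you would pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findAffected` and fail the build when the result is non-empty. Note that `react` itself at 19.2.0 is not reported: the advisory lists the `react-server-dom-*` packages, so the check matches on those names only.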

Mitigating with Akamai App & API Protector

On December 3, 2025, Akamai deployed an Adaptive Security Engine Rapid Rule for App & API Protector customers to provide full coverage.

  • 3000976 — React Remote Code Execution Attack Detected (CVE-2025-55182)

Summary

A new rule within Akamai App & API Protector has been deployed to protect our customers from this threat. However, the most effective defense will always be to promptly apply the patches provided by the vendor. Given the severity of this issue, any patches should be applied as soon as possible.

The Akamai Security Intelligence Group will continue to monitor, report on, and create mitigations for threats such as these for both our customers and the security community at large. To keep up with more breaking news from the Akamai Security Intelligence Group, check out our research home page and follow us on social media.
