CloudGuard WAF Pre-emptively Block the React2Shell Zero-Day (CVE-2025-55182)

Vani — Fri, 05 Dec 2025 21:45:03 GMT

React Server Components (RSC) and Server Functions in React 19 are at the center of a new critical vulnerability, CVE‑2025‑55182, widely referred to as React2Shell. The issue is rated CVSS 10.0 and allows an unauthenticated remote attacker to achieve remote code execution (RCE) on servers handling RSC traffic.

In this post we’ll briefly cover the impact, who is affected, what you should do now, and how CloudGuard WAF (and the open‑source open‑appsec engine) provide preemptive protection, including against the recently released public proof‑of‑concept (PoC) exploits.

Understanding React2Shell (CVE‑2025‑55182)

The React team has disclosed an unauthenticated RCE vulnerability in React Server Components, specifically in how React decodes payloads sent to React Server Function endpoints.

An attacker can:

Send a specially crafted HTTP request to a Server Function endpoint in a vulnerable deployment, and
Have that payload deserialized in a way that leads to arbitrary code execution on the server, with no authentication and no user interaction required.

Because RSC / Server Functions are increasingly used in modern React and Next.js applications as core plumbing, this turns into a high‑impact server‑side vulnerability, comparable in urgency to other critical deserialization bugs.

Affected packages and frameworks

According to the official React advisory and GitHub’s CVE record, the vulnerability affects the following React server‑side packages:

react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack

Vulnerable React versions

The issue is present in	fixed in
19.0	19.0.1
19.1.0	19.1.1
19.1.1	19.1.1
19.2.0	19.2.1

Affected frameworks and ecosystems

Several popular frameworks and tools that depend on these RSC packages are also affected, including:

Next.js 15.x and 16.x (App Router)
- Affected ranges include multiple 15.x and 16.x releases, as well as canary builds starting from 14.3.0‑canary.77.
- Patched stable versions include 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7.

React Router (unstable RSC APIs)
Waku
Redwood SDK
@vitejs/plugin-rsc
@parcel/rsc

If your React application:

does not run on a server (pure client‑side only), or
does not use a framework / bundler that supports RSC,

then it is not affected by CVE‑2025‑55182.

CloudGuard WAF & open‑appsec: pre‑emptive protection

CloudGuard WAF and open‑appsec use a signature‑less, machine‑learning‑based engine that analyzes full HTTP requests, including complex, nested payloads such as those used by React Server Components and Server Functions.

Instead of matching only on static strings, the engine:

Fully decodes bodies (JSON, multipart, nested structures).
Understands parameter relationships and request context (method, headers, path, content type).
Scores requests based on patterns consistent with deserialization abuse and remote code execution, not just classic SQLi/XSS signatures.

As public React2Shell PoC exploits for CVE‑2025‑55182 became available, we replayed them in a controlled lab environment against applications using vulnerable React/Next.js stacks. In these tests:

CloudGuard WAF and open‑appsec pre‑emptively blocked the exploit traffic, even before deploying any CVE‑specific virtual patch updates.

This aligns with what we’ve consistently seen in previous zero‑days: once an exploit relies on abnormal protocol usage, deserialization tricks, or server‑side execution primitives, the ML‑based detection has a strong signal - even when the vulnerability itself is newly disclosed.

We are now complementing this existing protection with dedicated complementary rules tailored for React Server Components traffic, further tightening coverage while preserving low false‑positive rates.

What should you do now?

1. Identify whether you are affected

You should treat this as an emergency patching event if:

You are using React 19 with Server Components / Server Functions, and
Your stack relies on any of the affected packages or frameworks listed above.

In particular, you are likely affected if you run:

Next.js with the App Router on versions:
- 15.x or 16.x prior to the patched releases, or
- 14.3 canary builds from 14.3.0‑canary.77 onward.

React applications using experimental RSC features in React Router, Waku, Redwood SDK, Vite RSC plugin, or Parcel RSC.

2. Upgrade immediately

Follow the official guidance from the React and Next.js teams:

React server components packages Upgrade to 19.0.1, 19.1.2, or 19.2.1 for:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack

Next.js (App Router) Upgrade to the latest patched release in your branch

If you are on Next.js 14.3.0‑canary.77 or later canaries, downgrade to a stable 14.x release

Other RSC‑enabled frameworks and tools Follow the upgrade instructions from the React blog and each vendor (React Router, Redwood SDK, Waku, @vitejs/plugin-rsc, @parcel/rsc).

3. Harden your perimeter

Even after patching, we strongly recommend keeping CloudGuard AppSec / open‑appsec in Prevent mode for internet‑facing applications using React 19 and RSC‑aware frameworks.

Summary

CVE‑2025‑55182 (React2Shell) is a critical, unauthenticated RCE in React Server Components / Server Functions with a CVSS score of 10.0.
It impacts React 19 server packages (react-server-dom-*) and popular frameworks including Next.js 15.x/16.x App Router and several other RSC‑enabled ecosystems.
Organizations should upgrade immediately to fixed versions of React, Next.js, and any affected RSC tooling, following the official guidance.
In parallel, CloudGuard WAF and open‑appsec have already demonstrated pre‑emptive blocking of the newly released PoC exploit traffic for this CVE, thanks to their contextual, ML‑based detection of deserialization and RCE behavior - providing an important safety net while patches are rolled out and as exploit techniques evolve.

Re: CloudGuard WAF Pre-emptively Block the React2Shell Zero-Day (CVE-2025-55182)

the_rock — Sat, 06 Dec 2025 17:19:34 GMT

Excellent!

Re: CloudGuard WAF Pre-emptively Block the React2Shell Zero-Day (CVE-2025-55182)

Patrice_Roggema — Wed, 10 Dec 2025 08:15:24 GMT

Hi Vani,

I understand that checkpoint offers protection via WAF and IPS signature, but

Is there an official statement from Checkpoint for all of there products ?

Best regards,

Pierre

Re: CloudGuard WAF Pre-emptively Block the React2Shell Zero-Day (CVE-2025-55182)

PhoneBoy — Wed, 10 Dec 2025 22:56:31 GMT

We're not vulnerable.

Re: CloudGuard WAF Pre-emptively Block the React2Shell Zero-Day (CVE-2025-55182)

the_rock — Wed, 10 Dec 2025 23:09:38 GMT

Excellent.

topic CloudGuard WAF Pre-emptively Block the React2Shell Zero-Day (CVE-2025-55182) in WAF

CloudGuard WAF Pre-emptively Block the React2Shell Zero-Day (CVE-2025-55182)

Understanding React2Shell (CVE‑2025‑55182)

2. Upgrade immediately

Re: CloudGuard WAF Pre-emptively Block the React2Shell Zero-Day (CVE-2025-55182)

Re: CloudGuard WAF Pre-emptively Block the React2Shell Zero-Day (CVE-2025-55182)

Re: CloudGuard WAF Pre-emptively Block the React2Shell Zero-Day (CVE-2025-55182)

Re: CloudGuard WAF Pre-emptively Block the React2Shell Zero-Day (CVE-2025-55182)