Vani
Employee

CloudGuard WAF Pre-emptively Blocks the React2Shell Zero-Day (CVE-2025-55182)

React Server Components (RSC) and Server Functions in React 19 are at the center of a new critical vulnerability, CVE‑2025‑55182, widely referred to as React2Shell. The issue is rated CVSS 10.0 and allows an unauthenticated remote attacker to achieve remote code execution (RCE) on servers handling RSC traffic.

In this post we’ll briefly cover the impact, who is affected, what you should do now, and how CloudGuard WAF (and the open‑source open‑appsec engine) provides preemptive protection, including against the recently released public proof‑of‑concept (PoC) exploits.

 

Understanding React2Shell (CVE‑2025‑55182)

 

The React team has disclosed an unauthenticated RCE vulnerability in React Server Components, specifically in how React decodes payloads sent to React Server Function endpoints.

An attacker can:
 
  • Send a specially crafted HTTP request to a Server Function endpoint in a vulnerable deployment, and

  • Have that payload deserialized in a way that leads to arbitrary code execution on the server, with no authentication and no user interaction required.

 
 Because RSC / Server Functions are increasingly used in modern React and Next.js applications as core plumbing, this turns into a high‑impact server‑side vulnerability, comparable in urgency to other critical deserialization bugs.
 
 
Affected packages and frameworks
 
According to the official React advisory and GitHub’s CVE record, the vulnerability affects the following React server‑side packages:
 
 
 
  • react-server-dom-webpack

  • react-server-dom-parcel

  • react-server-dom-turbopack

 
 Vulnerable React versions

 The issue is present in          Fixed in
 19.0                             19.0.1
 19.1.0, 19.1.1                   19.1.2
 19.2.0                           19.2.1

 
Affected frameworks and ecosystems
 
 Several popular frameworks and tools that depend on these RSC packages are also affected, including:
 
  • Next.js 15.x and 16.x (App Router)

    • Affected ranges include multiple 15.x and 16.x releases, as well as canary builds starting from 14.3.0‑canary.77.

    • Patched stable versions include 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7.

 
  • React Router (unstable RSC APIs)

  • Waku

  • Redwood SDK

  • @vitejs/plugin-rsc

  • @parcel/rsc

 

If your React application:

 
  • does not run on a server (pure client‑side only), or

  • does not use a framework / bundler that supports RSC,

 

then it is not affected by CVE‑2025‑55182.

 
 
CloudGuard WAF & open‑appsec: pre‑emptive protection
 
 CloudGuard WAF and open‑appsec use a signature‑less, machine‑learning‑based engine that analyzes full HTTP requests, including complex, nested payloads such as those used by React Server Components and Server Functions.
 

Instead of matching only on static strings, the engine:

 
  • Fully decodes bodies (JSON, multipart, nested structures).

  • Understands parameter relationships and request context (method, headers, path, content type).

  • Scores requests based on patterns consistent with deserialization abuse and remote code execution, not just classic SQLi/XSS signatures.

 

As public React2Shell PoC exploits for CVE‑2025‑55182 became available, we replayed them in a controlled lab environment against applications using vulnerable React/Next.js stacks. In these tests:

 
CloudGuard WAF and open‑appsec pre‑emptively blocked the exploit traffic, even before deploying any CVE‑specific virtual patch updates.
 

This aligns with what we’ve consistently seen in previous zero‑days: once an exploit relies on abnormal protocol usage, deserialization tricks, or server‑side execution primitives, the ML‑based detection has a strong signal - even when the vulnerability itself is newly disclosed.

We are now complementing this existing protection with dedicated rules tailored for React Server Components traffic, further tightening coverage while preserving low false‑positive rates.
 
 
What should you do now?
 
 
1. Identify whether you are affected
 
 You should treat this as an emergency patching event if:
 
  • You are using React 19 with Server Components / Server Functions, and

  • Your stack relies on any of the affected packages or frameworks listed above.

 
 In particular, you are likely affected if you run:
 
  • Next.js with the App Router on versions:

    • 15.x or 16.x prior to the patched releases, or

    • 14.3 canary builds from 14.3.0‑canary.77 onward.

 
  • React applications using experimental RSC features in React Router, Waku, Redwood SDK, Vite RSC plugin, or Parcel RSC.
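As an added example (not code from this post or from Check Point), the following Node.js script turns the affected and fixed versions quoted above into an offline check over a package-lock.json, so the "are we affected?" question can be answered from an inventory rather than by hand. The package-lock layout (v2/v3 "packages" map), the constructed sample lock file and the function names are assumptions of this example; the version numbers are the ones the post lists.

```javascript
// Added example, not from the post: map the affected/fixed versions the post
// quotes onto the contents of a package-lock.json. Runs offline, no dependencies.

// Fixed react-server-dom-* versions quoted in the post, keyed by 19.x minor.
const REACT_RSC_FIXED = { 0: '19.0.1', 1: '19.1.2', 2: '19.2.1' };
const REACT_RSC_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];
// Patched stable Next.js releases quoted in the post, keyed by "major.minor".
const NEXT_FIXED = {
  '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6', '15.3': '15.3.6',
  '15.4': '15.4.8', '15.5': '15.5.7', '16.0': '16.0.7',
};
// Canary builds are affected from 14.3.0-canary.77 onward (post's wording).
const NEXT_CANARY_FIRST_AFFECTED = { base: '14.3.0', canary: 77 };

// Parse "major.minor.patch[-prerelease]" without a semver dependency.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Compare only the numeric core; prerelease handling is done by the callers.
function compareCore(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  return 0;
}

// A version is below the fix if its core is lower, or if it is a prerelease
// of the fixed version itself (19.1.2-canary.N predates 19.1.2).
function belowFix(v, fixedStr) {
  const cmp = compareCore(v, parseVersion(fixedStr));
  return cmp < 0 || (cmp === 0 && v.pre !== null);
}

// Status of a react-server-dom-* package version.
function assessReactRsc(version) {
  const v = parseVersion(version);
  if (!v) return { status: 'unparseable', fixedIn: null };
  if (v.major !== 19) return { status: 'not-affected', fixedIn: null };
  const fixed = REACT_RSC_FIXED[v.minor];
  if (!fixed) return { status: 'unknown', fixedIn: null }; // minor not covered by the post
  return { status: belowFix(v, fixed) ? 'vulnerable' : 'patched', fixedIn: fixed };
}

// Status of a Next.js version (App Router assumed, as in the post).
function assessNext(version) {
  const v = parseVersion(version);
  if (!v) return { status: 'unparseable', fixedIn: null };
  if (v.major === 14) {
    const m = v.pre && /^canary\.(\d+)$/.exec(v.pre);
    if (m && compareCore(v, parseVersion(NEXT_CANARY_FIRST_AFFECTED.base)) === 0 &&
        +m[1] >= NEXT_CANARY_FIRST_AFFECTED.canary) {
      return { status: 'vulnerable', fixedIn: 'stable 14.x' }; // post: downgrade to stable 14.x
    }
    return { status: 'not-affected', fixedIn: null };
  }
  if (v.major !== 15 && v.major !== 16) return { status: 'not-affected', fixedIn: null };
  const fixed = NEXT_FIXED[`${v.major}.${v.minor}`];
  if (!fixed) return { status: 'unknown', fixedIn: null }; // branch not in the post's list
  return { status: belowFix(v, fixed) ? 'vulnerable' : 'patched', fixedIn: fixed };
}

// Walk a package-lock.json v2/v3 "packages" map (assumed layout) and report every
// RSC-relevant package, including nested copies under other dependencies.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!entry || !entry.version) continue;
    let result = null;
    if (REACT_RSC_PACKAGES.includes(name)) result = assessReactRsc(entry.version);
    else if (name === 'next') result = assessNext(entry.version);
    if (result && result.status !== 'not-affected') {
      findings.push({ name, version: entry.version, ...result });
    }
  }
  return findings;
}

// Constructed sample lock file (not a real project).
const SAMPLE_LOCK = {
  packages: {
    '': { version: '1.0.0' },
    'node_modules/react': { version: '19.1.1' },
    'node_modules/react-server-dom-webpack': { version: '19.1.1' },
    'node_modules/next': { version: '15.4.2' },
    'node_modules/some-lib/node_modules/react-server-dom-turbopack': { version: '19.2.1' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanLockfile(SAMPLE_LOCK)) {
    console.log(`${f.name}@${f.version}: ${f.status}${f.fixedIn ? ` (fixed in ${f.fixedIn})` : ''}`);
  }
}
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')). Anything reported as "unknown" is a branch the post does not enumerate and should be checked against the React and Next.js advisories directly; the scanner deliberately does not guess for those.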

2. Upgrade immediately

Follow the official guidance from the React and Next.js teams:
 
  • React Server Components packages: upgrade to 19.0.1, 19.1.2, or 19.2.1 for:

    • react-server-dom-webpack

    • react-server-dom-parcel

    • react-server-dom-turbopack

 
  • Next.js (App Router): upgrade to the latest patched release in your branch.

    If you are on Next.js 14.3.0‑canary.77 or a later canary, downgrade to a stable 14.x release.

 
  • Other RSC‑enabled frameworks and tools: follow the upgrade instructions from the React blog and each vendor (React Router, Redwood SDK, Waku, @vitejs/plugin-rsc, @parcel/rsc).

 
 3. Harden your perimeter
 
Even after patching, we strongly recommend keeping CloudGuard AppSec / open‑appsec in Prevent mode for internet‑facing applications using React 19 and RSC‑aware frameworks.
 
 
Summary
 
  • CVE‑2025‑55182 (React2Shell) is a critical, unauthenticated RCE in React Server Components / Server Functions with a CVSS score of 10.0.

  • It impacts React 19 server packages (react-server-dom-*) and popular frameworks including Next.js 15.x/16.x App Router and several other RSC‑enabled ecosystems.

  • Organizations should upgrade immediately to fixed versions of React, Next.js, and any affected RSC tooling, following the official guidance.

  • In parallel, CloudGuard WAF and open‑appsec have already demonstrated pre‑emptive blocking of the newly released PoC exploit traffic for this CVE, thanks to their contextual, ML‑based detection of deserialization and RCE behavior - providing an important safety net while patches are rolled out and as exploit techniques evolve.

 
 
 
 
 
4 Replies
the_rock
MVP Platinum

Excellent!

Best,
Andy
0 Kudos
Patrice_Roggema
Explorer

Hi Vani,

I understand that Check Point offers protection via WAF and IPS signatures, but is there an official statement from Check Point for all of their products?

Best regards,

Pierre

0 Kudos
PhoneBoy
Admin

We're not vulnerable.

the_rock
MVP Platinum

Excellent.

Best,
Andy
0 Kudos
