Critical Vulnerabilities in React and Next.js: CVE-2025-55182

    Date: 12/05/2025

    Severity: Critical

    Summary

    CVE-2025-55182 is a critical prototype-pollution vulnerability affecting React Server Components (RSC) and Next.js Server Actions. Attackers can inject special object-manipulation properties—such as __proto__ or constructor—into RSC headers, parameters, or JSON request bodies. When these polluted objects are processed during React Flight or Server Action serialization, they can corrupt internal application state and potentially achieve remote code execution. Security detections focus on identifying these malicious keys in both clear-text and escaped JSON forms, especially when paired with RSC or Server Action indicators like Next-Action headers.

    Indicators of Compromise (IOC) List

    Request method: POST

    http_headers: RSC: 1 ; Next-Action

    cs-uri-query: _rsc=

    http_content_type: text/x-component

    request_body: __proto__ ; "constructor" ; "prototype" ; '\u005f\u005fproto\u005f\u005f' ; '\\u005f\\u005fproto\\u005f\\u005f'

    sc-status: 500

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    datasourcename in ("Proxy") AND (httpheaders like "RSC: 1" AND csuriquery like "_rsc=" AND httpcontenttype like "text/x-component") AND (requestbody like "__proto__" OR (requestbody like "\"constructor\"" OR requestbody like "\"prototype\"" OR requestbody like "\u005f\u005fproto\u005f\u005f" OR requestbody like "\\u005f\\u005fproto\\u005f\\u005f"))

    Detection Query 2:

    datasourcename in ("Proxy") AND (httpheaders like "RSC: 1" AND csuriquery like "_rsc=" AND httpcontenttype like "text/x-component") AND scstatus = "500" AND (requestbody like "__proto__" OR (requestbody like "\"constructor\"" OR requestbody like "\"prototype\"" OR requestbody like "\u005f\u005fproto\u005f\u005f" OR requestbody like "\\u005f\\u005fproto\\u005f\\u005f"))

    Detection Query 3:

    datasourcename in ("Proxy") AND ((httpheaders like "Next-Action" OR httpheaders like "RSC: 1") AND requestmethod = "POST") AND (requestbody like "\"__proto__\"" OR requestbody like "\u005f\u005fproto\u005f\u005f" OR requestbody like "\\u005f\\u005fproto\\u005f\\u005f" OR requestbody like "\"constructor\"" OR requestbody like "\"prototype\"")

    Detection Query 4:

    datasourcename in ("Proxy") AND requestmethod = "POST" AND ((httpheaders like "Next-Action" OR httpheaders like "RSC: 1") AND csuriquery like "_rsc=" AND httpcontenttype like "text/x-component") AND (requestbody like "\"__proto__\"" OR requestbody like "\"constructor\"" OR requestbody like "\"prototype\"" OR requestbody like "\u005f\u005fproto\u005f\u005f" OR requestbody like "\u0063\u006f\u006e\u0073\u0074\u0072\u0075\u0063\u0074\u006f\u0072")
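    The same detection logic as the queries above, run over proxy records in Python as an added example (not Gurucul's code or queries). The record field names and sample bodies are constructed for the example; it goes beyond the fixed patterns in the queries by decoding any \uXXXX escape (single or double backslash) before matching and by requiring the key to appear as a JSON property name rather than anywhere in the body.

```python
import re
from typing import Dict, List

# Property names that pollute Object.prototype when an attacker-controlled
# object graph is merged server-side (the keys listed in the IOC section).
POLLUTION_KEYS = ("__proto__", "constructor", "prototype")
# JSON \uXXXX escapes, single-backslash or the double-backslash form seen
# when an already-escaped body is itself logged as a JSON string.
_UNICODE_ESCAPE = re.compile(r"\\{1,2}u([0-9a-fA-F]{4})")

def normalize_body(body: str) -> str:
    """Decode \\uXXXX escapes so obfuscated keys compare as clear text."""
    return _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), body)

def has_rsc_indicator(rec: Dict[str, str]) -> bool:
    """RSC / Server Action traffic: a POST carrying RSC: 1 or Next-Action."""
    headers = rec.get("http_headers", "").lower()
    is_post = rec.get("request_method", "").upper() == "POST"
    return is_post and ("rsc: 1" in headers or "next-action" in headers)

def find_pollution_keys(body: str) -> List[str]:
    """Pollution keys used as JSON property names in the decoded body."""
    decoded = normalize_body(body)
    # Require quoted key + colon: a property name, not a value that merely
    # contains the word (the main false-positive source of substring rules).
    return [k for k in POLLUTION_KEYS
            if re.search(r'"' + re.escape(k) + r'"\s*:', decoded)]

def is_suspicious(rec: Dict[str, str]) -> bool:
    """Alert only when the traffic indicator and a polluting key coincide."""
    return has_rsc_indicator(rec) and bool(
        find_pollution_keys(rec.get("request_body", "")))

def scan(records: List[Dict[str, str]]) -> List[int]:
    """Indices of records that should raise an alert."""
    return [i for i, rec in enumerate(records) if is_suspicious(rec)]

# Constructed sample proxy records (field names chosen for this example).
SAMPLE_LOGS = [
    {"request_method": "POST", "http_headers": "RSC: 1\r\nNext-Action: 7f3a",
     "request_body": '{"a":{"__proto__":{"polluted":true}}}', "sc_status": "500"},
    {"request_method": "POST", "http_headers": "Next-Action: 7f3a",
     "request_body": '{"\\\\u005f\\\\u005fproto\\\\u005f\\\\u005f":{"x":1}}'},
    {"request_method": "POST", "http_headers": "Next-Action: 7f3a",
     "request_body": '{"constructor":{"prototype":{"y":1}}}'},
    {"request_method": "GET", "http_headers": "Accept: */*", "request_body": ""},
    {"request_method": "POST", "http_headers": "Next-Action: 7f3a",
     "request_body": '{"note":"read about __proto__ in the docs"}'},
]
```

    The last sample record would match the substring forms in the queries above but is ignored here because the word is a value, not a key; Query 2's sc-status = 500 correlation can be applied as a further filter on the records scan() returns.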
