On December 3, 2025, the React team disclosed a critical remote code execution (RCE) vulnerability in React Server Components (RSC), tracked as CVE-2025-55182. The vulnerability allows an unauthenticated attacker to send a specially crafted request to an RSC “Server Function” endpoint and potentially execute arbitrary code on the server.
This vulnerability affects applications using React RSC in the following versions:
- 19.0.0
- 19.1.0
- 19.1.1
- 19.2.0
Patched versions are available, and all customers are strongly encouraged to update immediately.
About CVE-2025-55182
According to the React security advisory, the issue stems from unsafe deserialization within React Server Components, where server function payloads were not adequately validated. When exploited, an attacker can execute arbitrary code on the server without authentication.
The NVD entry classifies this vulnerability as Critical, with a CVSS score of 10.0, due to its ease of exploitation and the potential impact on server-side execution.
All organizations using React Server Components — or frameworks that embed RSC capabilities such as Next.js, React Router (RSC mode), Waku, @parcel/rsc, @vitejs/plugin-rsc, or rwsdk — should consider themselves potentially exposed until the relevant patches are applied.
Azure WAF Mitigation to CVE-2025-55182
The primary and most effective mitigation for this vulnerability is to upgrade any unpatched React versions to the latest security-patched releases.
Add a custom WAF rule to mitigate CVE-2025-55182
If you wish to apply a CVE-specific mitigation, you can create custom WAF rules tailored to detect this exploit pattern.
The custom rules' action is set to Block, so we recommend validating them in a test or staging environment before enforcing them in production. All match conditions inside a custom rule are ANDed, so a request is blocked only when it carries the RSC action header the rule selects (next-action or rsc-action-id) and its body contains one of the indicator strings after the Lowercase and UrlDecode transforms have been applied.
Custom rules definition for WAF on Application Gateway and Application Gateway for Containers (the property name negationConditon is spelled as the Azure API expects it):
"customRules": [
  {
    "name": "cve202555182",
    "priority": 1,
    "ruleType": "MatchRule",
    "action": "Block",
    "matchConditions": [
      {
        "matchVariables": [
          {
            "variableName": "PostArgs"
          }
        ],
        "operator": "Contains",
        "negationConditon": false,
        "matchValues": [
          "constructor:",
          "__proto__:",
          "prototype:",
          "_response:"
        ],
        "transforms": [
          "Lowercase",
          "UrlDecode"
        ]
      },
      {
        "matchVariables": [
          {
            "variableName": "RequestHeaders",
            "selector": "next-action"
          }
        ],
        "operator": "Any",
        "negationConditon": false,
        "matchValues": [],
        "transforms": []
      }
    ],
    "skippedManagedRuleSets": [],
    "state": "Enabled"
  },
  {
    "name": "cve202555182ver2",
    "priority": 100,
    "ruleType": "MatchRule",
    "action": "Block",
    "matchConditions": [
      {
        "matchVariables": [
          {
            "variableName": "PostArgs"
          }
        ],
        "operator": "Contains",
        "negationConditon": false,
        "matchValues": [
          "constructor:",
          "__proto__:",
          "prototype:",
          "_response:"
        ],
        "transforms": [
          "Lowercase",
          "UrlDecode"
        ]
      },
      {
        "matchVariables": [
          {
            "variableName": "RequestHeaders",
            "selector": "rsc-action-id"
          }
        ],
        "operator": "Any",
        "negationConditon": false,
        "matchValues": [],
        "transforms": []
      }
    ],
    "skippedManagedRuleSets": [],
    "state": "Enabled"
  }
]
If your Azure WAF is configured with an older ruleset version, such as CRS 2.2.9, CRS 3.0, or CRS 3.1, adding this custom rule may fail. In this case, we strongly recommend upgrading your WAF policy to the next-generation WAF engine by moving to a newer ruleset: either the latest DRS 2.1 (preferred) or the previous CRS 3.2. Once upgraded, you can apply the custom rule described above.
If upgrading your ruleset version is not an option, you can instead use the following alternative rule:
"CustomRules": [
  {
    "Name": "cve202555182",
    "Priority": 1,
    "RuleType": "MatchRule",
    "MatchConditions": [
      {
        "MatchVariables": [
          {
            "VariableName": "PostArgs"
          }
        ],
        "Operator": "Contains",
        "MatchValues": [
          "constructor:",
          "__proto__:",
          "prototype:",
          "_response:"
        ],
        "Transforms": [ "Lowercase", "UrlDecode" ]
      },
      {
        "MatchVariables": [
          {
            "VariableName": "RequestHeaders",
            "Selector": "next-action"
          }
        ],
        "Operator": "Regex",
        "MatchValues": [ "." ],
        "Transforms": [ ]
      }
    ],
    "Action": "Block"
  },
  {
    "Name": "cve202555182ver2",
    "Priority": 2,
    "RuleType": "MatchRule",
    "MatchConditions": [
      {
        "MatchVariables": [
          {
            "VariableName": "PostArgs"
          }
        ],
        "Operator": "Contains",
        "MatchValues": [
          "constructor:",
          "__proto__:",
          "prototype:",
          "_response:"
        ],
        "Transforms": [ "Lowercase", "UrlDecode" ]
      },
      {
        "MatchVariables": [
          {
            "VariableName": "RequestHeaders",
            "Selector": "rsc-action-id"
          }
        ],
        "Operator": "Regex",
        "MatchValues": [ "." ],
        "Transforms": [ ]
      }
    ],
    "Action": "Block"
  }
]
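To check the two Application Gateway rule variants above before turning Block on in production, it helps to see how the match conditions combine. The following Python is an added example written for this page, not Azure's WAF engine and not code from the Azure documentation: it models just enough of the custom-rule shape (matchVariables, operator, matchValues, transforms, negationConditon) to show that the conditions inside one rule are ANDed, that rules are evaluated in ascending priority, and that the Lowercase and UrlDecode transforms catch percent-encoded and mixed-case indicators. The make_rule and legacy_variant helpers and the sample requests are constructed for illustration; the legacy variant mirrors the Regex "." form used on rulesets that lack the Any operator.

```python
"""Offline approximation of the Azure WAF custom rules above (added example,
not the Azure WAF engine): enough of the Application Gateway rule shape to
show ANDed conditions, priority order, and the effect of the transforms."""
import copy
import re
from urllib.parse import unquote

# Indicator strings taken from the custom rules on this page.
INDICATORS = ["constructor:", "__proto__:", "prototype:", "_response:"]


def make_rule(name, priority, header_selector):
    """Build one rule in the same shape as the page's "customRules" entries."""
    return {
        "name": name,
        "priority": priority,
        "ruleType": "MatchRule",
        "action": "Block",
        "matchConditions": [
            {   # condition 1: an indicator appears in a POST argument
                "matchVariables": [{"variableName": "PostArgs"}],
                "operator": "Contains",
                "negationConditon": False,  # spelled as the Azure API spells it
                "matchValues": INDICATORS,
                "transforms": ["Lowercase", "UrlDecode"],
            },
            {   # condition 2: the RSC action header is present at all
                "matchVariables": [{"variableName": "RequestHeaders",
                                    "selector": header_selector}],
                "operator": "Any",
                "negationConditon": False,
                "matchValues": [],
                "transforms": [],
            },
        ],
    }


RULE_NEXT_ACTION = make_rule("cve202555182", 1, "next-action")
RULE_RSC_ACTION = make_rule("cve202555182ver2", 100, "rsc-action-id")


def legacy_variant(rule):
    """Header condition for rulesets without 'Any': Regex '.' on the header value."""
    r = copy.deepcopy(rule)
    r["matchConditions"][1]["operator"] = "Regex"
    r["matchConditions"][1]["matchValues"] = ["."]
    return r


def _apply_transforms(value, transforms):
    for t in transforms:            # applied in the order the rule lists them
        if t == "Lowercase":
            value = value.lower()
        elif t == "UrlDecode":
            value = unquote(value)
    return value


def _extract(request, var):
    """Candidate strings for one match variable (raw, before transforms)."""
    if var["variableName"] == "PostArgs":
        out = []
        for pair in request["body"].split("&"):
            if pair:
                out.extend(pair.split("=", 1))  # argument names and values
        return out
    if var["variableName"] == "RequestHeaders":
        headers = {k.lower(): v for k, v in request["headers"].items()}
        wanted = var["selector"].lower()
        return [headers[wanted]] if wanted in headers else []
    raise ValueError(f"unsupported variable {var['variableName']}")


def _condition_matches(cond, request):
    values = [_apply_transforms(v, cond["transforms"])
              for var in cond["matchVariables"] for v in _extract(request, var)]
    op = cond["operator"]
    if op == "Any":
        hit = bool(values)
    elif op == "Contains":
        hit = any(m in v for v in values for m in cond["matchValues"])
    elif op == "Regex":
        hit = any(re.search(p, v) for v in values for p in cond["matchValues"])
    else:
        raise ValueError(f"unsupported operator {op}")
    return hit != cond["negationConditon"]


def evaluate(rule, request):
    """A rule fires only when every one of its match conditions holds."""
    if all(_condition_matches(c, request) for c in rule["matchConditions"]):
        return rule["action"]
    return "Allow"


def evaluate_policy(rules, request):
    """Rules are tried in ascending priority; the first rule that fires decides."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        verdict = evaluate(rule, request)
        if verdict != "Allow":
            return verdict
    return "Allow"


# Constructed sample requests (not captured traffic).
BENIGN_ACTION = {"headers": {"Next-Action": "abc123"}, "body": "0=%5B%22hello%22%5D"}
ENCODED_HIT = {"headers": {"Next-Action": "abc123"}, "body": "0=x&1=%5F%5Fproto%5F%5F%3Afoo"}
MIXED_CASE_HIT = {"headers": {"RSC-Action-ID": "abc123"}, "body": "1=__PROTO__:foo"}
NO_HEADER = {"headers": {}, "body": "1=__proto__:foo"}

if __name__ == "__main__":
    policy = [RULE_NEXT_ACTION, RULE_RSC_ACTION]
    for label, req in [("benign", BENIGN_ACTION), ("encoded", ENCODED_HIT),
                       ("mixed-case", MIXED_CASE_HIT), ("no header", NO_HEADER)]:
        print(f"{label:10s} -> {evaluate_policy(policy, req)}")
```

The NO_HEADER case is the one worth noticing: the indicator string is present in the body, yet the rule stays quiet because the header condition fails, which is why the two rules each select their own header rather than relying on the body match alone.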
Custom rules definition for WAF on Azure Front Door:
"customRules": [
  {
    "name": "cve202555182",
    "enabledState": "Enabled",
    "priority": 1,
    "ruleType": "MatchRule",
    "rateLimitDurationInMinutes": 1,
    "rateLimitThreshold": 100,
    "matchConditions": [
      {
        "matchVariable": "RequestHeader",
        "selector": "next-action",
        "operator": "Any",
        "negateCondition": false,
        "matchValue": [],
        "transforms": []
      },
      {
        "matchVariable": "RequestHeader",
        "selector": "content-type",
        "operator": "Contains",
        "negateCondition": false,
        "matchValue": [
          "multipart/form-data",
          "application/x-www-form-urlencoded"
        ],
        "transforms": [
          "Lowercase"
        ]
      },
      {
        "matchVariable": "RequestBody",
        "operator": "Contains",
        "negateCondition": false,
        "matchValue": [
          "constructor:",
          "__proto__:",
          "prototype:",
          "_response:"
        ],
        "transforms": [
          "Lowercase",
          "UrlDecode"
        ]
      }
    ],
    "action": "Block",
    "groupBy": []
  },
  {
    "name": "cve202555182ver2",
    "enabledState": "Enabled",
    "priority": 2,
    "ruleType": "MatchRule",
    "rateLimitDurationInMinutes": 1,
    "rateLimitThreshold": 100,
    "matchConditions": [
      {
        "matchVariable": "RequestHeader",
        "selector": "rsc-action-id",
        "operator": "Any",
        "negateCondition": false,
        "matchValue": [],
        "transforms": []
      },
      {
        "matchVariable": "RequestHeader",
        "selector": "content-type",
        "operator": "Contains",
        "negateCondition": false,
        "matchValue": [
          "multipart/form-data",
          "application/x-www-form-urlencoded"
        ],
        "transforms": [
          "Lowercase"
        ]
      },
      {
        "matchVariable": "RequestBody",
        "operator": "Contains",
        "negateCondition": false,
        "matchValue": [
          "constructor:",
          "__proto__:",
          "prototype:",
          "_response:"
        ],
        "transforms": [
          "Lowercase",
          "UrlDecode"
        ]
      }
    ],
    "action": "Block",
    "groupBy": []
  }
]
Built-in protection with Default Rule Set (DRS) 2.1
Azure WAF's latest Default Rule Set, DRS 2.1, can detect some exploitation attempts related to CVE-2025-55182. In some cases, you may see detections raised by SQL injection rules, even though this CVE is not an SQL injection vulnerability. For full mitigation, however, you must still deploy the dedicated CVE-specific custom rules.
You can find more information about custom rules in the Azure WAF documentation for Application Gateway and for Azure Front Door.