Please subscribe to this blog as we will be updating the suggested rules as new attack permutations are found.
On December 3, 2025, the React team disclosed a critical remote code execution (RCE) vulnerability in React Server Components (RSC), tracked as CVE-2025-55182. The vulnerability allows an unauthenticated attacker to send a specially crafted request to an RSC “Server Function” endpoint and potentially execute arbitrary code on the server.
This vulnerability affects applications using React RSC in the following versions:
- 19.0.0
- 19.1.0
- 19.1.1
- 19.2.0
Patched versions are available, and all customers are strongly encouraged to update immediately.
About CVE-2025-55182
According to the React security advisory, the issue stems from unsafe deserialization within React Server Components, where server function payloads were not adequately validated. When exploited, an attacker can execute arbitrary code on the server without authentication.
The NVD entry classifies this vulnerability as Critical, with a CVSS score of 10.0, due to its ease of exploitation and the potential impact on server-side execution.
All organizations using React Server Components — or frameworks that embed RSC capabilities such as Next.js, React Router (RSC mode), Waku, @parcel/rsc, @vitejs/plugin-rsc, or rwsdk — should consider themselves potentially exposed until the relevant patches are applied.
Azure WAF Mitigation to CVE-2025-55182
The primary and most effective mitigation for this vulnerability is to upgrade any unpatched React versions to the latest security-patched releases.
Mitigation on WAF on Application Gateway or Application Gateway for Containers
If you are using the latest and recommended ruleset Default Rule Set (DRS) 2.1, a new CVE-specific rule has been added to Azure WAF on Application Gateway and Application Gateway for Containers. Ensure that this rule remains enabled and retains its default Anomaly Score action.
- Rule ID: 99001018
- Rule Description: Attempted React2Shell remote code execution exploitation (CVE-2025-55182)
If you are using an older ruleset version such as CRS 3.2, CRS 3.1, or CRS 3.0, it is strongly recommended to upgrade to DRS 2.1. If upgrading is not currently possible, you can create custom WAF rules to detect this exploit pattern. These custom rules are configured with a Block action. We recommend validating them in a test or staging environment before enforcing them in production.
Custom rules definition for WAF on Application Gateway and Application Gateway for Containers:
"customRules": [
{
"name": "cve202555182",
"priority": 1,
"ruleType": "MatchRule",
"action": "Block",
"matchConditions": [
{
"matchVariables": [
{
"variableName": "PostArgs"
}
],
"operator": "Contains",
"negationConditon": false,
"matchValues": [
"constructor",
"__proto__",
"prototype",
"_response"
],
"transforms": [
"Lowercase",
"UrlDecode",
"RemoveNulls"
]
},
{
"matchVariables": [
{
"variableName": "RequestHeaders",
"selector": "next-action"
}
],
"operator": "Any",
"negationConditon": false,
"matchValues": [],
"transforms": []
}
],
"skippedManagedRuleSets": [],
"state": "Enabled"
},
{
"name": "cve202555182ver2",
"priority": 100,
"ruleType": "MatchRule",
"action": "Block",
"matchConditions": [
{
"matchVariables": [
{
"variableName": "PostArgs"
}
],
"operator": "Contains",
"negationConditon": false,
"matchValues": [
"constructor",
"__proto__",
"prototype",
"_response"
],
"transforms": [
"Lowercase",
"UrlDecode",
"RemoveNulls"
]
},
{
"matchVariables": [
{
"variableName": "RequestHeaders",
"selector": "rsc-action-id"
}
],
"operator": "Any",
"negationConditon": false,
"matchValues": [],
"transforms": []
}
],
"skippedManagedRuleSets": [],
"state": "Enabled"
}
],If your Azure WAF is configured with an older ruleset version, such as CRS 2.2.9, CRS 3.0, or CRS 3.1, adding these custom rules may fail if your WAF runs on the old WAF engine. In this case, we strongly recommend upgrading your WAF policy to the next-generation WAF engine by moving to a newer ruleset: either to the latest DRS 2.1 which includes the built-in managed rule (preferred) or to the previous CRS 3.2, then apply the custom rules described above.
If upgrading your ruleset version is not an option, and your WAF remains on the old WAF engine, you can instead use the following alternative rules:
"CustomRules": [
{
"Name": "cve202555182",
"Priority": 1,
"RuleType": "MatchRule",
"MatchConditions": [
{
"MatchVariables": [
{
"VariableName": "PostArgs"
}
],
"Operator": "Contains",
"MatchValues": [
"constructor",
"__proto__",
"prototype",
"_response"
],
"Transforms": [
"Lowercase",
"UrlDecode",
"RemoveNulls"
]
},
{
"MatchVariables": [
{
"VariableName": "RequestHeaders",
"Selector": "next-action"
}
],
"Operator": "Regex",
"MatchValues": [
"."
],
"Transforms": []
}
],
"Action": "Block"
},
{
"Name": "cve202555182ver2",
"Priority": 2,
"RuleType": "MatchRule",
"MatchConditions": [
{
"MatchVariables": [
{
"VariableName": "PostArgs"
}
],
"Operator": "Contains",
"MatchValues": [
"constructor",
"__proto__",
"prototype",
"_response"
],
"ATransforms": [
"Lowercase",
"UrlDecode",
"RemoveNulls"
]
},
{
"MatchVariables": [
{
"VariableName": "RequestHeaders",
"Selector": "rsc-action-id"
}
],
"Operator": "Regex",
"MatchValues": [
"."
],
"Transforms": []
}
],
"Action": "Block"
}
]Mitigation for WAF on Azure Front Door:
If you are using WAF on Azure Front Door, you can create custom WAF rules to detect this exploit pattern. These custom rules are configured with a Block action. We recommend validating them in a test or staging environment before enforcing them in production.
"customRules": [
{
"name": "cve202555182",
"enabledState": "Enabled",
"priority": 1,
"ruleType": "MatchRule",
"rateLimitDurationInMinutes": 1,
"rateLimitThreshold": 100,
"matchConditions": [
{
"matchVariable": "RequestHeader",
"selector": "next-action",
"operator": "Any",
"negateCondition": false,
"matchValue": [],
"transforms": []
},
{
"matchVariable": "RequestHeader",
"selector": "content-type",
"operator": "Contains",
"negateCondition": false,
"matchValue": [
"multipart/form-data",
"application/x-www-form-urlencoded"
],
"transforms": [
"Lowercase"
]
},
{
"matchVariable": "RequestBody",
"operator": "Contains",
"negateCondition": false,
"matchValue": [
"constructor",
"__proto__",
"prototype",
"_response"
],
"transforms": [
"Lowercase",
"UrlDecode",
"RemoveNulls"
]
}
],
"action": "Block",
"groupBy": []
},
{
"name": "cve202555182ver2",
"enabledState": "Enabled",
"priority": 2,
"ruleType": "MatchRule",
"rateLimitDurationInMinutes": 1,
"rateLimitThreshold": 100,
"matchConditions": [
{
"matchVariable": "RequestHeader",
"selector": "rsc-action-id",
"operator": "Any",
"negateCondition": false,
"matchValue": [],
"transforms": []
},
{
"matchVariable": "RequestHeader",
"selector": "content-type",
"operator": "Contains",
"negateCondition": false,
"matchValue": [
"multipart/form-data",
"application/x-www-form-urlencoded"
],
"transforms": [
"Lowercase"
]
},
{
"matchVariable": "RequestBody",
"operator": "Contains",
"negateCondition": false,
"matchValue": [
"constructor",
"__proto__",
"prototype",
"_response"
],
"transforms": [
"Lowercase",
"UrlDecode",
"RemoveNulls"
]
}
],
"action": "Block",
"groupBy": []
}
]
You can find more information about Custom Rules on Azure WAF for Application Gateway here or for Azure Front Door here.
Changelog
- 12/20/2025 11:00 PST - Updated built-in managed rule on WAF for Application Gateway and Application Gateway for Containers
- 12/7/2025 23:30 PST - Updated custom rules to detect additional attack permutation
- 12/5/2025 17:45 PST - Updated custom rules to include additional transform "RemoveNulls".
Microsoft