CVE-2025-55182: RCE in React Server Components
Bulletin ID: AWS-2025-030
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2025/12/03 19:45 PM PST
Description:
AWS is aware of the recently disclosed CVE-2025-55182, which affects the React Server Flight protocol in React versions 19.0, 19.1, and 19.2, as well as in Next.js versions 15.x and 16.x, and in Next.js 14.3.0-canary.77 and later canary releases, when using App Router. This issue may permit unauthorized remote code execution (RCE) on affected application servers.
AWS is aware of CVE-2025-66478, which has been rejected as a duplicate of CVE-2025-55182.
Regardless of whether customers are using a fully managed AWS service, if customers are running an affected version of React or Next.js in their environments, they should update to the latest patched versions immediately.
- Customers using React 19.x with Server Functions and RSC Components should update to the corresponding patched version: 19.0.1, 19.1.2, or 19.2.1.
- Customers using Next.js 15.x or 16.x with App Router should update to a patched version.
The default version (1.24) of the AWS WAF "AWSManagedRulesKnownBadInputsRuleSet" now includes the updated rule for this issue. As an interim protection measure, customers can deploy a custom AWS WAF rule to help detect and prevent exploitation attempts where applicable. See "Adding a custom AWS WAF rule" below.
AWS is actively monitoring for updates on this issue. If you need additional details or assistance, please open an AWS Support case.
Adding a custom AWS WAF (Web Application Firewall) rule
To add defense-in-depth against this issue, you can deploy a custom AWS WAF rule. The following AWS WAF rule is currently set to BLOCK. We recommend testing this custom rule to ensure it does not cause disruptions in your environment.
{
  "Name": "ReactJSRCE_CUSTOM",
  "Priority": 99,
  "Statement": {
    "AndStatement": {
      "Statements": [
        {
          "RegexMatchStatement": {
            "RegexString": "POST",
            "FieldToMatch": {
              "Method": {}
            },
            "TextTransformations": [
              {
                "Priority": 0,
                "Type": "NONE"
              }
            ]
          }
        },
        {
          "RegexMatchStatement": {
            "RegexString": "(?i)(?:next-action|rsc-action-id)",
            "FieldToMatch": {
              "Headers": {
                "MatchPattern": {
                  "All": {}
                },
                "MatchScope": "KEY",
                "OversizeHandling": "CONTINUE"
              }
            },
            "TextTransformations": [
              {
                "Priority": 0,
                "Type": "NONE"
              }
            ]
          }
        },
        {
          "RegexMatchStatement": {
            "RegexString": "(?i)\"status\"\\s*:\\s*\"resolved_model\"",
            "FieldToMatch": {
              "Body": {
                "OversizeHandling": "CONTINUE"
              }
            },
            "TextTransformations": [
              {
                "Priority": 0,
                "Type": "URL_DECODE_UNI"
              },
              {
                "Priority": 1,
                "Type": "JS_DECODE"
              },
              {
                "Priority": 2,
                "Type": "UTF8_TO_UNICODE"
              }
            ]
          }
        },
        {
          "RegexMatchStatement": {
            "RegexString": "\\$\\@",
            "FieldToMatch": {
              "Body": {
                "OversizeHandling": "CONTINUE"
              }
            },
            "TextTransformations": [
              {
                "Priority": 0,
                "Type": "URL_DECODE_UNI"
              },
              {
                "Priority": 1,
                "Type": "JS_DECODE"
              },
              {
                "Priority": 2,
                "Type": "UTF8_TO_UNICODE"
              }
            ]
          }
        }
      ]
    }
  },
  "Action": {
    "Block": {}
  },
  "RuleLabels": [
    {
      "Name": "ReactJSRCE_Custom"
    }
  ],
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "ReactJS_Custom"
  }
}
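The bulletin recommends testing the rule before relying on it. The following is an added example (not AWS code) that dry-runs the rule's AndStatement logic locally against constructed sample requests, so you can see which of the four conditions a request trips before deploying to a web ACL; the text transformations are an approximation of the WAF behaviour, not the WAF engine itself.

```python
import re
from urllib.parse import unquote

# The four RegexMatchStatements from the bulletin's rule: (field, regex, text transformations).
CONDITIONS = [
    ("method", r"POST", []),
    ("header_keys", r"(?i)(?:next-action|rsc-action-id)", []),
    ("body", r'(?i)"status"\s*:\s*"resolved_model"',
     ["URL_DECODE_UNI", "JS_DECODE", "UTF8_TO_UNICODE"]),
    ("body", r"\$\@", ["URL_DECODE_UNI", "JS_DECODE", "UTF8_TO_UNICODE"]),
]

def transform(text, transformations):
    """Approximate the AWS WAF text transformations in priority order (not the WAF engine)."""
    for t in transformations:
        if t == "URL_DECODE_UNI":
            # %uXXXX form first, then standard %XX decoding
            text = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
            text = unquote(text)
        elif t == "JS_DECODE":
            # JavaScript \xHH and \uHHHH escapes
            text = re.sub(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})",
                          lambda m: chr(int(m.group(1) or m.group(2), 16)), text)
        elif t == "UTF8_TO_UNICODE":
            pass  # input is already a decoded str; byte-level normalisation is not modelled
    return text

def field_value(request, field):
    """Pull the field a statement inspects; header_keys models MatchScope KEY over All headers."""
    if field == "method":
        return request["method"]
    if field == "header_keys":
        return "\n".join(request.get("headers", {}))
    return request.get("body", "")

def rule_matches(request):
    """AndStatement semantics: the rule fires only when every condition matches."""
    return all(re.search(rx, transform(field_value(request, f), tf)) for f, rx, tf in CONDITIONS)

# Constructed sample requests (not captured traffic) for a dry run of the rule.
BENIGN_ACTION = {"method": "POST", "headers": {"Next-Action": "abc123"}, "body": '["hello"]'}
NO_ACTION_HEADER = {"method": "POST", "headers": {}, "body": '{"status": "resolved_model"} $@'}
FLAGGED = {"method": "POST", "headers": {"next-action": "abc123"},
           "body": '{"status" : "resolved_model"} $@'}
FLAGGED_ENCODED = {"method": "POST", "headers": {"rsc-action-id": "abc123"},
                   "body": "%22status%22%3A%22resolved_model%22%20%24%40"}

if __name__ == "__main__":
    for name, req in [("benign action", BENIGN_ACTION), ("no action header", NO_ACTION_HEADER),
                      ("flagged", FLAGGED), ("flagged, url-encoded", FLAGGED_ENCODED)]:
        print(f"{name}: {'BLOCK' if rule_matches(req) else 'allow'}")
```

Because the rule sets OversizeHandling to CONTINUE, AWS WAF evaluates only the inspected portion of a body that exceeds the web ACL's body size limit, whereas this dry run reads the whole body.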
Please email aws-security@amazon.com with any security questions or concerns.