Intel Name: Critical vulnerabilities in React and Next.js: CVE-2025-55182
Date of Scan: December 5, 2025
Impact: High
Summary:
CVE-2025-55182 is a critical prototype-pollution vulnerability affecting React Server Components (RSC) and Next.js Server Actions. Attackers can inject special object-manipulation properties—such as __proto__ or constructor—into RSC headers, parameters, or JSON request bodies. When these polluted objects are processed during React Flight or Server Action serialization, they can corrupt internal application state and potentially achieve remote code execution. Security detections focus on identifying these malicious keys in both clear-text and escaped JSON forms, especially when paired with RSC or Server Action indicators like Next-Action headers.
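One way to express the detection described in the summary, as an added Python example that is not part of the original advisory: it peels URL encoding and JSON escaping, looks for the two keys used as JSON keys or parameter names, and raises the verdict only when a Next-Action header is present. The function names, verdict labels and the three-round normalization limit are assumptions.

```python
import re
from urllib.parse import unquote

# Key names and the Next-Action header come from the summary; the rest is assumed.
POLLUTION_KEYS = r"(?:__proto__|constructor)"
KEY_AS_JSON = re.compile(r'"(' + POLLUTION_KEYS + r')"\s*:')
KEY_AS_PARAM = re.compile(r"(?:^|[&?\[.])(" + POLLUTION_KEYS + r")[\]\[.=]")
UNICODE_ESCAPE = re.compile(r"\\+u([0-9a-fA-F]{4})")
ESCAPED_QUOTE = re.compile(r'\\+"')
ACTION_HEADERS = {"next-action"}  # Server Action indicator, matched case-insensitively


def normalize(text, rounds=3):
    """Peel URL encoding and JSON string escaping until the text stops changing."""
    for _ in range(rounds):
        before = text
        text = unquote(text)
        text = UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
        text = ESCAPED_QUOTE.sub('"', text)
        if text == before:
            break
    return text


def find_keys(text):
    """Return the sorted pollution keys used as a JSON key or a parameter name."""
    flat = normalize(text)
    hits = {m.group(1) for m in KEY_AS_JSON.finditer(flat)}
    hits |= {m.group(1) for m in KEY_AS_PARAM.finditer(flat)}
    return sorted(hits)


def scan_request(headers, query="", body=""):
    """Classify one request: 'alert' needs both a key hit and an action header."""
    lowered = {k.lower(): v for k, v in headers.items()}
    paired = any(h in lowered for h in ACTION_HEADERS)
    hits = {}
    fields = [("query", query), ("body", body)]
    fields += [("header:" + k, v) for k, v in lowered.items()]
    for where, value in fields:
        keys = find_keys(value)
        if keys:
            hits[where] = keys
    verdict = "alert" if hits and paired else "review" if hits else "clean"
    return {"verdict": verdict, "hits": hits}
```

A legitimate JSON field that happens to be named constructor will also match, so the "review" tier is expected to need tuning against real traffic.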