Evidence of CVE-2025-55182 Exploitation attempts

#nextjs #react #security #vulnerabilities

I'm a solo developer running a small Next.js 15 app in beta. Not a security researcher, I just happened to be at the wrong place at the right time.

Timeline

Dec 3, 2025: CVE-2025-55182 disclosed (CVSS 10.0 RCE in React Server Components)
Dec 3, 2025 ~19:33 UTC: First exploit attempts hit my server
Less than 12 hours from disclosure to active scanning

My app has zero SEO and virtually no traffic. So if I got hit, there is a good chance larger platforms did as well.

What I observed

In my logs I saw what appeared to be three separate attackers, different IPs and techniques:

Attacker 1 (Dec 3 ~19:33 UTC) — Rapid-fire probing + exploit attempts

90+ GET requests to /login within seconds
Switched to POST requests (the actual exploit payloads)
Empty User-Agent
Origin: Asia-Southeast

Attacker 2? (Dec 4 ~06:37 UTC) — Reconnaissance (maybe)

Probing /config.json, /robots.txt, /sitemap.xml, /.env, /.git/config
Spoofed browser User-Agent
Origin: US-West

Attacker 3 (Dec 4 ~07:26 UTC) — CVE-2025-55182 exploit attempt

Targeted /login and /formaction
User-Agent: CVE-2025-55182-Exploit/12.0
Next-Action: true header (targeting Server Actions)
Origin: Asia-Southeast
Multiple POST requests with ~1000 byte payloads

My Analysis

Every request returned 404, 500, or 307, and after thorough investigation it didn't seem they were able to successfully execute any code.

307 (Redirect): My middleware intercepted requests to unknown paths and redirected them before they reached any Server Action. The payload never got to the vulnerable RSC deserialization layer.
404 (Not Found): The routes they targeted (/login, /formaction) don't exist on this app.
500 (Server Error): Requests crashed with "Connection closed" before completing.

IMPORTANT: At this point in time Cloudflare didn't block anything, it passed straight through. My own middleware was the only protection. But quite frankly this was pure luck.