Evidence of CVE-2025-55182 Exploitation Attempts

Published: December 4, 2025 at 11:46 AM EST
2 min read
Source: Dev.to

Timeline

  • Dec 3, 2025: CVE‑2025‑55182 disclosed (CVSS 10.0 RCE in React Server Components)
  • Dec 3, 2025 ~19:33 UTC: First exploit attempts hit my server – less than 12 hours from disclosure to active scanning.

My app has zero SEO and virtually no traffic, so if I got hit, larger platforms likely did as well.

What I observed

In my logs I saw three separate attackers, with different IPs and techniques:

Rapid‑fire GET requests to /login – 90+ requests within seconds

Dec 4 attack sequence – reconnaissance followed by exploit attempts

Attacker 1 (Dec 3 ~19:33 UTC) – Rapid‑fire probing + exploit attempts

  • 90+ GET requests to /login within seconds
  • Switched to POST requests (the actual exploit payloads)
  • Empty User‑Agent
  • Origin: Asia‑Southeast

Attacker 1

Attacker 2? (Dec 4 ~06:37 UTC) – Reconnaissance (maybe)

  • Probing /config.json, /robots.txt, /sitemap.xml, /.env, /.git/config
  • Spoofed browser User‑Agent
  • Origin: US‑West

Attacker 3 (Dec 4 ~07:26 UTC) – CVE‑2025‑55182 exploit attempt

  • Targeted /login and /formaction
  • User‑Agent: CVE-2025-55182-Exploit/12.0
  • Header Next-Action: true (targeting Server Actions)
  • Origin: Asia‑Southeast
  • Multiple POST requests with ~1000‑byte payloads

Attacker 3 – User‑Agent explicitly naming CVE‑2025‑55182‑Exploit
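The indicators listed above, turned into detection logic over structured access logs. This is an added example, not the author's code: it assumes a JSON-per-line log with the fields ts (epoch seconds), ip, method, path, ua and next_action (the value of the Next-Action request header, or null), and the IPs and timestamps in the sample data are constructed.

```python
import json
from collections import defaultdict

# Probing these alone is suspicious; /robots.txt and /sitemap.xml (also probed in the
# post) are left out because legitimate crawlers request them constantly.
SENSITIVE_PATHS = {"/config.json", "/.env", "/.git/config"}

def build_sample_log():
    """Constructed JSON access-log lines modelled on the three attackers in the post."""
    base, ev = 1764790380, []  # ~2025-12-03 19:33 UTC (constructed timestamp)
    # Attacker 1: 90 GETs to /login in ~9 s, then a POST, all with an empty User-Agent.
    for i in range(90):
        ev.append({"ts": base + i // 10, "ip": "198.51.100.7", "method": "GET",
                   "path": "/login", "ua": "", "next_action": None})
    ev.append({"ts": base + 12, "ip": "198.51.100.7", "method": "POST",
               "path": "/login", "ua": "", "next_action": None})
    # Attacker 2: reconnaissance of well-known files behind a browser-like User-Agent.
    for j, p in enumerate(sorted(SENSITIVE_PATHS | {"/robots.txt", "/sitemap.xml"})):
        ev.append({"ts": base + 40000 + j, "ip": "203.0.113.9", "method": "GET",
                   "path": p, "ua": "Mozilla/5.0", "next_action": None})
    # Attacker 3: POSTs carrying Next-Action to routes that do not exist in the app.
    for p in ("/login", "/formaction"):
        ev.append({"ts": base + 43000, "ip": "198.51.100.21", "method": "POST",
                   "path": p, "ua": "CVE-2025-55182-Exploit/12.0", "next_action": "true"})
    return [json.dumps(e) for e in ev]

def analyze(lines, known_routes=frozenset(), burst_threshold=30, burst_window=10):
    """Return {ip: sorted indicator tags}; known_routes are paths that legitimately take Server Actions."""
    tags, hits = defaultdict(set), defaultdict(list)
    for line in lines:
        e = json.loads(line)
        ip, path, ua = e["ip"], e["path"], e.get("ua") or ""
        if "cve-2025-55182" in ua.lower():
            tags[ip].add("exploit_ua")           # self-identifying tool string
        if e["method"] == "POST" and e.get("next_action") is not None and path not in known_routes:
            tags[ip].add("server_action_probe")  # Next-Action sent to a route with no action
        if e["method"] == "POST" and ua == "":
            tags[ip].add("empty_ua_post")
        if path in SENSITIVE_PATHS:
            tags[ip].add("recon")
        hits[(ip, path)].append(e["ts"])
    for (ip, _), ts in hits.items():
        ts.sort()  # sliding window: burst_threshold requests to one path within burst_window seconds
        if any(ts[i + burst_threshold - 1] - ts[i] <= burst_window
               for i in range(len(ts) - burst_threshold + 1)):
            tags[ip].add("burst")
    return {ip: sorted(t) for ip, t in tags.items()}

if __name__ == "__main__": print(analyze(build_sample_log()))
```

Tune burst_threshold and burst_window to the app's normal traffic, and pass the routes that really expose Server Actions as known_routes so that legitimate Next-Action requests are not flagged.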

My Analysis

Every request returned 404, 500, or 307, and none succeeded in executing code.

  • 307 (Redirect): My middleware intercepted requests to unknown paths and redirected them before they reached any Server Action. The payload never reached the vulnerable RSC deserialization layer.
  • 404 (Not Found): The targeted routes (/login, /formaction) do not exist in this app.
  • 500 (Server Error): Requests crashed with “Connection closed” before completing.

Important: At the time, Cloudflare did not block anything; it passed traffic straight through. My own middleware was the only protection—pure luck.

Closing

The Snyk advisory states “no exploitation in the wild has been publicly confirmed.” This post serves as that confirmation.

If a tiny, unknown app was sprayed within hours of disclosure, production apps are likely being scanned right now. Patch immediately!
