
Impart deploys protection for React Server Components vulnerability

Marc Harrison
12.3.2025 • 2 min read

Impart has deployed new protection for CVE-2025-55182, a critical remote code execution vulnerability affecting React Server Components (RSC) and frameworks such as Next.js and React Router. This protection also addresses the related vulnerability CVE-2025-66478.

All Impart customers are protected immediately. This rule is part of our CVE Protection ruleset and is enabled by default across all environments.

What you need to know

A recently disclosed vulnerability in React’s server component runtime allows attackers to send crafted payloads that can trigger unsafe deserialization on the server. Applications using React 19.0 through 19.2.0 or affected frameworks may be exposed even if they do not explicitly use Server Functions.

Impart has released an update to our default CVE Protection ruleset that identifies and blocks malicious RSC exploitation attempts inline. This coverage is active across all Impart-managed ingress paths and requires no customer configuration.

We strongly recommend customers still upgrade to the patched versions of React and Next.js as advised by the React team.

How the Impart rule works

CVE-2025-55182 is unusual because exploitation attempts closely resemble legitimate React Flight protocol traffic. There is no single signature or pattern that cleanly distinguishes malicious payloads from valid RSC requests. Effective protection requires behavioral analysis rather than static matching.

Impart’s detection engine applies a multi-factor approach designed for this class of vulnerability. The rule evaluates multiple request dimensions, including body, headers, and query parameters, to identify combinations of signals that together indicate malicious intent. These include protocol-level anomalies, suspicious serialization patterns, and indicators associated with unsafe API access or obfuscation techniques.

Instead of relying on a single “smoking gun,” the rule applies a confidence-based model. When multiple strong signals appear together, the request is flagged and blocked with high confidence. When a single weaker signal is observed, the request is logged for visibility without affecting user traffic. This reduces false positives while preserving precise detection of real exploit attempts.

This approach gives customers protection that is both sophisticated and safe for production workloads.
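
The confidence model described above, sketched as an added example; it is not Impart's rule code and does not come from the post. The signal names, predicates and sample requests are constructed stand-ins, and treating a lone strong signal as log-only is an assumption the post does not state.

```typescript
// Added illustration of a confidence-based decision; signals are constructed
// stand-ins, not Impart's rule logic and not signatures for CVE-2025-55182.
type Action = "block" | "log" | "allow";
interface Req { headers: Record<string, string>; query: string; body: string }
interface Signal { name: string; strong: boolean; test: (r: Req) => boolean }

const SIGNALS: Signal[] = [
  // Protocol-level anomaly: multipart declared, boundary absent from the body.
  { name: "multipart-boundary-mismatch", strong: true, test: (r) => {
      const m = /boundary=([^;]+)/.exec(r.headers["content-type"] || "");
      return m !== null && r.body.indexOf(m[1]) === -1;
    } },
  // Suspicious serialization pattern: prototype-related keys in serialized data.
  { name: "prototype-key-in-body", strong: true,
    test: (r) => /"(__proto__|constructor|prototype)"\s*:/.test(r.body) },
  // Obfuscation: double percent-encoding in the query string.
  { name: "double-encoded-query", strong: false,
    test: (r) => /%25[0-9a-fA-F]{2}/.test(r.query) },
  // Obfuscation: printable ASCII written as \u00XX escapes in the body.
  { name: "escaped-ascii-in-body", strong: false,
    test: (r) => /\\u00[2-7][0-9a-fA-F]/.test(r.body) },
];

function evaluate(r: Req): { action: Action; matched: string[] } {
  const hits = SIGNALS.filter((s) => s.test(r));
  const matched = hits.map((s) => s.name);
  // Multiple strong signals together: block with high confidence.
  if (hits.filter((s) => s.strong).length >= 2) return { action: "block", matched };
  // Assumption: any lesser combination (one strong, or only weak) is log-only.
  if (hits.length > 0) return { action: "log", matched };
  return { action: "allow", matched };
}

// Constructed sample requests (not captured traffic).
const SAMPLES: Record<string, Req> = {
  clean: { headers: { "content-type": "multipart/form-data; boundary=abc123" },
           query: "page=1", body: '--abc123\r\n{"id":1}\r\n--abc123--' },
  oneWeak: { headers: { "content-type": "application/json" },
             query: "next=%252Fhome", body: '{"id":1}' },
  twoStrong: { headers: { "content-type": "multipart/form-data; boundary=abc123" },
               query: "", body: '{"__proto__": {"x": 1}}' },
};

for (const name of Object.keys(SAMPLES)) {
  console.log(name, JSON.stringify(evaluate(SAMPLES[name])));
}
```

Logging the matched signal names alongside the action is what lets a log-only hit be reviewed later without having affected the request.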

How Impart shipped protection quickly

Impart’s WASM-based rule engine lets us publish new protections in minutes. Rules are written in AssemblyScript, tested in simulation, and deployed through CI/CD with zero downtime. Each inspector compiles the updated WASM ahead of time, ensuring fast, deterministic enforcement at sub-10 ms latency.

What happens next

Impart will continue monitoring for exploit variations or evasions. Because this vulnerability involves unsafe deserialization, attackers may experiment with alternate payload shapes or encodings. Our team can update protections quickly as new patterns emerge.

If you have questions about your exposure or need help assessing your applications, your Impart representative can assist.

Protecting modern applications at runtime

Impart delivers runtime protection for applications, APIs, and AI interfaces at the speed modern teams operate. We help organizations discover exposure, govern posture, and block real threats without slowing down engineering.

To learn more about how Impart protects applications in production, visit www.impart.ai. If you are interested in joining our mission to modernize runtime security, explore opportunities on our careers page.
