The AWS WAF managed rule group "AWSManagedRulesKnownBadInputsRuleSet" now includes a rule that mitigates the React Server Components vulnerability CVE-2025-55182
React Server Components vulnerability (CVE-2025-55182)
Vercel has published the following blog post.
It urges users to upgrade Next.js because of the upstream React Server Components vulnerability (CVE-2025-55182), which carries a CVSS score of 10.0.
Mitigation with AWS WAF
A rule that mitigates the risk arising from this vulnerability had already been added to the AWS WAF managed rule group AWSManagedRulesKnownBadInputsRuleSet.
The rule is named ReactJSRCE_BODY; as with the other *_BODY rules in this group, the suffix indicates that it inspects the request body. It can be confirmed with the AWS CLI:
aws wafv2 describe-managed-rule-group \
--vendor-name "AWS" \
--name "AWSManagedRulesKnownBadInputsRuleSet" \
--scope "REGIONAL"
$ aws wafv2 describe-managed-rule-group --vendor-name "AWS" --name "AWSManagedRulesKnownBadInputsRuleSet" --scope "REGIONAL"
{
"SnsTopicArn": "arn:aws:sns:us-east-1:248400274283:aws-managed-waf-rule-notifications",
"Capacity": 200,
"Rules": [
{
"Name": "JavaDeserializationRCE_BODY",
"Action": {
"Block": {}
}
},
{
"Name": "JavaDeserializationRCE_URIPATH",
"Action": {
"Block": {}
}
},
{
"Name": "JavaDeserializationRCE_QUERYSTRING",
"Action": {
"Block": {}
}
},
{
"Name": "JavaDeserializationRCE_HEADER",
"Action": {
"Block": {}
}
},
{
"Name": "Host_localhost_HEADER",
"Action": {
"Block": {}
}
},
{
"Name": "PROPFIND_METHOD",
"Action": {
"Block": {}
}
},
{
"Name": "ExploitablePaths_URIPATH",
"Action": {
"Block": {}
}
},
{
"Name": "Log4JRCE_QUERYSTRING",
"Action": {
"Block": {}
}
},
{
"Name": "Log4JRCE_BODY",
"Action": {
"Block": {}
}
},
{
"Name": "Log4JRCE_URIPATH",
"Action": {
"Block": {}
}
},
{
"Name": "Log4JRCE_HEADER",
"Action": {
"Block": {}
}
},
{
+ "Name": "ReactJSRCE_BODY",
"Action": {
"Block": {}
}
}
],
"AvailableLabels": [
{
"Name": "awswaf:managed:aws:known-bad-inputs:Host_Localhost_Header"
},
{
"Name": "awswaf:managed:aws:known-bad-inputs:Log4JRCE_QueryString"
},
{
"Name": "awswaf:managed:aws:known-bad-inputs:JavaDeserializationRCE_QueryString"
},
{
"Name": "awswaf:managed:aws:known-bad-inputs:Log4JRCE_URIPath"
},
{
"Name": "awswaf:managed:aws:known-bad-inputs:Log4JRCE_Header"
},
{
"Name": "awswaf:managed:aws:known-bad-inputs:JavaDeserializationRCE_Header"
},
{
"Name": "awswaf:managed:aws:known-bad-inputs:Propfind_Method"
},
{
"Name": "awswaf:managed:aws:known-bad-inputs:Log4JRCE_Body"
},
{
+ "Name": "awswaf:managed:aws:known-bad-inputs:ReactJSRCE_Body"
},
{
"Name": "awswaf:managed:aws:known-bad-inputs:ExploitablePaths_URIPath"
},
{
"Name": "awswaf:managed:aws:known-bad-inputs:JavaDeserializationRCE_URIPath"
},
{
"Name": "awswaf:managed:aws:known-bad-inputs:JavaDeserializationRCE_Body"
}
]
}
Incidentally, the previous version (Version_1.22) does not contain this rule, as the output below shows.
(Version_1.23 appears to have been skipped; the latest is Version_1.24.)
aws wafv2 describe-managed-rule-group \
--vendor-name "AWS" \
--name "AWSManagedRulesKnownBadInputsRuleSet" \
--scope "REGIONAL" \
--version-name "Version_1.22"
{
"VersionName": "Version_1.22",
"SnsTopicArn": "arn:aws:sns:us-east-1:248400274283:aws-managed-waf-rule-notifications",
"Capacity": 200,
"Rules": [
{
"Name": "JavaDeserializationRCE_BODY",
"Action": {
"Block": {}
}
},
{
"Name": "JavaDeserializationRCE_URIPATH",
"Action": {
"Block": {}
}
},
{
"Name": "JavaDeserializationRCE_QUERYSTRING",
"Action": {
"Block": {}
}
},
{
"Name": "JavaDeserializationRCE_HEADER",
"Action": {
"Block": {}
}
},
{
"Name": "Host_localhost_HEADER",
"Action": {
"Block": {}
}
},
{
"Name": "PROPFIND_METHOD",
"Action": {
"Block": {}
}
},
{
"Name": "ExploitablePaths_URIPATH",
"Action": {
"Block": {}
}
},
{
"Name": "Log4JRCE_QUERYSTRING",
"Action": {
"Block": {}
}
},
{
"Name": "Log4JRCE_BODY",
"Action": {
"Block": {}
}
},
{
"Name": "Log4JRCE_URIPATH",
"Action": {
"Block": {}
}
},
{
"Name": "Log4JRCE_HEADER",
"Action": {
"Block": {}
}
}
],
"AvailableLabels": [
{
"Name": "awswaf:managed:aws:known-bad-inputs:JavaDeserializationRCE_URIPath"
},
{
"Name": "awswaf:managed:aws:known-bad-inputs:Log4JRCE_QueryString"
},
{
"Name": "awswaf:managed:aws:known-bad-inputs:Log4JRCE_URIPath"
},
{
"Name": "awswaf:managed:aws:known-bad-inputs:ExploitablePaths_URIPath"
},
{
"Name": "awswaf:managed:aws:known-bad-inputs:JavaDeserializationRCE_Body"
},
{
"Name": "awswaf:managed:aws:known-bad-inputs:Log4JRCE_Header"
},
{
"Name": "awswaf:managed:aws:known-bad-inputs:Log4JRCE_Body"
},
{
"Name": "awswaf:managed:aws:known-bad-inputs:Host_Localhost_Header"
},
{
"Name": "awswaf:managed:aws:known-bad-inputs:Propfind_Method"
},
{
"Name": "awswaf:managed:aws:known-bad-inputs:JavaDeserializationRCE_QueryString"
},
{
"Name": "awswaf:managed:aws:known-bad-inputs:JavaDeserializationRCE_Header"
}
]
}
If a system you manage is affected by this vulnerability, either upgrade to fix the root cause or use AWS WAF or a similar control to mitigate the problem.
Bear in mind, though, that what AWS WAF provides is only mitigation: a WAF signature matches request patterns, it does not remove the vulnerable code. Upgrade as soon as you possibly can.
(Supplement) Projects hosted on Vercel
According to the article below, these are already protected by a WAF.
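The version comparison above raises a practical question: does the web ACL in front of your application actually get the new rule? It will not if the managed rule group is pinned to an older version such as Version_1.22, if the group is attached with an override action of Count, or if ReactJSRCE_BODY itself has been overridden to Count. The script below is an added example (not code from the original post or from AWS) that audits those three conditions from the JSON printed by `aws wafv2 get-web-acl` and `aws wafv2 describe-managed-rule-group`. The sample documents embedded at the bottom are constructed for the example, and the web ACL name "example-acl" and web ACL rule name "AWS-KnownBadInputs" are hypothetical.

```python
"""Added example (not code from the original post or from AWS): audit whether a
web ACL actually gets the ReactJSRCE_BODY rule, using the JSON printed by

  aws wafv2 get-web-acl --name <acl> --id <id> --scope REGIONAL
  aws wafv2 describe-managed-rule-group --vendor-name AWS \
      --name AWSManagedRulesKnownBadInputsRuleSet --scope REGIONAL [--version-name ...]

The sample documents at the bottom are constructed for this example; the web ACL
name "example-acl" and rule name "AWS-KnownBadInputs" are hypothetical."""
import json
import sys

RULE_GROUP = "AWSManagedRulesKnownBadInputsRuleSet"
TARGET_RULE = "ReactJSRCE_BODY"


def rule_group_has_rule(describe_output, rule_name=TARGET_RULE):
    """True if describe-managed-rule-group output lists rule_name."""
    return any(r.get("Name") == rule_name for r in describe_output.get("Rules", []))


def managed_group_rules(web_acl_output, group_name=RULE_GROUP):
    """Yield (web ACL rule name, ManagedRuleGroupStatement, OverrideAction) for
    every web ACL rule that references the AWS managed group group_name."""
    for rule in web_acl_output.get("WebACL", {}).get("Rules", []):
        stmt = rule.get("Statement", {}).get("ManagedRuleGroupStatement")
        if stmt and stmt.get("VendorName") == "AWS" and stmt.get("Name") == group_name:
            yield rule.get("Name"), stmt, rule.get("OverrideAction", {})


def audit_web_acl(web_acl_output, describe_by_version):
    """Return a list of findings; an empty list means ReactJSRCE_BODY can block.

    describe_by_version maps a rule-group version name (None = the default
    version, which is what a web ACL without a pinned Version tracks) to the
    describe-managed-rule-group output for that version.
    """
    findings = []
    attached = list(managed_group_rules(web_acl_output))
    if not attached:
        return [f"{RULE_GROUP} is not attached to this web ACL"]
    for acl_rule, stmt, override in attached:
        version = stmt.get("Version")  # absent => tracks the default version
        desc = describe_by_version.get(version)
        if desc is None:
            findings.append(f"{acl_rule}: no describe output for version {version!r}")
            continue
        if not rule_group_has_rule(desc):
            findings.append(f"{acl_rule}: pinned to {version}, which has no {TARGET_RULE}")
        if "Count" in override:
            findings.append(f"{acl_rule}: rule group override action is Count, nothing blocks")
        for ov in stmt.get("RuleActionOverrides", []):
            if ov.get("Name") == TARGET_RULE and "Block" not in ov.get("ActionToUse", {}):
                findings.append(f"{acl_rule}: {TARGET_RULE} action overridden to non-Block")
    return findings


# Constructed samples shaped like the CLI output (abridged; real output lists more rules).
DESCRIBE_DEFAULT = {"Capacity": 200, "Rules": [
    {"Name": "Log4JRCE_BODY", "Action": {"Block": {}}},
    {"Name": TARGET_RULE, "Action": {"Block": {}}}]}
DESCRIBE_V1_22 = {"VersionName": "Version_1.22", "Capacity": 200, "Rules": [
    {"Name": "Log4JRCE_BODY", "Action": {"Block": {}}}]}


def sample_web_acl(version=None, override=None, rule_overrides=None):
    """Hypothetical get-web-acl output with the group attached in the given way."""
    stmt = {"VendorName": "AWS", "Name": RULE_GROUP}
    if version:
        stmt["Version"] = version
    if rule_overrides:
        stmt["RuleActionOverrides"] = rule_overrides
    return {"WebACL": {"Name": "example-acl", "Rules": [{
        "Name": "AWS-KnownBadInputs", "Priority": 1,
        "Statement": {"ManagedRuleGroupStatement": stmt},
        "OverrideAction": override or {"None": {}}}]}}


if __name__ == "__main__":
    # Usage: python3 audit.py web-acl.json default.json [Version_1.22=v122.json ...]
    acl = json.load(open(sys.argv[1]))
    versions = {None: json.load(open(sys.argv[2]))}
    for arg in sys.argv[3:]:
        name, path = arg.split("=", 1)
        versions[name] = json.load(open(path))
    for line in audit_web_acl(acl, versions) or ["OK: ReactJSRCE_BODY is present and blocking"]:
        print(line)
```

Save the output of `get-web-acl` and of `describe-managed-rule-group` (once without `--version-name` for the default version, and once per version your web ACL pins) to files and pass them in as shown in the usage comment; `aws wafv2 list-available-managed-rule-group-versions --vendor-name AWS --name AWSManagedRulesKnownBadInputsRuleSet --scope REGIONAL` tells you which version is the current default. Two further caveats apply to any body-inspecting rule: AWS WAF inspects the request body only up to the web ACL's body inspection size limit (16 KB by default), so review that setting and the oversize handling for your resource type, and a request that never reaches the WAF (a direct call to an origin that is also exposed without it) is not covered at all.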
References
- AWS Managed Rules changelog
  - Not yet updated at the time of writing
That's all from the field.