React Server Components Critical Vulnerability (CVE-2025-55182)
Overview
On December 3, 2025, the React Team disclosed CVE-2025-55182 (“React2Shell”), a critical remote code execution (RCE) vulnerability in React Server Components (RSC). This flaw allows unauthenticated attackers to execute arbitrary code on vulnerable servers by sending specially crafted HTTP requests. The vulnerability is present in default configurations of affected packages and frameworks, making standard deployments immediately exploitable.
Details
- Vulnerability: CVE-2025-55182 (“React2Shell”) – Critical RCE in React Server Components via unsafe deserialization of request payloads sent to Server Function endpoints.
- Severity: Critical (CVSS 10.0, the maximum score)
- Attack Vector: Unauthenticated, remote; exploitation requires only a crafted HTTP request to a vulnerable web server.
- Impacted Versions:
- React: 19.0.0, 19.1.0, 19.1.1, 19.2.0
- Next.js: 15.x, 16.x, 14.3.0-canary.77 and later canary releases
- Affected packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack
- Other frameworks/bundlers: React Router, Waku, Parcel, Vite, RedwoodSDK, and any third-party project bundling vulnerable react-server-dom-* packages.
- Impact: Successful exploitation gives the attacker code execution as the server process, which can lead to full server compromise, data theft or loss, and lateral movement to connected systems. The vulnerability is being actively exploited by threat actors.
Discovery and Remediation Guidance
We recommend the following steps to identify and remediate this vulnerability:
Review and Audit:
- Audit all web applications and services for use of React Server Components and affected frameworks.
- Identify any deployments running vulnerable versions listed above.
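An added example (not code from the React advisory or from NetSPI) of the audit step above: a Node script that walks a package-lock.json and reports installs of the affected packages, using the version lists stated in this advisory. The sample lockfile is constructed for the example; replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to run it against a real project. Because Next.js ships its own compiled copy of react-server-dom-* rather than depending on the npm packages, the script flags the `next` version range separately and leaves the exact patch level to be confirmed against the Next.js advisory.

```javascript
// Added example: audit a package-lock.json for CVE-2025-55182 affected packages.
// Version lists below are the ones stated in the advisory text; SAMPLE_LOCK is
// a constructed lockfile, not a real project.

const VULNERABLE_REACT = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const PATCHED_REACT = new Set(["19.0.1", "19.1.2", "19.2.1"]);
// react itself plus the react-server-dom-* packages that implement RSC.
const RSC_PACKAGES = new Set([
  "react",
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Minimal semver parse: "14.3.0-canary.77" -> { major: 14, minor: 3, patch: 0, pre: ["canary", 77] }
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) return null;
  const pre = m[4] ? m[4].split(".").map((p) => (/^\d+$/.test(p) ? Number(p) : p)) : [];
  return { major: +m[1], minor: +m[2], patch: +m[3], pre };
}

// Next.js range from the advisory: 15.x, 16.x, and 14.3.0-canary.77 or later canaries.
function nextInAffectedRange(v) {
  const p = parseVersion(v);
  if (!p) return false;
  if (p.major === 15 || p.major === 16) return true;
  return p.major === 14 && p.minor === 3 && p.patch === 0 &&
    p.pre[0] === "canary" && typeof p.pre[1] === "number" && p.pre[1] >= 77;
}

function classify(name, version) {
  if (RSC_PACKAGES.has(name)) {
    if (VULNERABLE_REACT.has(version)) return "VULNERABLE";
    if (PATCHED_REACT.has(version)) return "patched";
    // Canary/experimental 19.x builds are in neither list: review by hand.
    const p = parseVersion(version);
    return p && p.major === 19 ? "REVIEW" : "not-affected";
  }
  if (name === "next") {
    // Next.js bundles its own react-server-dom-* copy, so those packages will
    // not appear in the lockfile. Flag the framework version and confirm the
    // patch level against the Next.js advisory (CVE-2025-66478).
    return nextInAffectedRange(version) ? "AFFECTED-RANGE" : "not-affected";
  }
  return "not-tracked";
}

// Walk the "packages" map of a lockfileVersion 2/3 file. Keys look like
// "node_modules/next" or "node_modules/foo/node_modules/react"; nested copies
// are real installs and are checked too.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0) continue; // the "" root entry describes the project itself
    const name = path.slice(idx + "node_modules/".length);
    const status = classify(name, entry.version || "");
    if (status === "not-tracked" || status === "not-affected") continue;
    findings.push({ path, name, version: entry.version, status });
  }
  return findings;
}

// Constructed sample lockfile (not a real project).
const SAMPLE_LOCK = {
  name: "shop-frontend",
  lockfileVersion: 3,
  packages: {
    "": { name: "shop-frontend", dependencies: { next: "15.5.6", react: "19.2.0" } },
    "node_modules/next": { version: "15.5.6" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-dom": { version: "19.2.0" },
    "node_modules/admin-widgets": { version: "2.1.0" },
    "node_modules/admin-widgets/node_modules/react-server-dom-webpack": { version: "19.1.2" },
    "node_modules/legacy-tool/node_modules/react": { version: "18.3.1" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(14)} ${f.name}@${f.version}  (${f.path})`);
}
```

Run the same walk over every lockfile in the monorepo (and over `node_modules` directly on hosts where the lockfile is not deployed); a nested, patched react-server-dom-webpack under one dependency does not make a vulnerable top-level react safe.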
Patch Immediately:
- Upgrade React to a patched version: 19.0.1, 19.1.2, or 19.2.1, and upgrade the affected react-server-dom-* packages to the same patched version.
- Upgrade Next.js to the latest patched release for your release line, per the Next.js advisory (https://nextjs.org/blog/CVE-2025-66478).
- Update any affected packages and dependencies as per the official React blog (https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components).
Mitigation:
- Apply web application firewall (WAF) rules to detect and block exploitation attempts (Cloudflare and Google Cloud have released temporary mitigations). Treat these as stop-gaps: signature rules can be bypassed and do not fix the underlying deserialization flaw.
- Monitor network-layer traffic for anomalous HTTP requests that invoke Server Function / Server Action mechanisms.
- Use available scanners to detect vulnerable deployments but prioritize patching as the definitive remediation.
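An added example (not code from the advisories or from any WAF vendor) of the monitoring step: detection logic over reverse-proxy logs that flags anomalous Server Action invocations. In Next.js a client invokes a Server Action with a POST carrying a `Next-Action` header whose value is an action ID generated at build time, so the set of legitimate IDs is finite; this example assumes that set is exported from the build output (in a Next.js build, `.next/server/server-reference-manifest.json`) into `KNOWN_ACTION_IDS`. The JSON-lines log format, the action IDs, and the request records are all constructed for the example.

```javascript
// Added example: flag anomalous Server Action invocations in proxy logs.
// Log lines are a constructed JSON-per-request format in which the proxy
// records method, path, status, source IP and selected request headers.

const KNOWN_ACTION_IDS = new Set([
  // Constructed stand-ins for the action IDs a real build emits.
  "7f5c2a9b0d1e3f4a5b6c7d8e9f0a1b2c3d4e5f60",
  "0a1b2c3d4e5f60718293a4b5c6d7e8f901234567",
]);

// Constructed sample log: two legitimate invocations from an internal client,
// an ordinary page load, a burst of probes from one external source, and a
// corrupt line that the parser must tolerate.
const SAMPLE_LOG = [
  '{"ts":"2025-12-04T09:00:01Z","src":"10.0.0.5","method":"POST","path":"/checkout","status":200,"headers":{"next-action":"7f5c2a9b0d1e3f4a5b6c7d8e9f0a1b2c3d4e5f60","content-type":"multipart/form-data; boundary=----x"}}',
  '{"ts":"2025-12-04T09:00:02Z","src":"10.0.0.5","method":"GET","path":"/products","status":200,"headers":{"accept":"text/html"}}',
  '{"ts":"2025-12-04T09:00:03Z","src":"10.0.0.5","method":"POST","path":"/account","status":200,"headers":{"next-action":"0a1b2c3d4e5f60718293a4b5c6d7e8f901234567","content-type":"text/plain;charset=UTF-8"}}',
  '{"ts":"2025-12-04T09:01:10Z","src":"203.0.113.7","method":"POST","path":"/","status":500,"headers":{"next-action":"x","content-type":"multipart/form-data; boundary=----y"}}',
  '{"ts":"2025-12-04T09:01:10Z","src":"203.0.113.7","method":"POST","path":"/","status":500,"headers":{"Next-Action":"deadbeef","content-type":"multipart/form-data; boundary=----y"}}',
  '{"ts":"2025-12-04T09:01:11Z","src":"203.0.113.7","method":"POST","path":"/api/health","status":500,"headers":{"next-action":"00000000000000000000000000000000deadbeef","content-type":"text/plain"}}',
  '{"ts":"2025-12-04T09:01:11Z","src":"203.0.113.7","method":"GET","path":"/","status":200,"headers":{"next-action":"7f5c2a9b0d1e3f4a5b6c7d8e9f0a1b2c3d4e5f60"}}',
  "not json at all",
];

// Case-insensitive header lookup (proxies do not normalise header-name case).
function header(headers, name) {
  if (!headers) return undefined;
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

function analyzeServerActions(lines, { knownIds = KNOWN_ACTION_IDS, burstThreshold = 3 } = {}) {
  const alerts = [];
  const perSource = new Map(); // src -> number of Server Action invocations
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip corrupt lines
    const actionId = header(rec.headers, "next-action");
    if (actionId === undefined) continue; // not a Server Action invocation
    perSource.set(rec.src, (perSource.get(rec.src) || 0) + 1);

    const reasons = [];
    // Server Actions are only dispatched on POST; the header on any other
    // method is a client that is not a real Next.js app.
    if (rec.method !== "POST") reasons.push("action-header-on-non-post");
    // Legitimate clients only send IDs emitted by your build.
    if (!knownIds.has(actionId)) reasons.push("unknown-action-id");
    // A 5xx while handling an action is worth a look on its own: the server
    // choked on the payload.
    if (rec.status >= 500) reasons.push("action-5xx");
    if (reasons.length) alerts.push({ ts: rec.ts, src: rec.src, path: rec.path, actionId, reasons });
  }
  // Many invocations from one source in a short window is the probing pattern.
  for (const [src, count] of perSource) {
    if (count >= burstThreshold) alerts.push({ src, count, reasons: ["action-burst"] });
  }
  return alerts;
}

for (const a of analyzeServerActions(SAMPLE_LOG)) {
  console.log(`${a.src}\t${a.reasons.join(",")}\t${a.actionId || ""}${a.count ? " count=" + a.count : ""}`);
}
```

Pipe real log lines in (`readline` over `process.stdin` is enough) and tune `burstThreshold` to the application's normal action rate. The check is a triage signal, not a control: an attacker can reuse a valid action ID harvested from the site's own client bundle, so a clean action ID does not prove a request was benign, and patching remains the only fix.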