React Server Components Critical Vulnerability (CVE-2025-55182)
Overview
On December 3, 2025, the React Team disclosed CVE-2025-55182 (“React2Shell”), a critical remote code execution (RCE) vulnerability in React Server Components (RSC). This flaw allows unauthenticated attackers to execute arbitrary code on vulnerable servers by sending specially crafted HTTP requests. The vulnerability is present in default configurations of affected packages and frameworks, making standard deployments immediately exploitable.
Details
- Vulnerability: CVE-2025-55182 (“React2Shell”) – Critical RCE in React Server Components via unsafe deserialization of HTTP payloads.
- Severity: Maximum (CVSS 10.0)
- Attack Vector: Unauthenticated, remote; exploitation requires only a crafted HTTP request to a vulnerable web server.
- Impacted Versions:
  - React: 19.0, 19.1.0, 19.1.1, 19.2.0
  - Next.js: 15.x, 16.x, 14.3.0-canary.77 and later canary releases
  - Affected packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack
  - Other frameworks/bundlers: React Router, Waku, Parcel, Vite, RedwoodSDK, and any third-party project bundling vulnerable react-server-dom-* packages.
- Impact: Successful exploitation can result in full server compromise, data loss, and lateral movement within systems. The vulnerability is actively being targeted by threat actors.
Discovery and Remediation Guidance
We recommend the following steps to identify and remediate this vulnerability:
Review and Audit:
- Audit all web applications and services for use of React Server Components and affected frameworks.
- Identify any deployments running vulnerable versions listed above.
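One way to carry out the version audit above, as an added example that is not part of this advisory or the React project: a Node.js script that scans an npm package-lock.json for the versions listed here (the page's "19.0" is read as 19.0.0; the sample lockfile and its version numbers are constructed). Because the advisory names no patched Next.js release, Next.js hits are reported for review against the Next.js advisory rather than as confirmed vulnerable.

```javascript
// Added example (not the advisory's or React's code): scan an npm package-lock.json
// (lockfileVersion 2/3 "packages" map) for the versions the advisory lists.
const VULNERABLE_REACT_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const RSC_PACKAGES = new Set(["react", "react-server-dom-webpack",
  "react-server-dom-parcel", "react-server-dom-turbopack"]);

// Returns a finding for one (name, version) pair, or null if nothing to report.
function classify(name, version) {
  if (RSC_PACKAGES.has(name) && VULNERABLE_REACT_VERSIONS.has(version)) {
    return `VULNERABLE: ${name}@${version} -> upgrade to 19.0.1 / 19.1.2 / 19.2.1`;
  }
  if (name === "next") {
    const major = parseInt(version.split(".")[0], 10);
    const canary = /^14\.3\.0-canary\.(\d+)$/.exec(version);
    // The advisory gives no fixed Next.js number, so affected lines are flagged
    // for review against the Next.js advisory rather than declared vulnerable.
    if (major === 15 || major === 16 || (canary && parseInt(canary[1], 10) >= 77)) {
      return `REVIEW: next@${version} is in an affected line; check the Next.js advisory`;
    }
  }
  return null;
}

// Walk the lockfile's "packages" map; keys look like "node_modules/<name>" or
// "node_modules/<parent>/node_modules/<name>", so take the last path segment.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const finding = classify(name, entry.version);
    if (finding) findings.push(finding);
  }
  return findings;
}
const scanLockfilePath = (p) => scanLockfile(JSON.parse(require("fs").readFileSync(p, "utf8")));

// Constructed sample lockfile: two vulnerable RSC packages, one Next.js 15.x, one unrelated.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next": { version: "15.1.0" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};
scanLockfile(SAMPLE_LOCK).forEach((f) => console.log(f));
```

Run `scanLockfilePath("path/to/package-lock.json")` against a real project to list its findings; nested copies of a package (installed under another dependency's node_modules) are checked as well.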
Patch Immediately:
- Upgrade React to patched versions: 19.0.1, 19.1.2, or 19.2.1.
- Upgrade Next.js to the latest stable patched versions (https://nextjs.org/blog/CVE-2025-66478).
- Update any affected packages and dependencies as per the official React blog (https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components).
Mitigation:
- Apply web application firewall (WAF) rules to detect and block exploitation attempts (Cloudflare and Google Cloud have released temporary mitigations).
- Monitor network-layer traffic for anomalous HTTP requests that invoke Server Function / Server Action mechanisms.
- Use available scanners to detect vulnerable deployments but prioritize patching as the definitive remediation.