React Server Components Critical Vulnerability (CVE-2025-55182)
Overview
On December 3, 2025, the React Team disclosed CVE-2025-55182 (“React2Shell”), a critical remote code execution (RCE) vulnerability in React Server Components (RSC). This flaw allows unauthenticated attackers to execute arbitrary code on vulnerable servers by sending specially crafted HTTP requests. The vulnerability is present in default configurations of affected packages and frameworks, making standard deployments immediately exploitable.
Details
- Vulnerability: CVE-2025-55182 (“React2Shell”) – Critical RCE in React Server Components via unsafe deserialization of the request payload sent to Server Function (Server Action) endpoints.
- Severity: Maximum (CVSS 10.0)
- Attack Vector: Unauthenticated, remote; exploitation requires only a crafted HTTP request to a vulnerable web server.
- Impacted Versions:
- React: 19.0.0, 19.1.0, 19.1.1, 19.2.0
- Next.js: 15.x, 16.x, 14.3.0-canary.77 and later canary releases
- Affected packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack
- Other frameworks/bundlers: React Router, Waku, Parcel, Vite, RedwoodSDK, and any third-party project bundling vulnerable react-server-dom-* packages.
- Impact: Successful exploitation can result in full server compromise, data loss, and lateral movement within systems. The vulnerability is actively being targeted by threat actors.
Discovery and Remediation Guidance
We recommend the following steps to identify and remediate this vulnerability:
Review and Audit:
- Audit all web applications and services for use of React Server Components and affected frameworks.
- Identify any deployments running vulnerable versions listed above.
Patch Immediately:
- Upgrade React to patched versions: 19.0.1, 19.1.2, or 19.2.1.
- Upgrade Next.js to the latest stable patched release as described in the Next.js advisory for CVE-2025-66478 (https://nextjs.org/blog/CVE-2025-66478).
- Update any affected packages and dependencies as per the official React blog (https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components).
Mitigation:
- Apply web application firewall (WAF) rules to detect and block exploitation attempts (Cloudflare and Google Cloud have released temporary mitigations).
- Monitor network-layer traffic for anomalous HTTP requests that invoke Server Function / Server Action mechanisms.
- Use available scanners to detect vulnerable deployments but prioritize patching as the definitive remediation.