React Server Components Critical Vulnerability (CVE-2025-55182)
Overview
On December 3, 2025, the React Team disclosed CVE-2025-55182 (“React2Shell”), a critical remote code execution (RCE) vulnerability in React Server Components (RSC). This flaw allows unauthenticated attackers to execute arbitrary code on vulnerable servers by sending specially crafted HTTP requests. The vulnerability is present in default configurations of affected packages and frameworks, making standard deployments immediately exploitable.
Details
- Vulnerability: CVE-2025-55182 (“React2Shell”) – Critical RCE in React Server Components via unsafe deserialization of HTTP payloads.
- Severity: Maximum (CVSS 10.0)
- Attack Vector: Unauthenticated, remote; exploitation requires only a crafted HTTP request to a vulnerable web server.
- Impacted Versions:
- React: 19.0, 19.1.0, 19.1.1, 19.2.0
- Next.js: 15.x, 16.x, 14.3.0-canary.77 and later canary releases
- Affected packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack
- Other frameworks/bundlers: React Router, Waku, Parcel, Vite, RedwoodSDK, and any third-party project bundling vulnerable react-server-dom-* packages.
- Impact: Successful exploitation can result in full server compromise, data loss, and lateral movement within systems. The vulnerability is actively being targeted by threat actors.
Discovery and Remediation Guidance
We recommend the following steps to identify and remediate this vulnerability:
Review and Audit:
- Audit all web applications and services for use of React Server Components and affected frameworks.
- Identify any deployments running vulnerable versions listed above.
Patch Immediately:
- Upgrade React to patched versions: 19.0.1, 19.1.2, or 19.2.1.Upgrade Next.js to the latest stable patched versions (https://nextjs.org/blog/CVE-2025-66478)
- Update any affected packages and dependencies as per the official React blog (https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components).
Mitigation:
- Apply web application firewall (WAF) rules to detect and block exploitation attempts (Cloudflare and Google Cloud have released temporary mitigations).
- Monitor network-layer traffic for anomalous HTTP requests that invoke Server Function / Server Action mechanisms
- Use available scanners to detect vulnerable deployments but prioritize patching as the definitive remediation.
Additional Resources:
Authors:
Explore More News
NetSPI Expands Suite of AI-Powered Continuous Pentesting Services as Organizational Attack Surfaces Grow
NetSPI expands suite of Human-Led, AI-Powered Continuous Pentesting Services, including a first-of-its-kind AI Findings Validation service, as well as continuous testing for web applications and internal networks.
AI’s Role in the Next Era of Pentesting
This article discusses how AI can accelerate penetration testing, but without human expertise to validate findings and apply business context, organizations risk confusing faster output with stronger security.
Why Continuous Security Validation is Becoming a Security Imperative
CTO Magazine interviewed NetSPI's Field CISO, Nabil Hannan, for a June 11, 2026, article about how cloud-native architectures, continuous deployment pipelines, APIs, and AI-assisted development have accelerated change across enterprise environments.