
CISA Includes React2Shell Vulnerability In KEV Catalog Due To Ongoing Exploitation

CISA has added CVE-2025-55182, dubbed React2Shell, to its Known Exploited Vulnerabilities (KEV) catalog due to confirmed active exploitation.

This critical remote code execution flaw affects React Server Components and related frameworks.

Vulnerability Overview

React2Shell (CVE-2025-55182) carries a CVSS score of 10.0, enabling unauthenticated attackers to execute arbitrary code on servers.

The issue arises from insecure deserialization in React’s Flight protocol, used for server-client communication in React Server Components (RSC).

Attackers send crafted HTTP requests to RSC endpoints, exploiting how React decodes payloads; specifically, the mishandling of object references with operators like $@, $B, and $n in multipart/form-data payloads.

Affected software includes React versions 19.0.0 through 19.2.0, as well as libraries such as react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.

Downstream impacts hit Next.js, React Router, Waku, Parcel, Vite, and RedwoodSDK under default setups.

Detail                Information
CVE ID                CVE-2025-55182
CVSS Score            10.0 (Critical)
CWE                   N/A (Deserialization flaw)
Date Added to KEV     2025-12-05
Due Date              2025-12-12
Affected Products     React Server Components 19.0.0-19.2.0; Next.js etc.
Patched Versions      19.0.1, 19.1.2, 19.2.1
Exploitation Status   Active in wild

CISA urges applying vendor patches, following BOD 22-01 for cloud services, or discontinuing unpatched products.
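As an added example (not CISA's, React's or any project's own tooling), the following Python script checks an npm lockfile for the packages and version range listed above and names the fixed release on the same minor line. The lockfile content is constructed, and treating prerelease tags such as "-rc.1" as their base version is an assumption of the script (it errs toward flagging).

```python
"""Audit an npm lockfile for packages in the React2Shell (CVE-2025-55182)
affected range. Added illustration, not React's or CISA's own tooling; the
lockfile below is constructed."""
import json
import re

# Packages the advisory names as affected: React itself plus the RSC bindings.
AFFECTED_PACKAGES = {
    "react",
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}
# Affected range 19.0.0 through 19.2.0 and the fixed releases, as listed above.
AFFECTED_LOW, AFFECTED_HIGH = (19, 0, 0), (19, 2, 0)
PATCHED_BY_MINOR = {0: (19, 0, 1), 1: (19, 1, 2), 2: (19, 2, 1)}


def parse_version(text):
    """Return (major, minor, patch). Prerelease tags such as '-rc.1' are
    dropped (assumption: a prerelease of an affected version is reported)."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(name, version):
    """True when the package is on the affected list and inside the range."""
    if name not in AFFECTED_PACKAGES:
        return False
    ver = parse_version(version)
    if ver in PATCHED_BY_MINOR.values():
        return False
    return AFFECTED_LOW <= ver <= AFFECTED_HIGH


def recommended_patch(version):
    """Fixed release on the same minor line as a dotted string, or None."""
    ver = parse_version(version)
    fixed = PATCHED_BY_MINOR.get(ver[1])
    return ".".join(str(x) for x in fixed) if fixed else None


def audit_lockfile(lock_json):
    """Scan lockfileVersion 2/3 'packages' entries (keys look like
    'node_modules/react' or 'node_modules/a/node_modules/react'); return
    sorted (package, version) pairs in the affected range."""
    data = json.loads(lock_json)
    findings = set()
    for path, meta in data.get("packages", {}).items():
        if "node_modules/" not in path or "version" not in meta:
            continue
        name = path.rsplit("node_modules/", 1)[1]
        if is_vulnerable(name, meta["version"]):
            findings.add((name, meta["version"]))
    return sorted(findings)


# Constructed lockfile: one nested legacy React 18, one patched turbopack binding.
SAMPLE_LOCK = json.dumps({
    "name": "constructed-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "constructed-app"},
        "node_modules/react": {"version": "19.1.0"},
        "node_modules/react-dom": {"version": "19.1.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.1.0"},
        "node_modules/react-server-dom-turbopack": {"version": "19.2.1"},
        "node_modules/legacy/node_modules/react": {"version": "18.3.1"},
    },
})

if __name__ == "__main__":
    for name, version in audit_lockfile(SAMPLE_LOCK):
        print(f"{name}@{version} -> upgrade to {recommended_patch(version)}")
```

Run it against a real package-lock.json by replacing SAMPLE_LOCK with the file's contents; nested copies under another package's node_modules are caught because the last "node_modules/" segment is what is matched.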

Exploitation and Response

Exploitation surged post-disclosure on December 3, 2025, with PoCs released by researcher Lachlan Davidson and others like maple3142.

Threat actors, including China-nexus groups (Earth Lamia, UNC5174), scan for vulnerable RSC endpoints, deploy cryptominers, steal AWS credentials, and install backdoors like Noodle RAT or Cobalt Strike.

Unit 42 observed over 30 victims across sectors, with attacks that used reconnaissance, downloaders, and in-memory shells that avoid disk writes.

Censys reports ~2.15 million exposed instances; Shadowserver found 28,964 vulnerable IPs as of December 7. Federal agencies must patch by December 26 per BOD 22-01.

Mitigate by upgrading React libraries immediately, blocking untrusted RSC requests via WAFs, and hunting for indicators like anomalous Flight payloads.

Scan environments for instances matching this CVSS 10.0 vulnerability and monitor for post-exploitation activity, such as PowerShell stagers.
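As an added illustration of the hunting step (not React's or any vendor's code), here is a Python heuristic that parses captured multipart/form-data POSTs and reports the form fields carrying the Flight reference operators named above ($@, $B, $n). The request records are constructed. Flight uses these operators for ordinary references too, so whether they are rare in a given application's legitimate traffic is an assumption to check against a baseline; the output is for prioritising review, not for blocking.

```python
"""Hunt for Flight reference operators in captured multipart/form-data requests
to RSC endpoints. Added illustration, not React's or any vendor's code; the
request records below are constructed."""
import re

# Operators named in the advisory text, each followed by the numeric id that
# Flight attaches to a reference (e.g. "$@1", "$B2", "$n42").
FLIGHT_REF = re.compile(r"\$(?:@|B|n)\d+")


def boundary_of(content_type):
    """Extract the boundary parameter from a multipart Content-Type header."""
    m = re.search(r"boundary=([^;\s]+)", content_type)
    return m.group(1).strip('"') if m else None


def parse_multipart(body, boundary):
    """Minimal multipart/form-data parser returning {field_name: value}.
    Enough for hunting over logs; not a full RFC 7578 implementation."""
    fields = {}
    for part in body.split("--" + boundary):
        part = part.strip()
        if not part or part == "--":
            continue
        head, _, value = part.partition("\r\n\r\n")
        m = re.search(r'name="([^"]*)"', head)
        if m:
            fields[m.group(1)] = value
    return fields


def suspicious_fields(request):
    """Return [(field_name, [refs...])] for multipart POST parts whose value
    carries Flight reference operators; [] for anything else."""
    ctype = request["headers"].get("content-type", "")
    if request["method"] != "POST" or not ctype.startswith("multipart/form-data"):
        return []
    boundary = boundary_of(ctype)
    if boundary is None:
        return []
    hits = []
    for name, value in parse_multipart(request["body"], boundary).items():
        refs = FLIGHT_REF.findall(value)
        if refs:
            hits.append((name, refs))
    return hits


def hunt(requests):
    """Return [(request_id, hits)] for every request with at least one hit."""
    return [(r["id"], hits) for r in requests if (hits := suspicious_fields(r))]


# Constructed request records: a JSON POST, a multipart body with references,
# and a plain form upload whose "$5" does not match the operator pattern.
SAMPLE_REQUESTS = [
    {
        "id": "req-1",
        "method": "POST",
        "headers": {"content-type": "application/json"},
        "body": '{"query":"hello"}',
    },
    {
        "id": "req-2",
        "method": "POST",
        "headers": {"content-type": "multipart/form-data; boundary=----b"},
        "body": (
            "------b\r\n"
            'Content-Disposition: form-data; name="0"\r\n\r\n'
            '["$@1","$B2"]\r\n'
            "------b\r\n"
            'Content-Disposition: form-data; name="1"\r\n\r\n'
            '{"amount":"$n42"}\r\n'
            "------b--\r\n"
        ),
    },
    {
        "id": "req-3",
        "method": "POST",
        "headers": {"content-type": "multipart/form-data; boundary=----b"},
        "body": (
            "------b\r\n"
            'Content-Disposition: form-data; name="comment"\r\n\r\n'
            "price is $5\r\n"
            "------b--\r\n"
        ),
    },
]

if __name__ == "__main__":
    for request_id, hits in hunt(SAMPLE_REQUESTS):
        print(request_id, hits)
```

Feed it records decoded from a reverse-proxy or WAF body-logging feed; the per-field output tells an analyst which part of the submission to inspect first.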

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research, passionate about staying ahead of emerging threats and technologies.
