React2Shell: The CVSS 10.0 That Hit 85,000 Servers
CVE-2025-55182 turned React Server Components into a one-request RCE. Nation-states and criminals moved within hours.
December 3rd, 2025. React publishes a security advisory. Within hours, threat actors from at least three countries are exploiting it.
CVE-2025-55182 - dubbed “React2Shell” - is an unauthenticated RCE in React Server Components. CVSS 10.0. One HTTP request. No login required. Default configurations vulnerable.
If your app uses React 19 with Server Components, this applies to you.
What’s Broken
The vulnerability lives in React’s Server Components architecture, specifically the “Flight” protocol that handles communication between server and client.
The flaw: unsafe deserialization of HTTP request payloads sent to Server Function endpoints.
When React receives a POST request to a Server Function, it deserializes the payload without proper validation. An attacker can craft a malicious payload that, when deserialized, executes arbitrary code on the server.
No authentication. No user interaction. No special privileges. Just network access to the application.
Affected packages:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Vulnerable versions:
| React Version | Status |
|---|---|
| 19.0.0 | Vulnerable |
| 19.1.0 | Vulnerable |
| 19.1.1 | Vulnerable |
| 19.2.0 | Vulnerable |
Fixed versions: 19.0.1, 19.1.2, 19.2.1
Here’s what makes this particularly nasty: even apps without explicit Server Function endpoints are vulnerable if they support React Server Components. A standard create-next-app build is exploitable without any custom settings.
The Timeline
| Date | Event |
|---|---|
| Nov 29, 2025 | Lachlan Davidson reports to Meta Bug Bounty |
| Nov 30, 2025 | Meta confirms; React team starts fix |
| Dec 1, 2025 | Fix ready; coordination with hosting providers begins |
| Dec 3, 2025 | Patch released; public disclosure |
| Dec 3, 2025 | Exploitation begins within hours |
| Dec 4, 2025 | Multiple PoCs published; mass scanning starts |
| Dec 5, 2025 | CISA adds to KEV catalog |
| Dec 12, 2025 | CISA remediation deadline |
Four days from disclosure to CISA mandate. That’s how fast this escalated.
Who’s Exploiting It
Google Threat Intelligence, Amazon, and Unit 42 all published reports on the exploitation activity. The picture isn’t pretty.
Nation-state groups:
- China-nexus actors (Earth Lamia, Jackpot Panda) were active within hours of disclosure
- CL-STA-1015, an initial access broker with suspected ties to PRC’s Ministry of State Security
Criminal operators:
- Ransomware initial access brokers
- Cryptomining operations
- Opportunistic mass scanners
Observed post-exploitation:
- MINOCAT tunneler deployment
- SNOWLIGHT downloader
- HISONIC backdoor
- COMPOOD backdoor
- VShell Trojans (fileless execution via curl/wget)
- XMRIG cryptocurrency miners
- Cobalt Strike beacons
VulnCheck’s canary network detected thousands of exploit attempts in the first week. The exploit has near-100% reliability against default configurations.
Why This One Matters
A few things make React2Shell stand out:
Scale. React is everywhere. Next.js alone powers millions of sites. Conservative estimates put 85,000+ vulnerable instances on the public internet at disclosure. The actual number is probably higher.
Simplicity. One HTTP request. No authentication. Default configs vulnerable. The barrier to exploitation is basically zero.
Speed. Nation-state actors exploiting within hours of disclosure. That’s not opportunistic scanning - that’s either pre-positioning or extremely fast capability development.
Framework trust. React isn’t some random npm package. It’s Meta-backed, widely audited, and considered mature. Finding a CVSS 10.0 in core React shakes assumptions about supply chain security.
What To Do
Check Your Exposure
If you’re running React 19.x with Server Components:
```shell
# Check React version
npm list react
# Check for RSC packages
npm list react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack
```
Patch Immediately
React (generic):
```shell
npm install react@latest react-dom@latest
npm install react-server-dom-webpack@latest # or parcel/turbopack
```
Next.js (by version):
```shell
# Next.js 14.x
npm install next@14.2.35
# Next.js 15.0.x
npm install next@15.0.8
# Next.js 15.1.x
npm install next@15.1.12
# Next.js 15.2.x
npm install next@15.2.9
# Next.js 16.x
npm install next@16.0.11
```
Other frameworks:
- React Router, Waku, RedwoodSDK, Parcel RSC plugin, Vite RSC plugin - update to latest versions
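Running `npm list` by hand across a fleet doesn't scale, so here is an added example (not code from the article or from the React or Next.js projects) that turns the exposure check and the fixed-version table above into a small Node.js script. It classifies each tracked package as vulnerable, fixed, or unknown by comparing the installed version against the fixed version for its release line. The dependency map is constructed sample data shaped like the `dependencies` object of `npm ls --json`; the assumption that `react-server-dom-{webpack,parcel,turbopack}` share react's version numbers is mine, and any release line the article does not list (for example Next.js 15.3) is reported as `unknown` rather than guessed.

```javascript
// Added example: classify installed versions against the fixed versions listed
// for CVE-2025-55182. Not part of the article or of any React/Next.js tooling.

// Fixed versions from the article, keyed by major.minor release line.
// Assumption: react-server-dom-{webpack,parcel,turbopack} are versioned in
// lockstep with react, so they reuse react's table.
const FIXED_VERSIONS = {
  react: { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" },
  next: {
    "14.2": "14.2.35", "15.0": "15.0.8", "15.1": "15.1.12",
    "15.2": "15.2.9", "16.0": "16.0.11",
  },
};
const RSC_PACKAGES = [
  "react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack",
];

// Extract the numeric major.minor.patch triple, tolerating range prefixes
// such as "^19.0.0" or "~15.1.12" as found in package.json.
function parseVersion(v) {
  const m = /^\D*(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric semver comparison: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Returns "vulnerable", "fixed", "unknown" (release line not covered by the
// article; consult the advisory) or "not-tracked" (package not in scope).
function classify(pkg, version) {
  const table = FIXED_VERSIONS[RSC_PACKAGES.includes(pkg) ? "react" : pkg];
  if (!table) return "not-tracked";
  const [major, minor] = parseVersion(version);
  const fixed = table[`${major}.${minor}`];
  if (!fixed) return "unknown";
  return compareVersions(version, fixed) < 0 ? "vulnerable" : "fixed";
}

// deps: { name: "1.2.3" } (package.json style) or { name: { version: "1.2.3" } }
// (the "dependencies" object emitted by `npm ls --json`). Only tracked packages
// appear in the report.
function auditDependencies(deps) {
  const report = {};
  for (const [name, entry] of Object.entries(deps)) {
    if (!(name in FIXED_VERSIONS) && !RSC_PACKAGES.includes(name)) continue;
    const version = typeof entry === "string" ? entry : entry.version;
    report[name] = classify(name, version);
  }
  return report;
}

// Constructed sample: a Next.js 15.1 app on React 19.1.1. Both versions sit
// below their fixed release, so the audit should flag them.
const SAMPLE_DEPS = {
  react: "19.1.1",
  "react-dom": "19.1.1",
  next: "15.1.10",
  "react-server-dom-webpack": "19.1.1",
  express: "4.21.0",
};

console.log(auditDependencies(SAMPLE_DEPS));
```

To run it against a real project, pipe `npm ls --json --depth=0` into the script and pass `JSON.parse(stdin).dependencies` to `auditDependencies`; a single `unknown` or `vulnerable` result is enough to put the host on the patch list.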
If You Can’t Patch Immediately
Temporary mitigations (not substitutes for patching):
- Disable Server Functions if your app doesn’t require them
- Deploy WAF rules - most major WAF providers released signatures within 48 hours
- Block suspicious POST requests to RSC endpoints at the edge
Cloud providers implemented platform-level protections:
- Google Cloud: App Engine, Cloud Functions, Cloud Run
- Firebase: Hosting and App Hosting
- AWS: WAF rules available
Check for Compromise
If you were running vulnerable versions, assume compromise until proven otherwise.
Look for:
- Unexpected processes or network connections
- New files in writable directories
- Outbound connections to unusual IPs
- Cryptominer CPU usage
- Reverse shells or tunneling tools
Check server logs for unusual POST requests to your application.
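"Unusual POST requests" is the vague part of that advice, so here is an added example (not from the article) of one way to make it concrete in Node.js. It scans an access log for two signals: POST bursts from a single client, and Server Action POSTs whose `Next-Action` header carries an action ID that your own build never produced. The log lines and the per-line format (timestamp, client IP, method, path, status, Next-Action header or `-`) are constructed for this demo; the assumptions are that you log the `Next-Action` request header, which Next.js sends to identify the Server Action being invoked, and that you can build the allowlist of legitimate action IDs from your deployed bundle.

```javascript
// Added example: triage an access log for the POST anomalies worth reviewing
// after a React2Shell exposure window. Not part of the article. Log format and
// sample lines are CONSTRUCTED:
//   <ISO timestamp> <client ip> <method> <path> <status> <Next-Action id or "-">

// Assumption: action IDs your own build emits, collected from the deployed
// bundle. Anything else hitting a Server Action endpoint is worth a look.
const KNOWN_ACTION_IDS = new Set(["7f3a9c2e1b"]);
const BURST_THRESHOLD = 5;      // POSTs from one client ...
const BURST_WINDOW_MS = 60_000; // ... within this window

const SAMPLE_LOG = [
  "2025-12-04T10:00:01Z 198.51.100.7 GET /products 200 -",
  "2025-12-04T10:00:04Z 198.51.100.7 POST / 200 7f3a9c2e1b",      // known action
  "2025-12-04T10:01:10Z 192.0.2.5 POST / 200 7f3a9c2e1b",         // known action
  "2025-12-04T10:02:00Z 203.0.113.9 POST / 500 0000deadbeef",     // unknown action id
  "2025-12-04T10:02:01Z 203.0.113.9 POST / 500 0000deadbeef",
  "2025-12-04T10:02:02Z 203.0.113.9 POST /products 500 0000deadbeef",
  "2025-12-04T10:02:03Z 203.0.113.9 POST /about 500 0000deadbeef",
  "2025-12-04T10:02:04Z 203.0.113.9 POST /login 500 0000deadbeef",
  "2025-12-04T10:30:00Z 192.0.2.5 POST /contact 200 -",           // ordinary form post
];

function parseLine(line) {
  const [ts, ip, method, path, status, action] = line.trim().split(/\s+/);
  return {
    ts: Date.parse(ts), ip, method, path,
    status: Number(status),
    action: action === "-" ? null : action,
  };
}

// Returns a list of findings: { rule, ip, detail }. One finding per unknown
// action ID, and at most one burst finding per client.
function triageLog(lines, {
  knownActions = KNOWN_ACTION_IDS,
  threshold = BURST_THRESHOLD,
  windowMs = BURST_WINDOW_MS,
} = {}) {
  const findings = [];
  const recentPosts = new Map(); // ip -> POST timestamps inside the window
  const burstFlagged = new Set();
  const entries = lines.map(parseLine).sort((a, b) => a.ts - b.ts);

  for (const e of entries) {
    if (e.method !== "POST") continue;

    // Rule 1: Server Action POST with an action ID our build never emitted.
    if (e.action !== null && !knownActions.has(e.action)) {
      findings.push({ rule: "unknown-action-id", ip: e.ip, detail: `${e.path} action=${e.action}` });
    }

    // Rule 2: sliding-window POST burst from a single client.
    const times = recentPosts.get(e.ip) ?? [];
    times.push(e.ts);
    while (times[0] < e.ts - windowMs) times.shift();
    recentPosts.set(e.ip, times);
    if (times.length >= threshold && !burstFlagged.has(e.ip)) {
      burstFlagged.add(e.ip);
      findings.push({ rule: "post-burst", ip: e.ip, detail: `${times.length} POSTs within ${windowMs / 1000}s` });
    }
  }
  return findings;
}

for (const f of triageLog(SAMPLE_LOG)) console.log(f.rule, f.ip, f.detail);
```

Tune the threshold to your traffic before trusting the burst rule; the unknown-action rule is the sharper of the two, because a legitimate client can only send action IDs that exist in the bundle you shipped.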
Related Vulnerabilities
The React team disclosed additional issues alongside and after CVE-2025-55182:
| CVE | Type | CVSS | Status |
|---|---|---|---|
| CVE-2025-55182 | RCE | 10.0 | Patched |
| CVE-2025-55184 | DoS | 7.5 | Patched |
| CVE-2025-67779 | DoS | 7.5 | Patched |
| CVE-2025-55183 | Source Exposure | 5.3 | Patched |
| CVE-2026-23864 | DoS | 7.5 | Patched Jan 2026 |
The same patch cycle addresses these. If you’ve updated for CVE-2025-55182, you’re covered.
The Broader Pattern
React2Shell joins a growing list of framework-level vulnerabilities that break the trust model:
- Log4Shell (2021) - ubiquitous Java library
- Spring4Shell (2022) - enterprise Java framework
- React2Shell (2025) - dominant frontend framework
The common thread: widely-adopted components with subtle serialization/deserialization flaws that sat unnoticed for years.
React Server Components shipped in React 18 (March 2022). The vulnerable code path existed for over three years before discovery. That’s three years of “battle-tested” code that wasn’t actually tested against this attack vector.
Lessons
For developers:
- Update dependencies regularly, not just when vulns are disclosed
- Don’t expose more Server Components functionality than needed
- Have a rapid response plan for framework-level CVEs
For security teams:
- Monitor for dependency CVEs, not just application code
- WAF rules buy time but don’t fix the problem
- Assume exploitation starts immediately after disclosure
For everyone:
- “Widely used” doesn’t mean “secure”
- The supply chain includes your framework, not just your packages
- CVSS 10.0 with active exploitation means drop everything and patch
References
- React Security Advisory
- NVD - CVE-2025-55182
- Unit 42 Analysis
- Wiz Research
- Microsoft Defender Guidance
- CISA KEV Entry
One HTTP request. No authentication. 85,000 servers. The modern web runs on trust in frameworks we don’t audit.