A critical unauthenticated remote code execution vulnerability dubbed “React2Shell” is actively being exploited in the wild, putting millions of web services at risk.
On December 3, React disclosed CVE-2025-55182, a critical flaw in React Server Components with a CVSS score of 10.
The vulnerability stems from insecure deserialization within the “Flight” protocol used by React Server Components.
Attackers can execute arbitrary code on vulnerable servers by sending specially crafted HTTP requests to Server Function endpoints without requiring authentication. This allows threat actors to gain complete control of affected systems.
Amazon Web Services researchers reported that China-nexus threat actors, including Earth Lamia and Jackpot Panda, began exploiting this vulnerability within 24 hours of its public disclosure.
The attackers are targeting vulnerable cloud-hosted applications using React Server Components. Often, they deploy web shells and backdoors shortly after gaining initial access.
| Field | Details |
|---|---|
| CVE-ID | CVE-2025-55182 |
| CVSS Score | 10.0 (Critical) |
| Vulnerability Type | Unauthenticated Remote Code Execution |
| Affected Versions | React 19.0.0, 19.1.0, 19.1.1, 19.2.0 |
As of December 5, CISA added CVE-2025-55182 to its Known Exploited Vulnerabilities Catalog, underscoring the severity and active exploitation of this flaw.
GreyNoise has also documented opportunistic exploitation attempts against their honeypots, indicating widespread scanning and exploitation activity across the internet.
According to Censys, approximately 2.15 million internet-facing web services may be affected by this vulnerability.
These include exposed services running React Server Components and affected frameworks such as Next.js, Waku, React Router, and RedwoodSDK.
While this count reflects software exposure rather than confirmed vulnerable versions, the scale of potential impact is significant given the popularity of these frameworks.
The vulnerability affects React Server Components packages, including react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack, in versions 19.0.0 through 19.2.0.
Multiple popular frameworks depend on these packages, including Next.js versions 14.3.0-canary.77 and above when using App Router, React Router RSC preview, Waku, Vite RSC Plugin, Parcel RSC Plugin, and RedwoodSDK.
Pure client-side React applications that do not run server-side components are not affected.
However, applications implementing React Server Components remain vulnerable even if they do not explicitly use Server Function endpoints.
Fixed versions are now available. Organizations should immediately update to React 19.0.1, 19.1.2, or 19.2.1.
Next.js users should upgrade to versions 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7 depending on their current version.
While WAF providers, including Cloudflare and AWS, have deployed protective rule sets, some proof-of-concept exploits demonstrate bypass techniques. Patching remains the most reliable mitigation strategy.
Given the active exploitation, maximum severity score, and widespread framework adoption, organizations running React Server Components should treat this as an emergency patch priority.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
