The Cybersecurity and Infrastructure Security Agency (CISA) has officially added a high-severity vulnerability affecting Meta’s React Server Components to its Known Exploited Vulnerabilities (KEV) catalog.
Assigned the identifier CVE-2025-55182, the security flaw dubbed “React2Shell” by the security community is currently being exploited in the wild, prompting urgent calls for remediation.
React2Shell is a Remote Code Execution (RCE) vulnerability found in React Server Components.
The issue stems from a flaw in the framework’s decoding of data payloads sent to React Server Function endpoints.
Essentially, the server fails to properly validate the payload it receives, so attacker-controlled data in the request can influence what the server executes.
Because this vulnerability allows “unauthenticated” remote code execution, an attacker does not need a password or an existing account to trigger the exploit.
By sending a specially crafted request to a vulnerable server, a hacker can take complete control of the system, execute arbitrary code, or steal sensitive data.
This makes React2Shell a perilous threat for organizations running modern web applications built on this framework.
CISA’s decision to add CVE-2025-55182 to the KEV catalog confirms that threat actors are actively using this bug to attack targets.
Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to secure their networks against this specific threat by December 26, 2025.
While the mandate technically applies only to federal agencies, CISA strongly urges all organisations, including private companies and state governments, to prioritise this fix.
The window between the discovery of a vulnerability and widespread attacks is shrinking, and active exploitation indicates that automated attack tools may already be scanning for vulnerable servers.
Administrators should immediately check whether their environments are running vulnerable versions of React Server Components.
The primary advice is to apply the mitigations per vendor instructions immediately. If a patch or mitigation is unavailable, CISA recommends discontinuing use of the affected product until it can be secured.
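The inventory step above (find out whether a deployment ships a vulnerable React Server Components build) is the part that is easy to script. The following is an added example, not code from the article, CISA or the React project. It assumes that the server-side RSC decoding code is delivered through the react-server-dom-* npm packages (react-server-dom-webpack and its Parcel and Turbopack siblings) and that the application's dependency tree is recorded in npm's package-lock.json. The patched version number is deliberately not hard-coded, because the article does not state it; take it from the vendor advisory and pass it in.

```python
"""Inventory react-server-dom-* packages from an npm lockfile.

Added example, not code from the article, CISA or the React project.
Assumptions: the affected code ships in the react-server-dom-* npm packages,
and the lockfile is npm's package-lock.json (lockfileVersion 1, 2 or 3).
The first fixed version is NOT taken from the article: supply it from the
vendor advisory, or pass None to list installed versions without judging them.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

RSC_PREFIX = "react-server-dom-"


def _version_key(version: str) -> Tuple[int, ...]:
    """Turn '19.1.0' (or '19.2.0-canary-abc') into a comparable tuple.
    Pre-release suffixes are dropped; compare those by hand."""
    core = version.split("-", 1)[0].lstrip("^~=v")
    return tuple(int(p) for p in re.findall(r"\d+", core))


def is_below(installed: str, fixed: str) -> bool:
    """True when the installed version sorts before the first fixed version."""
    return _version_key(installed) < _version_key(fixed)


def find_rsc_packages(lock_text: str) -> Dict[str, List[str]]:
    """Return {package_name: [versions...]} for every react-server-dom-* entry,
    including nested copies installed under other dependencies."""
    lock = json.loads(lock_text)
    found: Dict[str, List[str]] = {}

    def record(name: str, version: str) -> None:
        if name.startswith(RSC_PREFIX) and version:
            versions = found.setdefault(name, [])
            if version not in versions:
                versions.append(version)

    # lockfileVersion 2/3: flat "packages" map keyed by node_modules path.
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself
        name = path.rsplit("node_modules/", 1)[-1]
        record(name, meta.get("version", ""))

    # lockfileVersion 1 (and v2's compatibility tree): nested "dependencies".
    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            record(name, meta.get("version", ""))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return found


def report(lock_text: str, fixed_version: Optional[str]) -> List[str]:
    """One line per installed react-server-dom-* version, marked UPDATE when it
    sorts below the fixed version supplied by the caller, ok otherwise, or
    'check advisory' when no fixed version was supplied."""
    lines = []
    for name, versions in sorted(find_rsc_packages(lock_text).items()):
        for v in versions:
            if fixed_version is None:
                status = "check advisory"
            else:
                status = "UPDATE" if is_below(v, fixed_version) else "ok"
            lines.append(f"{name}@{v}: {status}")
    return lines


# Constructed sample lockfile (lockfileVersion 3) so the script runs offline;
# the package versions in it are made up for the demonstration.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/react": {"version": "19.1.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.1.0"},
        "node_modules/some-ui-kit": {"version": "2.3.4"},
        # A second, nested copy is easy to miss when only the top level is checked.
        "node_modules/some-ui-kit/node_modules/react-server-dom-webpack": {
            "version": "19.0.0"
        },
    },
})

if __name__ == "__main__":
    # Placeholder: set this from the React advisory before trusting the verdicts.
    FIXED_VERSION: Optional[str] = None
    for line in report(SAMPLE_LOCK, FIXED_VERSION):
        print(line)
```

Run it against a real lockfile with `report(open("package-lock.json").read(), fixed_version)`. The nested-copy case is the reason the walk looks below the top level: a UI library that bundles its own react-server-dom-* dependency leaves an older copy in place even after the top-level package is upgraded, and the KEV deadline applies to that copy too.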
