🔴 CVE-2025-55182

Critical pre-authentication remote code execution vulnerability in React Server Components allowing arbitrary code execution through unsafe deserialization of HTTP requests. Multiple threat actors are actively exploiting this vulnerability against internet-facing React applications.

Risk Level: HIGH_RISK
CVSS Score: 10.0
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: VERY_HIGH
Ransomware: Yes (+71d)

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-12-03

Added to CISA KEV: 2025-12-05 (2 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2025-12-05)

CVE-2025-55182, also known as React2Shell, is a critical remote code execution (RCE) vulnerability affecting React Server Components (RSC) in React versions 19.0, 19.1, and 19.2, as well as Next.js applications using App Router with Server Actions [1][4].

Here's what is known about its exploitation:

  • Affected Applications/Services: The vulnerability affects internet-facing applications and services built on recent versions of React with default settings, such as applications on Next.js built using `create-next-app` [3][15]. Web applications that heavily rely on React Server Components and Server Functions are particularly at risk [8].
  • Active Exploitation: Multiple China-linked threat actors have been actively exploiting this vulnerability in the wild, just hours after its disclosure [11][12]. Amazon threat intelligence teams are also actively investigating exploitation attempts to protect AWS infrastructure [7].
  • Attack Vectors and Exploitation Methods: CVE-2025-55182 is an unsafe deserialization vulnerability in RSC [16][19]. An unauthenticated, remote attacker can exploit it by sending a specially crafted request to an RSC "Server Function" endpoint, potentially executing arbitrary code on the server [5][14]. The vulnerability lies in the Flight protocol deserialization process, where prototype pollution can be escalated to arbitrary code execution [1]. Exploitation requires only a single HTTP request to the server, which can start a process on the server with the privileges of the React server process, before any authentication takes place [6].
  • Targeted Attacks: On December 5, 2025, a production Next.js application was targeted by attackers exploiting CVE-2025-55182, attempting to download and execute a Linux backdoor trojan on the server [2].
  • CISA Known Exploited Vulnerabilities (KEV) Status: While the provided search results mention CISA adding other vulnerabilities to its KEV catalog [17][18], it's not explicitly stated whether CVE-2025-55182 has been added. However, given the active exploitation, it is likely to be added to the KEV catalog.
  • Technical Details on Internet Exploitability: CVE-2025-55182 is classified as critical with a CVSS score of 10.0 [10]. It is a pre-authentication remote code execution vulnerability [20][21]. A remote, unauthenticated attacker can execute arbitrary code on an affected server [14][16]. The attack vector is remote, the attack complexity is low, no privileges are required, and no user interaction is required [9]. The vulnerability allows arbitrary argument injection into server-side functions [13].

Sources

  1. GitHub - Spritualkb/CVE-2025-55182-exp: CVE-2025-55182 React...

    CVE-2025-55182 is a critical Remote Code Execution (RCE) vulnerability in React Server Components (RSC) affecting Next.js applications using App Router with Server Actions. The vulnerability exists in the Flight protocol deserialization process, allowing attackers to achieve arbitrary code execution…

  2. CVE-2025-55182 Attack Analysis: React Server Components RCE - GitHub

    Executive Summary On December 5, 2025, our production Next.js application was targeted by attackers exploiting CVE-2025-55182 (React2Shell), a critical Remote Code Execution vulnerability in React Server Components. The attack attempted to download and execute a Linux backdoor trojan on our server.

  3. CVE-2025-55182: RCE in React Server Components

    AWS is aware of the recently disclosed CVE-2025-55182 which affects the React Server Flight protocol in React versions 19.0, 19.1, and 19.2, as well as in Next.js versions 15.x, 16.x, Next.js 14.3.0-canary.77 and later canary releases when using App Router. This issue may permit unauthorized remote…

  4. Dangerous RCE Flaw in React, Next.js Threatens Cloud Environments ...

    Google wrote that it rolled out a new rule for its Cloud Armor web application firewall created to detect and block CVE-2025-55182-related exploitation attempts. Available now, it aims to protect internet-facing applications and services that use global or regional application load balancers.

  5. Protect against React RSC CVE-2025-55182 with Azure Web Application ...

    On December 3, 2025, the React team disclosed a critical remote code execution (RCE) vulnerability in React Server Components (RSC), tracked as CVE-2025-55182. The vulnerability allows an unauthenticated attacker to send a specially crafted request to an RSC “Server Function” endpoint and potentiall…