Deep dive into React2Shell (CVE-2025-55182), a critical RCE vulnerability targeting React SSR. Learn the attack vectors and immediate mitigation steps.

React2Shell (CVE-2025-55182): Critical RCE Analysis & Fixes | Securelic

Published: 2025-12-05

What Is React2Shell (CVE-2025-55182) and How to Protect Your Web Apps

In early December 2025, a critical security vulnerability known as React2Shell (CVE-2025-55182) was publicly disclosed, shocking the web development and security communities. This flaw impacts React Server Components and related frameworks such as Next.js, making them vulnerable to unauthenticated remote code execution (RCE), one of the most dangerous types of security bugs an application can have.

What Is React2Shell?

React2Shell is a maximum-severity (CVSS 10.0) vulnerability that exists because some React Server Components improperly deserialize incoming data. Attackers can send a specially crafted HTTP request that bypasses validation and causes the server to execute arbitrary code. Simply put: a remote attacker doesn’t need credentials or user interaction to take control of affected servers.

This vulnerability affects:

  1. React Server Components versions 19.0.0 through 19.2.0
  2. Frameworks and tools that bundle these components, including Next.js (15.x / 16.x)
  3. Any ecosystem (e.g., Vite, Parcel, RedwoodSDK) that adopts vulnerable react-server-dom-* packages

Why Do Attackers Target React2Shell?

React and Next.js are some of the most widely used open-source libraries for modern web applications. Threat actors, including nation-state groups and cyber criminals, have rapidly weaponized this flaw. Within hours of public disclosure, automated scanning, exploitation attempts and malware deployment campaigns were observed in the wild.

Common threat actor motivations include:

  • Botnets & Cryptomining - Deploying coin miners (e.g., XMRig) after compromise
  • Web Shells & Backdoors - Establishing persistent remote access
  • Credential Theft & Lateral Movement - Harvesting keys and moving laterally
  • Ransomware Deployment - Immediate encryption of sensitive data and systems post exploit

Active exploitation has been attributed to advanced groups, including China-linked threat clusters that rapidly adapted tooling to automate attacks at scale.

How to Detect & Mitigate React2Shell

Immediate Remediation

  • Patch React Server Components & Next.js: Update to fixed versions as recommended by official React and Next.js advisories.
  • Web Application Firewalls (WAF): Apply temporary WAF rules to block exploit request patterns while patching.
  • Audit All RSC-Enabled Services: Thoroughly inventory systems using React Server Components or bundlers that include them.
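
One way to start that inventory is to audit each service's lockfile. The following is an added example, not code from Securelic or the React project. It assumes an npm `package-lock.json` (lockfileVersion 2 or 3) and uses the 19.0.0 through 19.2.0 range exactly as listed in this article, so the official advisory's per-branch fixed versions should replace it where they differ. The names `auditLockfile` and `SAMPLE_LOCK` are hypothetical, and Next.js 15.x/16.x is flagged for review only because the article gives no patched Next.js versions.

```javascript
// Added example: lockfile audit using the version range quoted on this page.
const AFFECTED = { min: [19, 0, 0], max: [19, 2, 0] }; // range as listed above
const NEXT_MAJORS = [15, 16]; // Next.js release lines named above

// Parse "major.minor.patch"; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v || ""));
  return m ? m.slice(1).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// lock: parsed package-lock.json object with a "packages" map.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // The last "node_modules/" segment is the package name; this also catches nested copies.
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // root project entry ("")
    const name = path.slice(idx + "node_modules/".length);
    const ver = parseVersion(meta.version);
    const hit = (status) => findings.push({ path, name, version: meta.version, status });
    if (name.startsWith("react-server-dom-")) {
      if (!ver) hit("unparsed");
      else if (cmp(ver, AFFECTED.min) >= 0 && cmp(ver, AFFECTED.max) <= 0) hit("in-affected-range");
    } else if (name === "next" && ver && NEXT_MAJORS.includes(ver[0])) {
      // No patched Next.js version is given on this page, so this is a review flag only.
      hit("review-against-advisory");
    }
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.0" },
    "node_modules/some-tool/node_modules/react-server-dom-parcel": { version: "19.2.1" },
    "node_modules/legacy/node_modules/react-server-dom-turbopack": { version: "18.3.1" },
    "node_modules/next": { version: "15.4.0" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

A lockfile audit only sees declared dependencies; copies of the RSC runtime compiled into a framework's own distribution still need the framework-level check.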

Vulnerability Scanning & Securelic

Proactive scanning is critical in detecting vulnerable instances before they are weaponized. With Securelic’s open-source-powered vulnerability scanner, you can:

  • Scan for outdated or vulnerable React Server Components and ecosystem dependencies
  • Inspect HTTP endpoints for unsafe deserialization risk patterns
  • Integrate automated checks into CI/CD pipelines to catch vulnerable builds
  • Generate prioritized reports for immediate remediation actions

Securelic leverages industry-proven scanners such as OWASP ZAP and nuclei template engines to detect real-world exploit conditions, giving you visibility into live risk exposure and reducing attack surface early.

Building Resilience Against Exploitation

  • Monitor Logs & Network Traffic for unusual command execution or shell activity
  • Enable Runtime Protection and anomaly detection
  • Educate Dev Teams on secure deserialization and patch management
  • Maintain an SBOM (Software Bill of Materials) to track vulnerable dependencies

Summary

CVE-2025-55182, widely known as React2Shell, is a critical remote code execution vulnerability in React Server Components and related frameworks like Next.js. It has been rapidly exploited by threat actors for cryptomining, web shells, credential theft and ransomware campaigns. Immediate patching, robust scanning and runtime defenses are essential to protect modern web applications. Proactive tools like Securelic help detect exposure early and guide swift remediation, ensuring your web assets stay secure in a world of evolving threats.
