TL;DR
- CVE-2025-55182 is a CVSS 10 unauthenticated RCE in React Server Components (RSC/Flight). Default Next.js apps using affected RSC implementations are a key vector.[1]
- A public PoC was available on Dec 4, 2025, and vendors report in‑the‑wild exploitation.[1][2]
- Patch React to 19.2.1+ as well as any frameworks using RSCs, and enable WAF mitigations from providers like Cloudflare and Vercel while you roll out updates.[3][4]
What React, Node.js, and RSC are
- React: A JavaScript library for building UIs from reusable components. It primarily runs in the browser but can also render on the server.
- Node.js: A JavaScript runtime (V8) that runs outside the browser. Used for building servers, CLIs, build tools, and serving React apps.
- React Server Components (RSC): Let some components run on the server and stream their output to the client, never shipping server‑only code to the browser. Frameworks like Next.js integrate RSC so server and client components can co‑exist.
What happened
On Dec 3, 2025, the React team disclosed CVE-2025-55182, an unsafe deserialization flaw in RSC/React Flight. Crafted Flight payloads can be interpreted as internal references/objects, triggering server‑side behaviors and enabling remote code execution on affected servers.[1]
By Dec 4, a working public PoC appeared and cloud vendors started reporting active exploitation attempts.[1][2]
Who is affected
- Affected React versions: 19.0, 19.1.0, 19.1.1, 19.2.0. Patched in 19.2.1.[5]
- Affected packages include: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack.[6]
- Frameworks using RSC (e.g., Next.js, Redwood, Waku) are impacted and shipped fixes plus WAF mitigations on some hosted platforms.[4]
Scope note: This only affects servers using RSC. Not all React/Next.js apps use RSC, so the impact is narrower than the entire ecosystem; that is why the checks and searches suggested below look for React server packages rather than React in general.
Indicators and detection
- Software composition: Search repos for React 19.0–19.2.0 with RSC packages like react-server-dom-webpack; upgrade to 19.2.1+.[5][6]
- Framework inventory: Enumerate Next.js apps using RSC/server functions and verify their React and Next.js versions.[4]
- Edge/runtime: Monitor for suspicious React Flight payloads, and enable or tune WAF rules targeting RSC payload shapes.[3][4]
Tanium examples:
- With SBOM:
Get SBOM Packages Filtered By[*react-server-dom-parcel*,"","",nodejs] from all entities
Get SBOM Packages Filtered By[*react-server-dom-turbopack*,"","",nodejs] from all entities
Get SBOM Packages Filtered By[*react-server-dom-webpack*,"","",nodejs] from all entities
Get SBOM Packages Filtered By[next,"","",nodejs] from all entities
Compare these results with the affected version numbers above; a hit on one of these SBOM searches by itself does not mean a device is vulnerable.
- Without SBOM (presence-only; requires Tanium Index and will not show version numbers, but gives a starting point for finding servers running the components):
Get Computer Name and Index - File Details[10,".*(react-server-dom-parcel|react-server-dom-turbopack|react-server-dom-webpack|node_modules[/\\\\]next)([/\\\\]|$).*,*,*,*,*,*,*,*,1,0,"",""] from all entities with ( Windows OS Type contains server or ( Is Linux equals true or ( Is Solaris equals true or Is AIX equals true ) ) )
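As an added example (not part of this advisory or of any Tanium content), the same version comparison applied to an npm package-lock.json: it lists the react, react-server-dom-* and next entries and flags the lockfile only when an RSC package is present at a version below 19.2.1. The lockfile v2/v3 "packages" layout and the sample lockfile are assumptions.

```javascript
// Added example, not from the advisory: triage a package-lock.json as the SBOM guidance
// above describes. Package names and the 19.2.1 fix come from the advisory; npm lockfile
// v2/v3 layout ("packages" map keyed by node_modules path) is assumed.
const RSC_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];
const FIXED = [19, 2, 1]; // first patched React release

// True for 19.x releases below 19.2.1 (19.0.x, 19.1.x, 19.2.0 per the advisory).
function isAffectedVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) return false;
  const [major, minor, patch] = m.slice(1).map(Number);
  if (major !== FIXED[0]) return false;
  return minor < FIXED[1] || (minor === FIXED[1] && patch < FIXED[2]);
}

// Walk the lockfile "packages" map and report react / RSC / next entries.
function assessLockfile(lock) {
  const found = { react: [], rsc: [], next: [] };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!entry || !entry.version) continue;
    const name = path.split('node_modules/').pop(); // handles nested installs
    if (name === 'react') found.react.push(entry.version);
    else if (RSC_PACKAGES.includes(name)) found.rsc.push(`${name}@${entry.version}`);
    else if (name === 'next') found.next.push(entry.version);
  }
  const usesRsc = found.rsc.length > 0; // scope note: no RSC package, no exposure
  const affected = [...found.react, ...found.rsc.map((p) => p.split('@').pop())]
    .some(isAffectedVersion);
  let action = 'no RSC package found; out of scope for this CVE';
  if (usesRsc) {
    action = affected
      ? 'upgrade react and react-server-dom-* to 19.2.1+ and redeploy'
      : 'RSC present at a patched version; still apply the framework (e.g. Next.js) fix';
  }
  return { ...found, usesRsc, vulnerable: usesRsc && affected, action };
}

// Constructed sample lockfile (not a real project); versions are illustrative.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/next': { version: '0.0.0-placeholder' },
  },
};
console.log(JSON.stringify(assessLockfile(SAMPLE_LOCK), null, 2));
```

Point it at a real lockfile with `assessLockfile(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; Next.js itself is only listed so the framework advisory can be checked separately, since this advisory gives no Next.js version range.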
How to respond (prioritized)
- Patch and redeploy
  - Upgrade React to 19.2.1+ across all services using RSC.[5]
  - Apply your framework’s patched releases and redeploy (e.g., Next.js advisories).[4]
- WAF protections
  - Managed platforms (e.g., Cloudflare, Vercel): enable the provider’s WAF mitigations for this CVE while patches roll out.[3][4]
  - Self‑managed WAFs:
    - Add signatures for suspicious RSC/Flight payload structures.
    - Enforce strict content‑types, payload size limits, and rate‑limit RSC endpoints.
    - Log and alert on anomalies around RSC routes.
- Monitor and hunt
  - Assume probing is ongoing given public PoCs and exploitation reports.[1][2]
  - Review server logs around RSC endpoints and Next.js Flight routes.
  - Increase anomaly detection for server-side execution, reverse shells, or unexpected outbound connections.
FAQ
- Is every React app vulnerable?
  - No. Apps not using RSC, or not using frameworks/bundlers that expose RSC endpoints, are not affected.
- If my host advertises WAF coverage, can I skip patching?
  - No. WAF rules reduce risk but aren’t a substitute for vendor patches; patch React and your framework.[4]
References
- VulnCheck: CVE-2025-55182 background and public PoC (Dec 4) with exploit details.[1]
- AWS: Advisory referencing active exploitation.[2]
- Vercel: Summary and WAF mitigations for hosted apps.[4]
- Google Cloud: Version guidance and config notes.[5]
- Cloudflare: Active WAF mitigations for CVE-2025-55182.[3]
- Vulert: Affected RSC packages and versions overview.[6]
