Cybereason is continuing to investigate. Check the Cybereason blog for additional updates.
KEY TAKEAWAYS
- Critical vulnerability discovered on December 3, 2025 in React that could allow for unauthenticated remote code execution.
- Cybereason experts assess this vulnerability as trivial to exploit.
- The server incorrectly trusts user-supplied identifiers and fails to verify that the requested functions are valid exported server actions.
- An initial working proof of concept is public, and early exploitation activity is attributed to Chinese state-nexus threat actors.
- If a server was exposed to the public internet before the patch release date (December 3, 2025), investigate it for signs of compromise.
- Update to latest patched versions of React, and review advisory for additional recommendations.
A critical vulnerability dubbed “React2Shell”, tracked as CVE-2025-55182 with a CVSS score of 10.0, was recently discovered in React Server Components (RSC) and could allow pre-authentication remote code execution. If exploited, this vulnerability could enable unauthenticated threat actors to execute arbitrary code on servers running vulnerable React 19 RSC logic. React is a JavaScript library used to build the user interface of many of the websites people use every day. Because it is so widely used, it has quietly become part of the digital foundation that modern websites rely on. Threat actors can leverage this vulnerability to exfiltrate secrets, pivot deeper into the environment, create persistence mechanisms (webshells), or deploy secondary payloads. A compromised RSC endpoint becomes the Initial Intrusion Vector (IIV) for threat actors, and could allow for lateral movement and complete environment compromise.
Security researchers emphasize that exploiting this bug is trivial. In testing, it worked with near 100% reliability and requires only a crafted HTTP request, with no user interaction. The attack can be performed by remote threat actors over the internet, making it an attractive initial compromise vector. The issue stems from unsafe deserialization within the RSC “Flight” protocol, allowing a threat actor to hijack module resolution and invoke privileged functions on the backend. The flaw affects React 19.0.0 through 19.2.0 and any framework that bundles the affected RSC packages, including Next.js 15 and 16; such frameworks inherit the flaw.
The vulnerability arises from React’s server-side handling of RSC action metadata. Pre-patch, the server incorrectly trusts user-supplied identifiers and fails to verify that requested functions are valid exported server actions. By abusing this logic, a threat actor can instruct the server to load internal Node.js modules and execute functions like child_process.execSync. Proof-of-concept exploits already available on GitHub and other research-related sites as of December 3, 2025 demonstrate direct execution of OS commands through manipulated multipart form submissions that mimic legitimate RSC calls. Once executed, threat actor-supplied commands run with the privileges of the server process.
A working proof-of-concept exploit for CVE-2025-55182 is now public: security researcher maple3142 released an HTTP-based payload that achieves unauthenticated remote code execution against React Server Components in at least Next.js 16.0.6, confirming that the issue is practically exploitable and not just theoretical. Research into exploitation of this vulnerability attributes early activity to multiple China state-nexus threat actors, including EARTH LAMIA and JACKPOT PANDA, who started probing and exploiting React2Shell within hours of the December 3 public disclosure. AWS-managed services themselves are reported as not directly impacted.
If your unpatched server was exposed to the public internet prior to December 3, 2025, investigate for signs of compromise. Although mass exploitation typically follows the release of PoC code, sophisticated threat actors can develop private exploits immediately.
Recommendations
Below are key recommendations from our DFIR team:
- Review React’s advisory and monitor for additional updates
- Update to React 19.0.1, 19.1.2, or 19.2.1, or to framework versions that bundle patched RSC components. Install the latest updates for React Router, Expo/React Native (if using Expo’s web router), RedwoodJS, Waku, Vite RSC plugin, Parcel RSC, etc., as applicable. Many of these only require bumping the React runtime to 19.2.1 or applying a minor update released by the framework maintainers.
- Update Next.js to the latest patched release in your branch (e.g. 15.0.5, 15.1.9, or 16.0.7). Next.js users on the canary (beta) channel should downgrade to the stable 14.x or upgrade to a patched stable release.
- Temporary mitigations such as WAF rules can reduce exposure, but they do not replace software updates.
- Organizations should monitor logs for malformed RSC action requests, unexpected POST traffic to RSC endpoints, or evidence of process execution anomalies.
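To turn the update recommendations above into a repeatable check, the following script (an added example, not Cybereason's, React's or Next.js's own code) classifies the React and Next.js versions resolved in a package-lock.json against the fixed versions named in this advisory. It assumes exact resolved versions (the lockfileVersion 2/3 "packages" map, or the output of npm ls --json), not semver ranges; branches the advisory does not list are reported as "unknown-branch" rather than guessed, and canary/beta builds are reported as "prerelease" because the advisory directs those users to a patched stable release.

```javascript
// Added example (not Cybereason's, React's or Next.js's own code): flag installed
// React / Next.js versions against the fixed versions named in the advisory.
// Assumed input: exact resolved versions as found in a package-lock.json
// (lockfileVersion 2/3 "packages" map) or `npm ls --json`, not semver ranges.

// First patched patch-level per minor branch, per the advisory:
// React 19.0.1 / 19.1.2 / 19.2.1 and Next.js 15.0.5 / 15.1.9 / 16.0.7.
// Branches not listed here are reported as "unknown-branch" rather than guessed.
const FIRST_PATCHED = {
  react: { '19.0': 1, '19.1': 2, '19.2': 1 },
  next: { '15.0': 5, '15.1': 9, '16.0': 7 },
};

// Majors the advisory names as affected: React 19, Next.js 15 and 16.
const AFFECTED_MAJORS = { react: [19], next: [15, 16] };

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// status: not-affected | patched | vulnerable | prerelease | unknown-branch | unparseable
function assess(pkg, version) {
  const table = FIRST_PATCHED[pkg];
  if (!table) return { pkg, version, status: 'unknown-package' };
  const p = parseVersion(version);
  if (!p) return { pkg, version, status: 'unparseable' };
  if (!AFFECTED_MAJORS[pkg].includes(p.major)) return { pkg, version, status: 'not-affected' };
  // Canary/beta builds: the advisory says to move to a patched stable release.
  if (p.pre) return { pkg, version, status: 'prerelease' };
  const first = table[`${p.major}.${p.minor}`];
  if (first === undefined) return { pkg, version, status: 'unknown-branch' };
  return { pkg, version, status: p.patch >= first ? 'patched' : 'vulnerable' };
}

// Walk a package-lock "packages" map; nested copies such as
// node_modules/some-lib/node_modules/react are assessed too.
function scanLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (name in FIRST_PATCHED && meta && meta.version) {
      findings.push({ path, ...assess(name, meta.version) });
    }
  }
  return findings;
}

// Constructed sample lock (not a real project): a patched top-level react,
// a vulnerable nested react, and a vulnerable next.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/react': { version: '19.2.1' },
    'node_modules/next': { version: '16.0.6' },
    'node_modules/some-ui-kit/node_modules/react': { version: '19.1.1' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanLock(SAMPLE_LOCK)) {
    console.log(`${f.status.padEnd(14)} ${f.pkg}@${f.version}  (${f.path})`);
  }
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json')); the nested-copy walk matters because a UI library can pin its own React under its node_modules and be missed by a top-level check.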
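For the last recommendation, monitoring for unexpected POST traffic to RSC endpoints, the following script (an added example, not Cybereason's or any framework's code) runs a small heuristic over access-log lines. It assumes JSON access-log lines carrying ts (epoch seconds), ip, method, path and status, and assumes the operator supplies the set of application routes that accept RSC server actions; the log lines below are constructed, using documentation (TEST-NET) addresses. Three signals are combined: an action POST from a source that never loaded a page first, a burst of action POSTs from one source inside a short window, and 5xx responses on action POSTs, which is where malformed action metadata tends to surface.

```javascript
// Added example (not Cybereason's or any framework's code): access-log heuristic
// for "unexpected POST traffic to RSC endpoints". Assumed log fields: ts (epoch
// seconds), ip, method, path, status. ACTION_ROUTES is an operator-supplied list
// of app routes that accept RSC server actions (assumed values below).

const ACTION_ROUTES = new Set(['/', '/account', '/checkout']);

// Reasons emitted per flagged POST:
//  no-prior-get  : POST to an action route from a source that never issued a GET
//  post-burst    : more than `burst` action POSTs from one source within `windowSec`
//  server-error  : 5xx on an action POST
function findSuspiciousPosts(lines, { windowSec = 60, burst = 5 } = {}) {
  const events = lines.map((l) => JSON.parse(l)).sort((a, b) => a.ts - b.ts);
  const seenGet = new Set();
  const recentPosts = new Map(); // ip -> timestamps of action POSTs in the window
  const alerts = [];
  for (const e of events) {
    if (e.method === 'GET') { seenGet.add(e.ip); continue; }
    if (e.method !== 'POST' || !ACTION_ROUTES.has(e.path)) continue;
    const reasons = [];
    if (!seenGet.has(e.ip)) reasons.push('no-prior-get');
    if (e.status >= 500) reasons.push('server-error');
    const ts = (recentPosts.get(e.ip) || []).filter((t) => e.ts - t <= windowSec);
    ts.push(e.ts);
    recentPosts.set(e.ip, ts);
    if (ts.length > burst) reasons.push('post-burst');
    if (reasons.length) alerts.push({ ts: e.ts, ip: e.ip, path: e.path, reasons });
  }
  return alerts;
}

// Roll alerts up per source so an analyst sees one line per offending client.
function summarize(alerts) {
  const bySource = {};
  for (const a of alerts) {
    const s = (bySource[a.ip] ||= { posts: 0, reasons: new Set() });
    s.posts += 1;
    a.reasons.forEach((r) => s.reasons.add(r));
  }
  for (const s of Object.values(bySource)) s.reasons = [...s.reasons].sort();
  return bySource;
}

// Constructed sample: a normal browsing client (203.0.113.10) and a client that
// only ever POSTs to an action route, repeatedly, with early 500s (198.51.100.7).
const SAMPLE_LOG = [
  '{"ts":1000,"ip":"203.0.113.10","method":"GET","path":"/","status":200}',
  '{"ts":1005,"ip":"203.0.113.10","method":"POST","path":"/","status":200}',
  '{"ts":2000,"ip":"198.51.100.7","method":"POST","path":"/account","status":500}',
  '{"ts":2001,"ip":"198.51.100.7","method":"POST","path":"/account","status":500}',
  '{"ts":2002,"ip":"198.51.100.7","method":"POST","path":"/account","status":500}',
  '{"ts":2003,"ip":"198.51.100.7","method":"POST","path":"/account","status":200}',
  '{"ts":2004,"ip":"198.51.100.7","method":"POST","path":"/account","status":200}',
  '{"ts":2005,"ip":"198.51.100.7","method":"POST","path":"/account","status":200}',
  '{"ts":2006,"ip":"198.51.100.7","method":"POST","path":"/account","status":200}',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(summarize(findSuspiciousPosts(SAMPLE_LOG)));
}
```

Treat the output as a triage queue, not a verdict: shared egress (NAT, corporate proxies, CDN origin fetches) can produce no-prior-get hits from legitimate users, so tune burst and windowSec to the application's normal traffic before acting on a single source.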
Our team is standing by to answer any questions relating to this vulnerability. Reach us 24x7 at response@cybereason.com.
About the Author
Devon Ackerman, Global Head of DFIR, Cybereason
Devon Ackerman is the Global Head of DFIR at Cybereason. Devon leverages over 15 years of experience in the cybersecurity industry, with a focus on Digital Forensics and Incident Response. He has built, managed, and led large global incident response teams, and has worked hundreds of incident response engagements, including some of the most complex in the world.