Critical React2Shell Vulnerability (CVE-2025-55182) Actively Exploited; Urgent Patch Required

Critical React2Shell Vulnerability (CVE-2025-55182) Under Active Exploitation: Immediate Action Required

A critical security flaw, tracked as CVE-2025-55182 and commonly referred to as React2Shell, has been discovered in React Server Components (RSC), a server-side feature of React, a widely used JavaScript library for building user interfaces. The vulnerability allows unauthenticated remote code execution (RCE): an attacker can run arbitrary code on an affected server without authenticating and without any user interaction. The flaw carries the maximum Common Vulnerability Scoring System (CVSS) score of 10.0, underscoring its critical nature.

Technical Details:

The React2Shell vulnerability stems from insecure deserialization within React Server Components. Specifically, the flaw lies in how React decodes payloads sent to React Server Function endpoints: the deserialization performed on these payloads is not adequately secured, so an attacker can craft a malicious HTTP request that, when deserialized by React, results in remote code execution on the server. This issue affects React Server Components versions 19.0, 19.1.0, 19.1.1, and 19.2.0, including the packages react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Third-party components such as the Vite RSC plugin, the Parcel RSC plugin, and the React Router RSC preview are also impacted. ([cmu.edu](https://www.cmu.edu/iso/news/2025/react2shell-critical-vulnerability.html?utm_source=openai))

Active Exploitation:

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-55182 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. Notably, multiple Chinese state-sponsored threat groups, including Earth Lamia and Jackpot Panda, have been observed exploiting this vulnerability within hours of its public disclosure. These actors have been conducting sophisticated attacks, including credential theft, malware deployment using tools like Cobalt Strike and Sliver, and large-scale cryptomining operations. ([cybernewscentre.com](https://www.cybernewscentre.com/8th-december-cyber-update-critical-react2shell-vulnerability-under-active-exploitation-by-state-sponsored-actors/?utm_source=openai))

Security experts have reported that exploitation is trivial and successful in most default configurations, making this vulnerability particularly dangerous. The widespread adoption of React and frameworks built on it, such as Next.js, amplifies the potential impact, with estimates suggesting that up to 39% of cloud environments contain vulnerable libraries and over 77,000 internet-facing IP addresses remain exposed globally. ([cybernewscentre.com](https://www.cybernewscentre.com/8th-december-cyber-update-critical-react2shell-vulnerability-under-active-exploitation-by-state-sponsored-actors/?utm_source=openai))

Mitigation Measures:

Given the severity and active exploitation of React2Shell, immediate action is imperative. Organizations are advised to:

1. Update React Server Components: Apply the security fixes included in versions 19.0.1, 19.1.2, and 19.2.1 of the affected packages:
– react-server-dom-webpack
– react-server-dom-parcel
– react-server-dom-turbopack

2. Update Affected Frameworks: Ensure that downstream frameworks and bundlers, such as Next.js, React Router, Waku, Parcel, Vite, and RedwoodSDK, are updated to their latest patched versions. ([precedenceresearch.com](https://www.precedenceresearch.com/news/cisa-react-rsc-critical-vulnerability?utm_source=openai))

3. Deploy Web Application Firewalls (WAF): As an interim defense, deploy WAF rules that block exploit attempts while permanent fixes are rolled out. ([radware.com](https://www.radware.com/security/threat-advisories-and-attack-reports/react2shell-a-cvss-10-0-rce-vulnerability-in-react-server-components-cve-2025-55182/?utm_source=openai))

4. Monitor for Suspicious Activity: Review server and application logs for evidence of suspicious PowerShell or shell command execution, particularly commands matching known exploitation patterns. Monitor for outbound connections to known malicious IP addresses associated with this vulnerability. ([rescana.com](https://www.rescana.com/post/react2shell-cve-2025-55182-mass-exploitation-of-react-server-components-and-next-js-threatens-77?utm_source=openai))

5. Implement Runtime Detection Rules: Use tools such as Falco to deploy runtime detection rules that identify and alert on exploitation attempts. ([cyberkendra.com](https://www.cyberkendra.com/2025/12/react2shell-exploited-cisa-issues.html?utm_source=openai))
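As an added example for step 1 (not code from the advisory or the React project), the following Node.js script scans a package-lock.json "packages" map for the three affected packages and flags any version below the fixed releases named above. The sample lockfile is constructed, and the handling of versions the advisory does not list (pre-19 releases, 19.3 and later, prerelease builds) is an assumption noted in the comments.

```javascript
// Added example (not from the advisory or the React project): report vulnerable
// React Server Components packages found in a package-lock.json "packages" map
// (lockfileVersion 2/3). Affected/fixed versions are the ones the advisory lists.
const RSC_PACKAGES = new Set(["react-server-dom-webpack", "react-server-dom-parcel",
  "react-server-dom-turbopack"]);

// First patched release on each affected 19.x minor line, per the advisory.
const FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };

// Parse "19.1.1", "19.0" or "19.2.1-canary-xyz" into numeric parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(v));
  if (!m) return null;
  const patch = m[3] === undefined ? 0 : Number(m[3]);
  return { major: Number(m[1]), minor: Number(m[2]), patch, prerelease: /-/.test(String(v)) };
}

function isVulnerableVersion(version) {
  const p = parseVersion(version);
  if (!p || p.major !== 19) return false;   // only 19.x is listed as affected
  const fixed = FIXED_PATCH[p.minor];
  if (fixed === undefined) return false;    // assumption: later minors (19.3+) carry the fix
  // Assumption (conservative): a prerelease of the fixed patch, e.g. 19.2.1-canary-..., may predate it.
  return p.patch < fixed || (p.patch === fixed && p.prerelease);
}

// Walk the lockfile map; keys may be nested, e.g. "node_modules/next/node_modules/<name>".
function findVulnerableRsc(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = entry.name || path.split("node_modules/").pop();
    if (RSC_PACKAGES.has(name) && isVulnerableVersion(entry.version)) {
      hits.push({ path, name, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile fragment (not a real project's lockfile).
const SAMPLE_LOCK = {
  packages: {
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.1.2" },
    "node_modules/react-server-dom-parcel": { version: "19.0" },
  },
};

for (const h of findVulnerableRsc(SAMPLE_LOCK)) console.log(`VULNERABLE ${h.name}@${h.version} (${h.path})`);
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; nested copies under node_modules/next are reported separately, which matters because step 2 requires the framework's bundled copy to be updated as well.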

CISA Directive:

CISA has mandated that Federal Civilian Executive Branch agencies patch this vulnerability by December 26, 2025. This directive underscores the urgency of addressing this critical flaw to prevent potential compromises. ([cyberkendra.com](https://www.cyberkendra.com/2025/12/react2shell-exploited-cisa-issues.html?utm_source=openai))

Conclusion:

The React2Shell vulnerability represents a significant threat to organizations using React Server Components and related frameworks. The combination of its critical severity, ease of exploitation, and active targeting by sophisticated threat actors calls for immediate and comprehensive remediation. Organizations must prioritize updating affected systems, deploying interim protections, and monitoring for signs of exploitation to safeguard their infrastructure against this widespread threat.