Full Report
The bug, tagged as CVE-2025-55182 and referred to colloquially as React2Shell, was reported to Meta by researcher Lachlan Davidson on November 29 and publicly disclosed on Wednesday, December 3, 2025, when a fix was rolled out.
Analysis Summary
# Vulnerability: React2Shell (CVE-2025-55182) in React Server Components
## CVE Details
- CVE ID: CVE-2025-55182
- CVSS Score: 10.0 (Critical)
- CWE: Not stated in the source article. The flaw the vendor advisory describes (unsafe deserialization of the payload a client sends to a React Server Function endpoint) corresponds to CWE-502, Deserialization of Untrusted Data.
## Affected Systems
- Products: React Server Components, an open-source project created at Meta and now governed by the React Foundation. The affected code ships in the `react-server-dom-webpack`, `react-server-dom-parcel` and `react-server-dom-turbopack` packages and in frameworks that bundle them (Next.js among them). The source article estimates React is used by 6% of all websites, including products from many major firms.
- Versions: The React advisory lists the three `react-server-dom-*` packages at 19.0.0, 19.1.0, 19.1.1 and 19.2.0 as affected, fixed in 19.0.1, 19.1.2 and 19.2.1. Frameworks that bundle these packages shipped their own patched releases; check the framework's advisory, not only the React version.
- Configurations: Any deployment that exposes a React Server Function endpoint, which is the default for applications that use Server Components or Server Actions; the vulnerable code path is reachable by an unauthenticated client.
## Vulnerability Description
The vulnerability, dubbed "React2Shell," resides within the React Server Components implementation. These components do significant "heavy lifting" on the server side, including rendering main page content and interacting with private data (such as billing information) before content reaches the user's client. The source article does not describe the flaw itself. The vendor advisory (see References) describes it as unsafe deserialization of the payload a client sends to a React Server Function endpoint, which lets an unauthenticated attacker execute arbitrary code on the server with a single crafted HTTP request. Because that code runs in the same process that renders pages and reads private data, full server compromise and data theft follow directly, which is consistent with the exploitation observed in the wild.
## Exploitation
- Status: Exploited in the wild (Confirmed active exploitation by China state-nexus threat groups, including Earth Lamia and Jackpot Panda).
- Complexity: Low. A CVSS base score of 10.0 can only be reached with low attack complexity, no privileges and no user interaction. Amazon's researchers observed attackers debugging and refining their exploitation attempts against live targets, consistent with rapid weaponization of public proof-of-concept code.
- Attack Vector: Network. The vulnerable endpoint is part of the application's normal HTTP surface, so any client that can reach the web server can attempt exploitation.
## Impact
- Confidentiality: High. Code execution in the rendering process exposes everything that process can read, including the private data (such as billing information) that Server Components handle before it reaches the client.
- Integrity: High. An attacker who executes code on the server can alter rendered content, application data and the host itself; the 10.0 score and the nation-state interest reflect that.
- Availability: High. A 10.0 base score requires high impact on all three properties, and an attacker with code execution can crash or hijack the server process at will.
## Remediation
### Patches
- Patches were published on Wednesday, December 3, 2025 (following the November 29 report). Upgrade the `react-server-dom-webpack`, `react-server-dom-parcel` or `react-server-dom-turbopack` package to 19.0.1, 19.1.2 or 19.2.1 respectively, and apply the corresponding patched release of any framework (such as Next.js) that bundles these packages. Verify the installed version in the lockfile rather than trusting the declared dependency range, since a nested copy under a framework's `node_modules` can lag behind the top-level one.
### Workarounds
- The source article names no workaround, and the fix ships as a package release rather than a configuration change. Until the upgrade is deployed, treat every internet-reachable application built on an affected `react-server-dom-*` package as exploitable; edge rules that block or rate-limit Server Function POST requests from untrusted networks narrow the window but are not a substitute for patching, given confirmed active exploitation.
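The version check described above, as an added example that is not code from React, the advisory or the source article: it walks an npm lockfile and classifies every copy of the three affected packages against the fixed versions listed in the React advisory. The lockfile contents, the treatment of canary builds and the assumption that 19.3 and later carry the fix are illustrative assumptions.

```javascript
// Added example (not React's or the advisory's own code): classify every
// react-server-dom-* package in an npm lockfile against the CVE-2025-55182 fix.
// Affected: 19.0.0, 19.1.0, 19.1.1, 19.2.0. Fixed: 19.0.1, 19.1.2, 19.2.1
// (from the React advisory). Everything else here is an assumption.

const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// First patched patch-level for each affected 19.x minor line.
const FIRST_FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(String(v));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Returns "vulnerable", "patched", "not-listed" or "unknown".
function classifyVersion(version) {
  const v = parseVersion(version);
  if (!v) return "unknown";
  // Canary/experimental builds are not in the advisory's version list;
  // flag them for manual review instead of guessing. (Assumption.)
  if (v.prerelease) return "unknown";
  if (v.major < 19) return "not-listed";   // advisory lists only 19.x
  if (v.major > 19) return "patched";
  const firstFixed = FIRST_FIXED_PATCH[v.minor];
  if (firstFixed === undefined) return "patched"; // assumption: 19.3+ post-dates the fix
  return v.patch >= firstFixed ? "patched" : "vulnerable";
}

// Walk an npm lockfile (lockfileVersion 2 or 3). `packages` maps
// "node_modules/<name>" (possibly nested under another package) to metadata.
function scanLockfile(lock) {
  const findings = [];
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (!AFFECTED_PACKAGES.has(name)) continue;
    findings.push({ path, name, version: entry.version, status: classifyVersion(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile (not from any real project). It includes a
// nested copy under a framework, which is the one most often missed.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/react-server-dom-parcel": { version: "19.2.0-canary-abc123-20251101" },
  },
};

function main() {
  for (const f of scanLockfile(SAMPLE_LOCK)) {
    console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
  }
}

main();
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; pnpm and yarn lockfiles use different layouts and need their own walker. The scan deliberately inspects every path rather than only top-level entries, because a framework can pin its own nested copy of a `react-server-dom-*` package that the top-level `react` version says nothing about.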
## Detection
- Indicators of Compromise: The source article gives no payload-level indicators. Amazon's researchers report attackers debugging and refining proof-of-concept exploits against live targets, so the observable signal is a burst of unusual POST requests to Server Function endpoints (in Next.js, requests carrying the `Next-Action` header) from clients that never loaded a page, followed by behaviour a render should never produce: child processes spawned by the Node.js server, outbound connections to unfamiliar hosts, or reads of files unrelated to the application.
- Detection methods and tools: Log the `Next-Action` header (or your framework's equivalent) at the reverse proxy so Server Function traffic can be separated from page loads; alert on process execution and unexpected egress from the rendering process; enable any rule your WAF vendor has published for CVE-2025-55182; and consult the threat-intelligence reporting that tracks Earth Lamia and Jackpot Panda for current indicators. CISA added CVE-2025-55182 to its Known Exploited Vulnerabilities (KEV) catalog on December 5, 2025, which sets a remediation deadline for US federal civilian agencies under BOD 22-01.
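The log triage described above, as an added example that is not code from the source article, the React advisory or AWS's research. It assumes a reverse proxy configured to emit JSON lines that include the `Next-Action` header Next.js sends with every Server Function POST; the log lines, field names and thresholds are constructed for illustration.

```javascript
// Added example (not from the source article, the React advisory or AWS):
// heuristic triage of proxy logs for Server Function abuse. Assumes a proxy
// that logs the Next-Action header as JSON lines; all lines below are constructed.

const SAMPLE_LOG = [
  '{"ts":"2025-12-04T10:00:01Z","ip":"198.51.100.7","method":"GET","path":"/account","status":200,"nextAction":null}',
  '{"ts":"2025-12-04T10:00:05Z","ip":"198.51.100.7","method":"POST","path":"/account","status":200,"nextAction":"7f2a9c1e"}',
  '{"ts":"2025-12-04T10:00:09Z","ip":"198.51.100.7","method":"POST","path":"/account","status":200,"nextAction":"7f2a9c1e"}',
  '{"ts":"2025-12-04T10:01:00Z","ip":"203.0.113.9","method":"POST","path":"/","status":200,"nextAction":"00000000"}',
  '{"ts":"2025-12-04T10:01:01Z","ip":"203.0.113.9","method":"POST","path":"/","status":500,"nextAction":"deadbeef"}',
  '{"ts":"2025-12-04T10:01:02Z","ip":"203.0.113.9","method":"POST","path":"/","status":200,"nextAction":"41414141"}',
  '{"ts":"2025-12-04T10:02:30Z","ip":"192.0.2.44","method":"POST","path":"/checkout","status":200,"nextAction":"7f2a9c1e"}',
].join("\n");

// Assumed threshold: a browser only invokes the handful of action IDs compiled
// into the pages it loaded, so many distinct IDs from one client is suspicious.
const THRESHOLDS = { minDistinctActions: 3 };

function parseLog(text) {
  const events = [];
  for (const line of text.split("\n")) {
    const t = line.trim();
    if (!t) continue;
    try { events.push(JSON.parse(t)); } catch { /* skip malformed lines */ }
  }
  return events;
}

// Group per client IP and apply two heuristics:
//  - blindPost: Server Function POSTs from an IP that never loaded a page,
//    i.e. a client driving the endpoint directly rather than via the browser.
//  - actionSpray: many distinct action IDs from one IP, consistent with a tool
//    probing or refining a payload rather than a user clicking buttons.
function triage(events, thresholds = THRESHOLDS) {
  const perIp = new Map();
  for (const e of events) {
    let s = perIp.get(e.ip);
    if (!s) {
      s = { ip: e.ip, pageLoads: 0, actionPosts: 0, actions: new Set(), errors: 0 };
      perIp.set(e.ip, s);
    }
    if (e.method === "GET") s.pageLoads++;
    if (e.method === "POST" && e.nextAction) {
      s.actionPosts++;
      s.actions.add(e.nextAction);
      if (e.status >= 400) s.errors++;
    }
  }
  const findings = [];
  for (const s of perIp.values()) {
    const reasons = [];
    if (s.actionPosts > 0 && s.pageLoads === 0) reasons.push("blindPost");
    if (s.actions.size >= thresholds.minDistinctActions) reasons.push("actionSpray");
    if (reasons.length) {
      findings.push({ ip: s.ip, actionPosts: s.actionPosts, distinctActions: s.actions.size, errors: s.errors, reasons });
    }
  }
  // Most reasons first, so the strongest candidates come out on top.
  return findings.sort((a, b) => b.reasons.length - a.reasons.length);
}

function main() {
  for (const f of triage(parseLog(SAMPLE_LOG))) {
    console.log(`${f.ip}: ${f.reasons.join(", ")} (posts=${f.actionPosts}, actions=${f.distinctActions}, errors=${f.errors})`);
  }
}

main();
```

`blindPost` on its own is a weak signal: a mobile app or API client that calls Server Functions directly looks the same, so treat it as a triage cue and pair it with process-execution and egress telemetry from the rendering host. `actionSpray` is stronger because a browser can only invoke the action IDs compiled into the pages it loaded. Neither heuristic is a signature for the exploit payload, which the page does not describe.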
## References
- Vendor Advisory: [https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- CISA Alert: [https://www.cisa.gov/news-events/alerts/2025/12/05/cisa-adds-one-known-exploited-vulnerability-catalog](https://www.cisa.gov/news-events/alerts/2025/12/05/cisa-adds-one-known-exploited-vulnerability-catalog)
- Amazon Security Observation: [https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/](https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/)