Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday formally added a critical security flaw impacting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild. The vulnerability, CVE-2025-55182 (CVSS score: 10.0), relates to a case of remote code execution that could be triggered by an
Analysis Summary
# Vulnerability: Remote Code Execution in React Server Components (React2Shell)
## CVE Details
- CVE ID: CVE-2025-55182
- CVSS Score: 10.0 (Critical)
- CWE: Not stated in the source (the description implies insecure deserialization)
## Affected Systems
- Products: React Server Components (RSC), react-server package
- Versions: Specific fixed versions are 19.0.1, 19.1.2, and 19.2.1 for the following libraries:
  - `react-server-dom-webpack`
  - `react-server-dom-parcel`
  - `react-server-dom-turbopack`
- Configurations: Systems using React Server Components that rely on the Flight protocol for server-client communication.
- Downstream Dependencies Impacted: Next.js, React Router, Waku, Parcel, Vite, and RedwoodSDK instances utilizing the vulnerable React versions.
## Vulnerability Description
The vulnerability is a critical Remote Code Execution (RCE) flaw stemming from insecure deserialization within the proprietary Flight protocol used by React Server Components (RSC) for communication between the server and client. An unauthenticated and remote attacker can trigger this flaw by sending specially crafted HTTP requests to React Server Function endpoints, leading to the execution of arbitrary commands on the server.
## Exploitation
- Status: Exploited in the wild (Added to CISA KEV catalog)
- Complexity: Low (Can be triggered by an unauthenticated attacker without special setup)
- Attack Vector: Network
## Impact
- Confidentiality: High (Arbitrary command execution allows full system compromise)
- Integrity: High (Arbitrary command execution allows full system compromise)
- Availability: High (Arbitrary command execution can lead to system unavailability)
## Remediation
### Patches
Patches are available in the following fixed versions:
- `react-server-dom-webpack`: Versions 19.0.1, 19.1.2, and 19.2.1 (and later)
- `react-server-dom-parcel`: Versions 19.0.1, 19.1.2, and 19.2.1 (and later)
- `react-server-dom-turbopack`: Versions 19.0.1, 19.1.2, and 19.2.1 (and later)
*Note: Affected downstream frameworks (Next.js, Waku, etc.) must update their React dependencies to these fixed versions.*
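As an added example (not from this advisory, CISA, or the React project), the following Node.js script audits a `package-lock.json` for the three affected packages against the fixed versions listed above. Versions on release lines the advisory does not list (for example 19.3.x, or anything below 19.0) are reported as `unlisted` rather than guessed at, nested copies under a framework's own `node_modules` are included, and the lockfile content is constructed for the demonstration.

```javascript
// Added example: flag react-server-dom-* packages below the advisory's fixed versions.
const AFFECTED_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];

// Fixed versions from the advisory, keyed by their major.minor release line.
const FIXED_BY_LINE = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns "vulnerable", "fixed", "unlisted" (line not covered by the advisory) or "unparseable".
function assessVersion(version) {
  const parsed = parseVersion(version);
  if (!parsed) return "unparseable";
  const fixed = FIXED_BY_LINE[`${parsed[0]}.${parsed[1]}`];
  if (!fixed) return "unlisted";
  return compareVersions(parsed, parseVersion(fixed)) < 0 ? "vulnerable" : "fixed";
}

// Walks the "packages" map of a lockfileVersion 2/3 package-lock.json, whose keys
// are install paths such as "node_modules/next/node_modules/react-server-dom-turbopack".
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!AFFECTED_PACKAGES.includes(name)) continue;
    findings.push({ path, name, version: entry.version, status: assessVersion(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile fragment (not a real project).
const SAMPLE_LOCK = {
  packages: {
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.1.2" },
    "node_modules/react-server-dom-parcel": { version: "19.0.0" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.status}\t${f.version}\t${f.path}`);
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; any `vulnerable` finding means the dependency (including a framework's nested copy) still needs upgrading.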
### Workarounds
No specific immediate workarounds were detailed in the provided context, other than applying patches. Mitigation should prioritize upgrading immediately due to active exploitation.
## Detection
- Indicators of Compromise (IoCs): Reports indicate attackers deployed cryptocurrency miners and executed "cheap math" PowerShell commands to confirm exploitation success, followed by dropping in-memory downloaders for secondary payloads (e.g., SNOWLIGHT).
- Detection Methods and Tools: Monitor network traffic for suspicious requests targeting RSC/Server Function endpoints. Security monitoring tools should focus on identifying the execution of unusual processes (like mining software or PowerShell commands) on application servers utilizing React, particularly following the public disclosure of the flaw.
## References
- CISA Advisory: https://www.cisa.gov/news-events/alerts/2025/12/05/cisa-adds-one-known-exploited-vulnerability-catalog
- Vendor/Research Advisory (Example): https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html
- Research/In-Depth Analysis (Example): https://www.rapid7.com/blog/post/etr-react2shell-cve-2025-55182-critical-unauthenticated-rce-affecting-react-server-components/