Full Report
A critical vulnerability in React Server Components is reported to be under active exploitation by multiple Chinese threat actors; Recorded Future recommends that organizations patch their systems immediately.
Analysis Summary
# Vulnerability: React2Shell - Critical RCE in React Server Components
## CVE Details
- CVE ID: CVE-2025-55182
- CVSS Score: *(Severity not explicitly provided, but described as "Critical")*
- CWE: CWE-502, Deserialization of Untrusted Data (not stated explicitly in the source; the root cause is described as "unsafe payload deserialization")
## Affected Systems
- Products: React Server Components, i.e. the `react-server-dom-*` packages that implement the RSC wire protocol, and the frameworks and bundler integrations that ship them: Next.js, React Router, Waku, Redwood SDK, and the RSC plugins for Parcel and Vite
- Versions: 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of the affected packages
- Configurations: Any deployment that exposes React Server Function (Server Action) endpoints; the request payload is deserialized by the framework before application code runs, so the application's own checks do not help.
## Vulnerability Description
The vulnerability stems from unsafe deserialization of request payloads at React Server Function endpoints within React Server Components. An attacker crafts an HTTP request that mimics a Server Action call; the RSC runtime deserializes the body automatically, and a malicious payload turns that deserialization into arbitrary code execution on the server, which can mean complete compromise of the backend.
## Exploitation
- Status: Exploited in the wild. Reported as actively exploited by multiple Chinese threat actors, including Earth Lamia and Jackpot Panda (see the AWS report under References).
- Complexity: Low. PoC payloads are public, and some analyses report exploitation attempts succeeding at close to 100% against unpatched targets.
- Attack Vector: Network (via crafted HTTP requests).
## Impact
- Confidentiality: High (Arbitrary code execution typically implies potential data exfiltration).
- Integrity: High (Arbitrary code execution allows for system modification).
- Availability: High (Potential for system compromise and denial of service).
## Remediation
### Patches
- 19.0.0: fixed in **19.0.1**
- 19.1.0 and 19.1.1: fixed in **19.1.2**
- 19.2.0: fixed in **19.2.1**
- Update the framework or bundler plugin as well, not only the top-level React packages: it may pin its own copy of the RSC package, and a copy nested under `node_modules/<framework>/node_modules/` stays vulnerable after the hoisted copy is upgraded.
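The following Node script is an added example, not code from the page, from React, or from any framework the page names. It walks a `package-lock.json` (lockfileVersion 2 or 3) and reports every installed copy of the RSC packages with the classification the patch table above gives its version, nested copies included, which `npm audit` alone does not make obvious. The package names `react-server-dom-webpack`, `react-server-dom-parcel` and `react-server-dom-turbopack` are an assumption for the example (the page does not name them); confirm them against the React disclosure under References. Prerelease and canary builds are reported for manual review because the page does not enumerate them.

```javascript
// Added example (not code from the page, React, or any framework it names):
// scan a package-lock.json for React Server Components packages at versions
// the advisory lists as vulnerable, including copies nested under a framework.
// Assumption: the vulnerable code ships in the react-server-dom-* packages
// named below; confirm against the React disclosure linked under References.
const RSC_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];

// First fixed patch level per affected minor, as the Patches list states:
// 19.0.x -> 19.0.1, 19.1.x -> 19.1.2, 19.2.x -> 19.2.1.
const FIRST_FIXED_PATCH = { "19.0": 1, "19.1": 2, "19.2": 1 };

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; null if the string is not plain semver.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Classify a version string against the advisory's table:
//   "vulnerable"  an affected release below its first fixed patch level
//   "fixed"       the fixed patch level, or anything released after the 19.2 line
//   "unaffected"  below 19.0, which the page does not list as affected
//   "review"      a prerelease/canary build; the page does not enumerate these
//   "unparseable" not a semver string (e.g. a dist-tag such as "latest")
function classifyVersion(version) {
  const p = parseVersion(version);
  if (!p) return "unparseable";
  if (p.pre) return "review";
  if (p.major < 19) return "unaffected";
  const key = `${p.major}.${p.minor}`;
  if (!(key in FIRST_FIXED_PATCH)) return "fixed"; // later minor or major than 19.2
  return p.patch < FIRST_FIXED_PATCH[key] ? "vulnerable" : "fixed";
}

// Walk a lockfile object (lockfileVersion 2 or 3, where "packages" keys every
// installed copy by its node_modules path) and report each RSC package copy.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries((lock && lock.packages) || {})) {
    const name = path.split("node_modules/").pop(); // last path segment is the package name
    if (!RSC_PACKAGES.includes(name)) continue;
    findings.push({ path, name, version: entry.version, status: classifyVersion(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile (made up for this example): a hoisted patched copy
// plus an older copy nested under a framework that pins its own version.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/some-rsc-framework": { version: "0.0.0-constructed" },
    "node_modules/some-rsc-framework/node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-parcel": { version: "19.1.1" },
  },
};

// Usage: node rsc-lock-audit.js [path/to/package-lock.json]; with no .json
// argument the constructed sample is audited instead.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv.slice(2).find((a) => a.endsWith(".json"));
  const lock = file ? JSON.parse(require("node:fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) {
    console.log(`${f.status.padEnd(11)} ${f.name}@${f.version}  (${f.path})`);
  }
}
```

On the constructed sample the hoisted `react-server-dom-webpack@19.2.1` is reported as fixed while the nested `19.2.0` copy and the `react-server-dom-parcel@19.1.1` copy are reported as vulnerable; that nested case is exactly what a top-level `npm install react@latest` leaves behind.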
### Workarounds
- Blocklisting the IP addresses observed in exploitation attempts (e.g., 143[.]198[.]92[.]82, 206[.]237[.]3[.]150, 45[.]77[.]33[.]136, 183[.]6[.]80[.]214) blunts the known scanners but is not a mitigation: the addresses are cheap to rotate and the PoC is public, so treat this only as a stopgap while the patch is rolled out.
## Detection
- Indicators of Compromise: HTTP POST requests to RSC or Server Action endpoints whose body is `multipart/form-data` carrying a JSON payload, particularly from the addresses listed under Workarounds; look for these in reverse-proxy and application access logs.
- Detection methods and tools: `npm audit` (not `npm run audit`, which would only run a script of that name from package.json) flags the affected package versions once the advisory is in the registry's advisory database; also check the lockfile for nested copies that a framework pins separately. Assetnote's `react2shell-scanner` can be used to scan publicly accessible assets.
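The script below is an added example, not code from the page, from Recorded Future, or from any tool the page names. It applies the indicators above to structured access-log records: a `multipart/form-data` POST aimed at a server function endpoint, a JSON value inside one of the multipart parts when the proxy logs a body preview, and a source address from the page's IP list. The log format (one JSON object per line with `ts`, `client_ip`, `method`, `path`, `content_type`, `headers` and an optional `body_preview`) is an assumption, as is recognising Server Action calls by the `Next-Action` request header that Next.js sends; other frameworks need a path pattern passed in, since the page only says "RSC endpoints". The IP list is kept defanged as on the page and refanged at load time.

```javascript
// Added example (not code from the page or any tool it names): hunt structured
// access-log records for the indicators the Detection section lists.
// Assumed log format: one JSON object per line with ts, client_ip, method, path,
// content_type, a headers map and, when the proxy logs one, a body_preview.
// The IPs below are the ones the page lists, kept defanged as on the page.
const KNOWN_BAD_IPS_DEFANGED = [
  "143[.]198[.]92[.]82",
  "206[.]237[.]3[.]150",
  "45[.]77[.]33[.]136",
  "183[.]6[.]80[.]214",
];
const KNOWN_BAD_IPS = new Set(KNOWN_BAD_IPS_DEFANGED.map((ip) => ip.replace(/\[\.\]/g, ".")));

// Assumption: a Server Action / server function call is recognised by the
// Next-Action request header (what Next.js sends) or by a path RegExp the
// operator supplies for other frameworks; the page only says "RSC endpoints".
const DEFAULT_OPTIONS = { actionHeader: "next-action", pathPattern: null };

function parseLogLines(text) {
  return text.split("\n").map((l) => l.trim()).filter(Boolean).map((l) => JSON.parse(l));
}

// Part bodies in multipart/form-data follow a blank line; report a part whose
// body begins a JSON value (the "JSON embedded as multipart" indicator).
function jsonPartInMultipart(preview) {
  if (!preview) return false;
  return preview.split(/\r?\n\r?\n/).slice(1).some((body) => /^\s*[\[{]/.test(body));
}

// Return the reasons one record is suspicious (empty array when it is clean).
function assessRecord(rec, options = DEFAULT_OPTIONS) {
  const reasons = [];
  const contentType = (rec.content_type || "").toLowerCase();
  const headers = Object.fromEntries(
    Object.entries(rec.headers || {}).map(([k, v]) => [k.toLowerCase(), v]),
  );
  const targetsServerFunction =
    options.actionHeader in headers ||
    (options.pathPattern ? options.pathPattern.test(rec.path || "") : false);
  if (rec.method === "POST" && contentType.startsWith("multipart/form-data") && targetsServerFunction) {
    reasons.push("multipart/form-data POST to a server function endpoint");
    if (jsonPartInMultipart(rec.body_preview)) reasons.push("JSON value carried inside a multipart part");
  }
  if (KNOWN_BAD_IPS.has(rec.client_ip)) reasons.push("source IP listed in exploitation reports");
  return reasons;
}

// Run over a whole log and return one alert per suspicious record.
function huntReact2Shell(text, options = DEFAULT_OPTIONS) {
  const alerts = [];
  parseLogLines(text).forEach((rec, i) => {
    const reasons = assessRecord(rec, options);
    if (reasons.length) alerts.push({ line: i + 1, ts: rec.ts, client_ip: rec.client_ip, path: rec.path, reasons });
  });
  return alerts;
}

// Constructed sample log (made up for this example; RFC 5737 test addresses for
// the benign clients). Line 3 shows every indicator at once, line 4 a legitimate
// looking file upload through a server action, line 5 a listed IP doing recon.
const SAMPLE_LOG = [
  '{"ts":"2025-12-04T10:01:02Z","client_ip":"203.0.113.7","method":"GET","path":"/","content_type":"","headers":{}}',
  '{"ts":"2025-12-04T10:01:05Z","client_ip":"198.51.100.9","method":"POST","path":"/login","content_type":"application/x-www-form-urlencoded","headers":{}}',
  '{"ts":"2025-12-04T10:02:11Z","client_ip":"143.198.92.82","method":"POST","path":"/","content_type":"multipart/form-data; boundary=b","headers":{"Next-Action":"0123abcd"},"body_preview":"--b\\r\\nContent-Disposition: form-data; name=\\"0\\"\\r\\n\\r\\n{\\"k\\":1}\\r\\n--b--"}',
  '{"ts":"2025-12-04T10:03:40Z","client_ip":"198.51.100.22","method":"POST","path":"/profile","content_type":"multipart/form-data; boundary=b","headers":{"Next-Action":"89abcdef"},"body_preview":"--b\\r\\nContent-Disposition: form-data; name=\\"avatar\\"; filename=\\"a.png\\"\\r\\nContent-Type: image/png\\r\\n\\r\\nPNGDATA\\r\\n--b--"}',
  '{"ts":"2025-12-04T10:05:00Z","client_ip":"45.77.33.136","method":"GET","path":"/robots.txt","content_type":"","headers":{}}',
].join("\n");

// Usage: node react2shell-hunt.js [access.ndjson]; with no log file the sample runs.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv.slice(2).find((a) => /\.(ndjson|jsonl|log)$/.test(a));
  const text = file ? require("node:fs").readFileSync(file, "utf8") : SAMPLE_LOG;
  for (const a of huntReact2Shell(text)) {
    console.log(`line ${a.line} ${a.ts} ${a.client_ip} ${a.path}: ${a.reasons.join("; ")}`);
  }
}
```

Expect noise: any legitimate server action that uploads a file (line 4 of the sample) matches the first indicator on its own, so triage on the combination of reasons, on source addresses new to the environment, and on the JSON-in-multipart signal rather than on multipart POSTs alone.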
## References
- Vendor Advisories: Next.js Advisory: https[:]//github[.]com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp
- Relevant links - defanged:
- AWS Report: https[:]//aws[.]amazon[.]com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
- Datadog Analysis: https[:]//securitylabs[.]datadoghq[.]com/articles/cve-2025-55182-react2shell-remote-code-execution-react-server-components/
- Wiz Analysis: https[:]//www[.]wiz[.]io/blog/critical-vulnerability-in-react-cve-2025-55182
- React Disclosure: https[:]//react[.]dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- Scanner Tool: https[:]//github[.]com/assetnote/react2shell-scanner