Full Report
Cybereason is continuing to investigate. Check the Cybereason blog for additional updates.

**Key Takeaways**
- Critical vulnerability discovered on December 3, 2025 in React that could allow unauthenticated remote code execution.
- Cybereason experts describe this vulnerability as trivial to exploit.
- The issue causes the server to incorrectly trust user-supplied identifiers without verifying them.
- An initial working proof of concept is public and attributed to Chinese threat actors.
- If a server was exposed to the public internet prior to the patch release date (December 3, 2025), investigate for signs of compromise.
- Update to the latest patched versions of React, and review the advisory for additional recommendations.
Analysis Summary
# Vulnerability: React2Shell - Unauthenticated Remote Code Execution in React Server Components
## CVE Details
- CVE ID: CVE-2025-55182
- CVSS Score: 10.0 (Critical)
- CWE: Unspecified (Related to insecure deserialization/input validation)
## Affected Systems
- Products: React Server Components (RSC)
- Versions: React 19.0.0 through 19.2.0. This affects frameworks bundling RSC, including:
  - Next.js versions 15 and 16 (specific patched versions listed in Remediation)
- Configurations: Server-side handling of RSC action metadata when exposed to the public internet.
## Vulnerability Description
A critical vulnerability exists in React's implementation of Server Components (RSC), dubbed "React2Shell," due to unsafe deserialization within the "Flight" protocol. The flaw allows an attacker to supply identifiers that the server incorrectly trusts and fails to verify as valid exported server actions. By abusing this logic via manipulated multipart form submissions mimicking RSC calls, an attacker can hijack module resolution to make the server load internal Node.js modules and execute arbitrary system commands (e.g., using `child_process.execSync`) with the privileges of the server process.
## Exploitation
- Status: PoC available (Initial working proof of concept is public, attributed to Chinese threat actors)
- Complexity: Low ("Trivial to exploit," requires only a crafted HTTP request, no user interaction needed)
- Attack Vector: Network (Remote, over the internet)
## Impact
- Confidentiality: High (Execution of arbitrary code can lead to exfiltration of secrets)
- Integrity: High (Arbitrary code execution allows for modification of system components or creation of persistence mechanisms)
- Availability: High (Can lead to system compromise and deployment of secondary payloads)
## Remediation
### Patches
Update to the latest patched versions:
* **React:** 19.0.1, 19.1.2, or 19.2.1 (or frameworks bundling patched RSC components).
* **Next.js:** Latest patched releases for the corresponding branch (e.g., 15.0.5, 15.1.9, or 16.0.7).
* Apply minor updates for other affected packages (e.g., React Router, Expo/React Native web router, RedwoodJS, Waku, Vite RSC plugin, Parcel RSC).
### Workarounds
- Temporary mitigations such as Web Application Firewall (WAF) rules can reduce immediate exposure but **do not** replace software updates.
## Detection
- **Indicators of Compromise (IoCs):**
  - Malformed RSC action requests observed in logs.
  - Unexpected POST traffic directed towards RSC endpoints.
  - Process execution anomalies on the server, such as the Node.js server process spawning unexpected child processes or system binaries (e.g., via `child_process.execSync`).
- **Detection methods and tools:** Monitor server logs for suspicious HTTP requests targeting RSC APIs. If the server was exposed prior to December 3, 2025, conduct a forensic investigation for signs of compromise.
## References
- Vendor Advisory: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- Cybereason Investigation Updates: Check the Cybereason blog
- PoC Example: https://www.bitdefender.com/en-us/blog/businessinsights/advisory-react2shell-critical-unauthenticated-rce-in-react-cve-2025-55182