Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to patch the recent React2Shell vulnerability by December 12, 2025, amid reports of widespread exploitation. The critical vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), affects the React Server Components (RSC) Flight protocol. The underlying cause of the issue is an unsafe deserialization
Analysis Summary
# Vulnerability: React2Shell Unsafe Deserialization in RSC Protocol
## CVE Details
- CVE ID: CVE-2025-55182
- CVSS Score: 10.0 (Critical)
- CWE: Unsafe Deserialization (Implicit)
## Affected Systems
- Products: React Server Components (RSC) Flight protocol implementations, including Next.js, Waku, Vite, React Router, and RedwoodSDK.
- Versions: Not listed explicitly in the source; any version that uses the vulnerable RSC Flight protocol implementation should be treated as affected.
- Configurations: Internet-facing applications utilizing the affected services.
## Vulnerability Description
The vulnerability stems from an unsafe deserialization flaw within the React Server Components (RSC) Flight protocol. This flaw allows an unauthenticated, remote attacker to inject and execute malicious logic on the server in a privileged context by sending a single, specially crafted HTTP request.
## Exploitation
- Status: Exploited in the wild
- Complexity: Low (No authentication, user interaction, or elevated permissions required)
- Attack Vector: Network
## Impact
- Confidentiality: High (Arbitrary code execution can lead to data exfiltration)
- Integrity: High (Arbitrary code execution allows modification or destruction of data/system state)
- Availability: High (Attackers have dropped malware like Mirai/Gafgyt and cryptocurrency miners, leading to service disruption)
## Remediation
### Patches
- Developers should apply patches released by the respective maintainers (React, Next.js, etc.) addressing CVE-2025-55182. CISA has mandated patching for federal agencies by **December 12, 2025**.
### Workarounds
- No specific official workarounds were provided in the context, but restrictive network segmentation and Web Application Firewall (WAF) rules blocking uncommon request patterns may offer temporary risk reduction while patching is underway.
## Detection
- Indicators of Compromise (IoCs): Observations include initial probing commands such as `whoami`, followed by deployment of malware such as Mirai/Gafgyt variants and RondoDox, as well as cryptocurrency miners.
- Detection Methods and Tools: Monitor network traffic for unusually structured requests targeting the RSC Flight endpoint. Scrutinize server process execution and external network connections originating from web servers.
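As an added example (not from this report or any of the cited vendors), the following Python check runs over constructed process-execution audit lines and flags the behaviour the Detection section describes: a web-server process spawning a shell or the `whoami` probe. The log line format, the process names and the sample lines are assumptions.

```python
import re

# Constructed sample of process-execution audit lines (not taken from the report).
# Assumed format: "<ts> host=<h> ppid_comm=<parent> comm=<child> args=<argv>"
SAMPLE_LOG = """\
2025-12-06T10:00:01Z host=web01 ppid_comm=node comm=node args=node server.js
2025-12-06T10:00:03Z host=web01 ppid_comm=node comm=sh args=sh -c whoami
2025-12-06T10:00:04Z host=web01 ppid_comm=sh comm=whoami args=whoami
2025-12-06T10:00:09Z host=web01 ppid_comm=node comm=sh args=sh -c id
2025-12-06T10:05:00Z host=web02 ppid_comm=systemd comm=cron args=cron -f
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) ppid_comm=(?P<parent>\S+) "
    r"comm=(?P<comm>\S+) args=(?P<args>.*)$"
)

# Assumed process names for the React/Next.js runtime serving the RSC endpoint.
WEB_SERVER_PROCS = {"node", "next-server"}
SHELLS = {"sh", "bash", "dash"}
RECON = {"whoami"}  # probing command named in the report


def parse_line(line):
    """Return the fields of one audit line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def suspicious(ev):
    """An RSC application server has no reason to spawn a shell or a recon binary."""
    return ev["parent"] in WEB_SERVER_PROCS and (ev["comm"] in SHELLS or ev["comm"] in RECON)


def scan(log_text):
    """Return (timestamp, host, child process, argv) for every suspicious event."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and suspicious(ev):
            alerts.append((ev["ts"], ev["host"], ev["comm"], ev["args"]))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT:", alert)
```

The same rule can be fed from auditd or EDR process telemetry; the direct `whoami` child of `sh` is not flagged on its own, so in production the lineage should be walked back to the web-server ancestor rather than only the immediate parent.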
## References
- CISA Known Exploited Vulnerabilities Catalog Update (Look for CVE-2025-55182)
- Cloudflare Threat Brief on React2Shell: hXXps://blog.cloudflare.com/react2shell-rsc-vulnerabilities-exploitation-threat-brief/
- Wiz Analysis: hXXps://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive/
- Kaspersky Analysis: hXXps://securelist.com/cve-2025-55182-exploitation/118331/