React Remote Code Execution Vulnerability

Last Update Date: 12 Dec 2025 Release Date: 4 Dec 2025

RISK: Extremely High Risk

TYPE: Servers - Other Servers

A vulnerability has been identified in React. A remote attacker could exploit this vulnerability to trigger remote code execution on the targeted system.

 

Note:

CVE-2025-55182, commonly known as React2Shell, is being exploited in the wild. Meta React Server Components contains a vulnerability that allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.

[Updated on 2025-12-05]

Updated Description and Risk Level. Proof of Concept exploit code is publicly available for CVE-2025-55182. Hence, the risk level is raised from Medium Risk to High Risk.

[Updated on 2025-12-08]

Updated Description, Risk Level and Related Links. CVE-2025-55182 is being exploited in the wild. Hence, the risk level is raised from High Risk to Extremely High Risk.

[Updated on 2025-12-12]

Updated Description.


Impact

  • Remote Code Execution

System / Technologies affected

For affected versions of React:

  • The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:

    • react-server-dom-webpack
    • react-server-dom-parcel
    • react-server-dom-turbopack
  • Affected frameworks and bundlers: Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.

For details, please refer to the link below:

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
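
One way to check a project against the package list above, as an added example (not code from this advisory or from the React project): it walks a parsed npm `package-lock.json` and reports the three `react-server-dom-*` packages at the listed versions, plus any of the named frameworks for manual review. The function names and the sample lockfile are constructed for illustration, and "19.0" is assumed to mean npm version 19.0.0.

```javascript
// Added example: package names and versions are those listed in this advisory.
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack",
]);
// Assumption: the advisory's "19.0" is read as npm version 19.0.0.
const AFFECTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
// The advisory gives no version ranges for these, so they are only flagged for review.
const FRAMEWORKS = new Set([
  "next", "react-router", "waku", "@parcel/rsc", "@vitejs/plugin-rsc", "rwsdk",
]);

// Yield {name, version, path} for each installed package in a parsed
// package-lock.json: lockfileVersion 2/3 ("packages") or 1 ("dependencies").
function* installedPackages(lock) {
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const i = path.lastIndexOf("node_modules/");
      if (i === -1) continue; // root project or workspace folder entry
      yield { name: path.slice(i + "node_modules/".length), version: meta.version, path };
    }
    return;
  }
  yield* walkV1(lock.dependencies, "");
}
// lockfileVersion 1 nests transitive copies under each entry's "dependencies".
function* walkV1(deps, prefix) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    yield { name, version: meta.version, path };
    yield* walkV1(meta.dependencies, `${path}/`);
  }
}
function auditLockfile(lock) {
  const affected = [], review = [];
  for (const pkg of installedPackages(lock)) {
    if (RSC_PACKAGES.has(pkg.name) && AFFECTED_VERSIONS.has(pkg.version)) affected.push(pkg);
    else if (FRAMEWORKS.has(pkg.name)) review.push(pkg);
  }
  return { affected, review };
}

// Constructed sample lockfile; "0.0.0-constructed" is a placeholder version.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/react": { version: "19.1.0" },
  "node_modules/react-server-dom-webpack": { version: "19.2.0" },
  "node_modules/@vitejs/plugin-rsc": { version: "0.0.0-constructed" },
  "node_modules/@vitejs/plugin-rsc/node_modules/react-server-dom-webpack": { version: "19.1.1" },
} };
console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Pass the result of `JSON.parse` on a real `package-lock.json` to `auditLockfile`. Frameworks that include the React packages in their own distribution may not produce a `react-server-dom-*` entry in the lockfile, which is why they are reported separately.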


Solutions

Before installation of the software, please visit the vendor website for more details.

Apply fixes issued by the vendor:


Vulnerability Identifier


Source


Related Link