_________________________/\\\\\\\\\\\______________________________________________________________________________________________________________________________________ _______________________/\\\/////////\\\____________________________________________________________________________________________________________________________________ ______________________\//\\\______\///____________________________________________________________/\\\_____/\\\_________/\\\__/\\\_________________________________________ _______________________\////\\\_____________/\\\\\\\\______/\\\\\\\\__/\\\____/\\\__/\\/\\\\\\\__\///___/\\\\\\\\\\\___\//\\\/\\\__________________________________________ __________________________\////\\\________/\\\/////\\\___/\\\//////__\/\\\___\/\\\_\/\\\/////\\\__/\\\_\////\\\////_____\//\\\\\___________________________________________ _____________________________\////\\\____/\\\\\\\\\\\___/\\\_________\/\\\___\/\\\_\/\\\___\///__\/\\\____\/\\\__________\//\\\____________________________________________ ______________________/\\\______\//\\\__\//\\///////___\//\\\________\/\\\___\/\\\_\/\\\_________\/\\\____\/\\\_/\\___/\\_/\\\_____________________________________________ _____________________\///\\\\\\\\\\\/____\//\\\\\\\\\\__\///\\\\\\\\_\//\\\\\\\\\__\/\\\_________\/\\\____\//\\\\\___\//\\\\/______________________________________________ _______________________\///////////_______\//////////_____\////////___\/////////___\///__________\///______\/////_____\////________________________________________________ _____________________________________________/\\\\\\\\\\\__________________/\\\_______________________________________________________________________________________________________ ___________________________________________/\\\/////////\\\_______________\/\\\_______________________________________________________________________________________________________ 
__________________________________________\//\\\______\///________________\/\\\_________________________/\\\_______________________________________/\\\_______________________________ ___________________________________________\////\\\__________/\\\____/\\\_\/\\\_________/\\\\\\\\\\__/\\\\\\\\\\\__/\\/\\\\\\\___/\\\\\\\\\_____/\\\\\\\\\\\_____/\\\\\\\\____________ ______________________________________________\////\\\______\/\\\___\/\\\_\/\\\\\\\\\__\/\\\//////__\////\\\////__\/\\\/////\\\_\////////\\\___\////\\\////____/\\\/////\\\___________ _________________________________________________\////\\\___\/\\\___\/\\\_\/\\\////\\\_\/\\\\\\\\\\____\/\\\______\/\\\___\///____/\\\\\\\\\\_____\/\\\_______/\\\\\\\\\\\____________ __________________________________________/\\\______\//\\\__\/\\\___\/\\\_\/\\\__\/\\\_\////////\\\____\/\\\_/\\__\/\\\__________/\\\/////\\\_____\/\\\_/\\__\//\\///////_____________ _________________________________________\///\\\\\\\\\\\/___\//\\\\\\\\\__\/\\\\\\\\\___/\\\\\\\\\\____\//\\\\\___\/\\\_________\//\\\\\\\\/\\____\//\\\\\____\//\\\\\\\\\\___________ ___________________________________________\///////////______\/////////___\/////////___\//////////______\/////____\///___________\////////\//______\/////______\//////////____________

CVE-2025-55182: Critical React Server Components Vulnerability Enables Pre-Authentication Remote Code Execution

CVE ID: CVE-2025-55182

Severity: CRITICAL | CVSS Score: 10.0

Attack Vector: Network | Authentication Required: None

Sources: 5 different security sources reporting active exploitation

Let Me Explain What Happened

Sit down for a moment, because this is one of those situations where we need to talk seriously. On December 3, 2025, the React team disclosed a vulnerability that's about as bad as they come: a perfect 10.0 on the CVSS scale. If you're running React Server Components through the react-server-dom-webpack, react-server-dom-turbopack or react-server-dom-parcel packages at versions 19.0.0 through 19.2.0, an attacker can execute code on your server without logging in first. Think of it like someone walking right into your house, not through a picked lock, but because the door was designed to open for anyone who knocked in a particular way.

What makes this particularly concerning is that exploitation began almost immediately after disclosure, and by mid-December, CISA added it to their Known Exploited Vulnerabilities catalog. When CISA does that, it means federal agencies have a hard deadline to patch—and you should treat it with the same urgency.

A Bit More Detail

The vulnerability, nicknamed "React2Shell" by the security community, sits in the Flight protocol that React Server Components use to move data between client and server. The problem is deserialization: when a Server Function request arrives, the server decodes the request body back into JavaScript values it can hand to your function. That decoder doesn't adequately validate what it's reconstructing, so anyone who can send the request can craft a body that, once decoded, ends in arbitrary code execution on the server. No login is involved; the request only has to reach the endpoint.

This affects three specific packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. If you're using Next.js, note that it has a related vulnerability tracked separately as CVE-2025-66478. Next.js ships its own bundled copy of the react-server-dom packages, so bumping the React packages in your own package.json does not fix a Next.js app; you need the patched Next.js release as well.

The Technical Specifics

  • Attack Vector: Network (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  • Attack Complexity: Low—no special conditions needed
  • Privileges Required: None—pre-authentication exploitation
  • User Interaction: None required
  • Scope: Changed—can affect resources beyond the vulnerable component
  • Impact: Complete compromise of confidentiality, integrity, and availability
  • CWE Classification: CWE-502 (Deserialization of Untrusted Data)
  • Affected Versions: react-server-dom-webpack, react-server-dom-turbopack and react-server-dom-parcel at 19.0.0, 19.1.0, 19.1.1, and 19.2.0 (the React advisory lists 19.0.1, 19.1.2 and 19.2.1 as the fixed releases)
  • Vulnerable Endpoints: any route that accepts and decodes a Server Function request body. The vulnerable decoding runs on the request before your own function is resolved, so defining few or no Server Functions yourself is not a safe assumption.

The Timeline of Events

Let me walk you through how this unfolded, because the speed matters here:

  • December 3, 2025: React team publicly disclosed CVE-2025-55182 and released patches
  • December 8, 2025: Dark Reading reported that exploitation activity was ramping up significantly
  • December 12, 2025: Multiple developments occurred:
    • CISA added the vulnerability to their Known Exploited Vulnerabilities catalog
    • CISA set a December 12 deadline for federal agencies to patch
    • The Hacker News reported large-scale global attacks were underway
    • Palo Alto's Unit 42 published detailed exploitation analysis
    • Researchers discovered additional related vulnerabilities enabling DoS and source code exposure
    • Dark Reading found proof-of-concept exploits containing WAF bypass techniques
  • December 15, 2025: SANS ISC reported that exploit payloads remained highly active
  • December 17, 2025: Cisco Talos issued their security advisory

According to AWS Security, China-nexus cyber threat groups were among those rapidly exploiting this vulnerability, demonstrating that sophisticated actors moved quickly to weaponize it.

What's Actually Happening in the Wild

Here's what we're seeing from the security community's observations. SANS ISC noted that by mid-December, any servers vulnerable to "plain" exploit attempts had likely already been compromised multiple times. That's a sobering thought—it means attackers were moving fast and hitting the same targets repeatedly.

Dark Reading's research uncovered something particularly concerning: some proof-of-concept exploits circulating online include bypasses for web application firewall (WAF) rules. This means that even if you thought your WAF was protecting you, attackers may have found ways around those protections.

The Hacker News also reported that while the security community was analyzing the initial patches, they discovered two additional vulnerability types in React Server Components that could lead to denial-of-service attacks or source code exposure. The React team has since released fixes for these as well.

What You Should Do About This

Let me give you a clear action plan, broken down by urgency:

  • Immediate Actions (Do This Today):
    • Identify exposure: Determine whether any install of react-server-dom-parcel, react-server-dom-turbopack or react-server-dom-webpack is at 19.0.0, 19.1.0, 19.1.1, or 19.2.0. Check your lockfile and node_modules rather than just package.json, and include nested copies: a framework dependency can pull in its own copy of these packages alongside the one you declare.
    • Assume compromise: If you're running vulnerable versions and they're internet-facing, treat them as potentially compromised. Begin incident response procedures.
    • Implement temporary mitigations: If you cannot patch immediately, block external access to Server Function endpoints at the firewall or WAF while you prepare to patch. Be aware that in Next.js a Server Action request is a POST to an ordinary page URL, distinguished by its Next-Action request header rather than by a dedicated path, so a path-based block alone won't catch it; match on method plus header. Treat this as a stopgap, not a fix.
    • Review logs: Look for unusual HTTP requests to Server Function endpoints, particularly those with suspicious payloads or unexpected deserialization patterns.
  • Short-Term Actions (This Week):
    • Apply patches: Upgrade to the patched versions released by the React team on December 3, 2025: 19.0.1, 19.1.2 or 19.2.1, matching whichever minor line you're on. The official React security advisory at react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components is the authoritative source for version details.
    • Test thoroughly: Before deploying patches to production, test them in a staging environment. While this is critical, don't let testing delay you more than absolutely necessary given the active exploitation.
    • Check Next.js separately: If you're using Next.js, address CVE-2025-66478 as well. Because Next.js bundles its own copy of the react-server-dom packages, the fix is an upgrade to a patched Next.js release, not just a React package bump; consult the Next.js advisory for the patched versions on your release line.
    • Update WAF rules: Given that bypass techniques are circulating, review and update your WAF rules. However, don't rely on WAF protection alone—patching is essential.
  • Long-Term Actions:
    • Implement monitoring: Set up alerts for unusual activity on Server Function endpoints, including unexpected deserialization attempts or anomalous payload patterns.
    • Review architecture: Consider whether all your Server Function endpoints need to be internet-facing, or if some could be placed behind additional authentication layers.
    • Establish patch management: This vulnerability demonstrates how quickly exploitation can begin after disclosure. Ensure you have processes to rapidly deploy critical security updates.
    • Security testing: Include deserialization vulnerability testing in your regular security assessments, as CWE-502 issues remain a common attack vector.

Detection and Hunting Guidance

If you're a security analyst or incident responder, here's what to look for:

  • Network indicators: HTTP POST requests to Server Function endpoints with unusual or obfuscated payloads
  • Log analysis: Look for deserialization errors, unexpected code execution patterns, or server processes spawning unusual child processes
  • Behavioral indicators: Outbound connections from React server processes to unexpected external IPs, particularly if they occur shortly after receiving HTTP requests
  • File system changes: New files created in web directories, modified server components, or unexpected binaries appearing on systems running React Server Components

SANS ISC has been tracking exploit payloads, so monitoring their daily diary entries can help you understand what current attack patterns look like.

Understanding the Broader Context

This vulnerability falls into the MITRE ATT&CK framework under several techniques, primarily T1190 (Exploit Public-Facing Application) for initial access, and T1059 (Command and Scripting Interpreter) for execution. The deserialization flaw (CWE-502) is a well-understood vulnerability class that continues to appear in modern applications, despite being a known risk for years.

What makes this particular instance so severe is the combination of factors: no authentication required, low attack complexity, network accessibility, and complete system compromise potential. The CVSS score of 10.0 is rare and reserved for vulnerabilities that represent the worst-case scenario—and this qualifies.

A Word of Encouragement

I know this seems overwhelming, especially if you're discovering you have vulnerable systems. Take a breath. The security community has rallied around this issue quickly, providing clear guidance and patches. You have the information you need to address this, and you're not alone—organizations worldwide are working through the same process.

Focus on the immediate steps first: identify your exposure, patch what you can, and monitor what you can't patch immediately. Then work through the longer-term improvements. You've got this.

Note: This security intelligence synthesis is based on multiple authoritative sources and represents the situation as of December 17, 2025. The threat landscape evolves rapidly—always verify current patch availability and test updates in your specific environment before widespread deployment. When in doubt, consult the official React security advisory for the most up-to-date guidance.
