
CVE-2025-55182

CVE-2025-55182, also known as React2Shell, is a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components (RSC). The flaw lies in how the React Flight serialization/deserialization protocol handles input sent to Server Function endpoints, enabling attackers to run arbitrary code on server-side applications and frameworks that rely on these components. The vulnerability is present in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages.

Impact

Exploitation of this vulnerability allows unauthenticated attackers to execute arbitrary code on affected servers by sending crafted HTTP requests to Server Function endpoints. This can lead to full compromise of the server process, unauthorized access to environment variables and sensitive application data, and deployment of follow-on malicious payloads. Because React and the frameworks and bundlers built on it, including Next.js, are so widely used, the real-world impact is significant and affects many cloud-hosted environments. CVE-2025-55182 has been added to CISA’s Known Exploited Vulnerabilities Catalog, underscoring the urgency of patching.

Next Steps

React maintainers and affected framework vendors have released patches that resolve the unsafe deserialization issue in Server Function handling. Upgrade the vulnerable React packages (react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack) to one of the fixed versions published by the React team: 19.0.1, 19.1.2, or 19.2.1. Frameworks and build systems that depend on these packages must also be updated to their corresponding patched versions that include the fixed RSC runtime; known patched Next.js releases include 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7. After updating dependencies to these fixed versions, rebuild and redeploy all affected applications and services to ensure the vulnerability is fully remediated.
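As an added check (not part of this advisory or of the React project), the following Node script walks an npm package-lock.json and reports every copy of the three affected packages, including transitive copies nested under a dependency such as next/, together with the fixed release for its minor line. It assumes a lockfile v2/v3 `packages` map; the sample lockfile is constructed for the demonstration.

```javascript
// Scan an npm package-lock.json ("packages" map, lockfile v2/v3) for the RSC
// packages affected by CVE-2025-55182. Names and versions are from the advisory
// above; the sample lockfile below is constructed for this added example.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack",
]);
// Vulnerable versions named in the advisory, and the fixed release per minor line.
const AFFECTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const FIXED_BY_MINOR = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
// Lockfile keys look like "node_modules/foo" or, for a nested copy installed
// under a dependency, "node_modules/next/node_modules/foo"; the package name
// is whatever follows the last "node_modules/" (scoped names keep "@scope/").
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Returns one finding per copy of an affected package, nested copies included,
// so a patched top-level install does not hide a vulnerable transitive copy.
function findVulnerableRsc(lockfile) {
  const findings = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromKey(key);
    if (!AFFECTED_PACKAGES.has(name) || !entry.version) continue;
    const minor = entry.version.split(".").slice(0, 2).join(".");
    findings.push({
      path: key,
      name,
      version: entry.version,
      vulnerable: AFFECTED_VERSIONS.has(entry.version),
      fixedVersion: FIXED_BY_MINOR[minor] || null,
    });
  }
  return findings;
}
// Constructed sample: the direct dependency is patched, but a transitive copy
// under next/ is still on a vulnerable release.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.0" },
  },
};
for (const f of findVulnerableRsc(SAMPLE_LOCKFILE)) {
  console.log(`${f.path}@${f.version}: ${f.vulnerable ? `vulnerable, upgrade to ${f.fixedVersion}` : "patched"}`);
}
```

Point the script at a real lockfile by replacing SAMPLE_LOCKFILE with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a version outside the advisory's list is reported as not vulnerable, so verify such cases against the React release notes.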