CVE-2025-55182: Frequently Asked Questions About React2Shell: React Server Components Remote Code Execution Vulnerability
A maximum severity vulnerability (CVSS 10) was discovered in React, one of the most popular JavaScript frameworks. If your app supports React Server Components, you are likely vulnerable out of the box, even if you aren’t using Server Functions explicitly. Patch immediately.
Background
Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding React2Shell, a critical vulnerability in React Server Components.
FAQ
What is the React Server Component (RSC) vulnerability?
On December 3, 2025, the React Team published a blog post regarding a critical vulnerability affecting React Server Components.
What is the vulnerability that was disclosed to the React Team?
The React Team confirmed the presence of one critical vulnerability:
| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2025-55182 | React Server Components Remote Code Execution Vulnerability | 10.0 |
This vulnerability was disclosed to the React Team by Lachlan Davidson on November 29, 2025.
What is CVE-2025-55182?
CVE-2025-55182 is an unsafe deserialization vulnerability in RSC. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted payload to a vulnerable React Server Function endpoint. Successful exploitation could result in remote code execution on the server.
Are we still vulnerable if our app doesn’t use React Server Functions endpoints?
Potentially. According to the React Team, even if React Server Functions are not in-use, the vulnerability is still exploitable if React Server Components are supported.
What is React2Shell?
“React2Shell” is the name given to CVE-2025-55182 by a security researcher, a nod to the Log4Shell vulnerability.
Logo created by Tenable Research Special Operations, inspired by the iconic Log4Shell logo.
Is there a proof-of-concept (PoC) available for this vulnerability?
At the time this blog post was published on December 3, there were no confirmed public PoC exploits for CVE-2025-55182 that work against default configurations.
What React Server Components are vulnerable?
The following components have been confirmed to be vulnerable:
| Affected Component | Affected Versions |
|---|---|
| react-server-dom-parcel | 19.0, 19.1.0, 19.1.1, 19.2.0 |
| react-server-dom-turbopack | 19.0, 19.1.0, 19.1.1, 19.2.0 |
| react-server-dom-webpack | 19.0, 19.1.0, 19.1.1, 19.2.0 |
However, other frameworks that bundle React are impacted as well including Next.js, React Router, Expo, Redwood SDK, Waku and more.
Did Next.js publish their own advisory and CVE?
Yes, the Next.js team published a security advisory and their own CVE, CVE-2025-66478. However, the National Vulnerability Database (NVD) rejected this CVE as a duplicate of CVE-2025-55182.
What Next.js versions are affected?
Affected versions of Next.js that use the App Router are vulnerable, including:
| Affected Next.js versions |
|---|
| 15.0.4 and below |
| 15.1.8 and below |
| 15.2.5 and below |
| 15.3.5 and below |
| 15.4.7 and below |
| 15.5.6 and below |
| 16.0.6 and below |
| 14.3.0-canary.77 and later releases |
How severe is this vulnerability?
It has the potential to be very severe. In 2024, according to the State of JavaScript, an annual developer survey of the JavaScript ecosystem, React was used by 82% of respondents.
What adds to the elevated severity is the fact that exploitation can occur in apps that support React Server Components, even if the React Server Function endpoints are not in use.
Has CVE-2025-55182 been exploited in the wild?
As of December 3, there have been no confirmed reports of in-the-wild exploitation for CVE-2025-55182. However, there are some unconfirmed reports of exploitation circulating. The RSO team is monitoring for further confirmation and will update this section accordingly.
Are patches or mitigations available for CVE-2025-55182?
Yes, the React Team published the following fixed versions of React Server Components:
| React Server Component | Fixed Versions |
|---|---|
| react-server-dom-parcel | 19.0.1, 19.1.2, 19.2.1 |
| react-server-dom-turbopack | 19.0.1, 19.1.2, 19.2.1 |
| react-server-dom-webpack | 19.0.1, 19.1.2, 19.2.1 |
The following are fixed versions of Next.js:
| Fixed Next.js versions |
|---|
| 15.0.5 |
| 15.1.9 |
| 15.2.6 |
| 15.3.6 |
| 15.4.8 |
| 15.5.7 |
| 16.0.7 |
For additional update instructions for React Router, Expo, Redwood SDK, Waku and others, please visit the React Team’s blog.
Has Tenable released any product coverage for these vulnerabilities?
A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages as they’re released:
This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Tenable Cloud Security customers can scan for the React2Shell vulnerability across your cloud workloads and docker images detected in your cloud environments:
Get more information
- React Team: Critical Security Vulnerability in React Server Components
- Next.js: Security Advisory: CVE-2025-66478
- Facebook Security Advisory: CVE-2025-55182
Join Tenable's Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Satnam Narang
Senior Staff Research Engineer, Security Response
Satnam joined Tenable in 2018. He has over 15 years experience in the industry (M86 Security and Symantec). He contributed to the Anti-Phishing Working Group, helped develop a Social Networking Guide for the National Cyber Security Alliance, uncovered a huge spam botnet on Twitter and was the first to report on spam bots on Tinder. He's appeared on NBC Nightly News, Entertainment Tonight, Bloomberg West, and the Why Oh Why podcast.
Interests outside of work: Satnam writes poetry and makes hip-hop music. He enjoys live music, spending time with his three nieces, football and basketball, Bollywood movies and music and Grogu (Baby Yoda).
Related articles
Exposure Management Vs. Siloed Security Tools: 4 Ways to Supercharge Your Strategy — and Your Career
Adding more tools to your vulnerability management program only adds noise and expense without solving your biggest challenges. With an exposure management platform, you can address your current needs without straining your budget — and boost your career by demonstrating your skills in the process…
Reinvigorating Federal Cybersecurity Post Shutdown: Tenable Supports the Cybersecurity Coalition’s Call to Action
The end of the U.S. federal shutdown is a pivotal moment to rebuild and accelerate national cybersecurity. Tenable supports the Cybersecurity Coalition's four-point plan for modernized defenses, renewed legislation, unified leadership, and revitalized collaboration.
Agentic AI Security: Keep Your Cyber Hygiene Failures from Becoming a Global Breach
The Claude Code weaponization reveals the true threat: The democratization and orchestration of existing attack capabilities. It proves that neglecting fundamental cyber hygiene allows malicious AI to execute massive-scale attacks with unprecedented speed and low skill.
- Exposure Management
- Tenable Vulnerability Management
- Vulnerability Management
Contact our sales team