CVE-2025-55182 "React2Shell": React Server Components RCE
Unauthenticated Remote Code Execution — Log4Shell-level severity
Weaponized by Chinese APT groups within 6 hours of disclosure
Active State-Sponsored Exploitation
Chinese APT groups weaponized this vulnerability within hours of public disclosure
Threat Intelligence
Real-world exploitation observed by AWS and major security firms
How Bad Is This?
Comparing CVE-2025-55182 to the most infamous vulnerabilities in recent history
This is Log4Shell-level bad
Maximum CVSS score, unauthenticated RCE, and faster weaponization than Log4Shell. State actors exploited it in under 6 hours — the fastest we've seen for a JavaScript vulnerability.
How the Attack Works
CVE-2025-55182 exploits a flaw in how React Server Components decode incoming payloads, allowing attackers to execute arbitrary code on your server without any authentication.
Payload Construction
Attacker crafts a malicious RSC payload containing serialized JavaScript code
Server Processing
The payload is sent to a React Server Function endpoint for processing
Unsafe Decoding
React's payload decoder unsafely deserializes the malicious content
Remote Code Execution
Arbitrary code executes on the server with full system privileges
Technical Details
Affected Packages & Frameworks
Check if your project uses any of the vulnerable versions below
Vulnerable vs Patched Code
A simplified comparison showing the core vulnerability and how it was fixed
// Vulnerable payload decoding in react-server-dom-*
// This is a simplified representation of the vulnerability
function decodePayload(payload) {
  // ❌ VULNERABLE: Unsafely deserializes incoming data
  // The decoder doesn't properly validate the payload structure
  // before processing serialized function references
  const decoded = parseRSCPayload(payload);
  // Attacker can inject malicious code through
  // specially crafted server function references
  if (decoded.type === 'function') {
    // This executes attacker-controlled code!
    return eval(decoded.body); // RCE vulnerability
  }
  return decoded;
}

// Attack payload example (DO NOT USE)
const maliciousPayload = {
  type: 'function',
  body: 'require("child_process").execSync("whoami")'
};

// Patched payload decoding in react-server-dom-*
// Fixed versions: 19.0.1, 19.1.2, 19.2.1
function decodePayload(payload) {
  // ✅ PATCHED: Validates payload structure before processing
  const decoded = parseRSCPayload(payload);
  // Strict validation of function references
  if (decoded.type === 'function') {
    // Verify function is in the allowed manifest
    if (!isRegisteredServerFunction(decoded.id)) {
      throw new SecurityError(
        'Invalid server function reference'
      );
    }
    // Only call pre-registered, validated functions
    return registeredFunctions.get(decoded.id);
  }
  return decoded;
}
// Server functions must be explicitly registered
// during build time - no dynamic execution allowed

Key Security Changes
- Strict validation of all incoming payload structures
- Server functions must be pre-registered during build time
- No dynamic code execution from untrusted payloads
- Function references verified against allowed manifest
Attack Demonstration
See how an attacker can exploit CVE-2025-55182 to gain complete server access
$ cat malicious_payload.json
{
  "type": "server_function",
  "id": "__malicious__",
  "args": [],
  "$$typeof": "react.server.reference",
  "body": "process.mainModule.require('child_process').execSync('id')"
}

Impact Assessment
This vulnerability allows complete server takeover without any authentication. Attackers can steal sensitive data, modify databases, pivot to internal networks, and maintain persistent access to your infrastructure.
Disclosure Timeline
Key events in the discovery and resolution of CVE-2025-55182
Vulnerability Discovered
Security researchers identify a critical deserialization flaw in React Server Components payload handling.
CVE Assigned
CVE-2025-55182 is assigned with a CVSS score of 10.0 (Critical). React team begins emergency patch development.
Patches Released
React releases patched versions 19.0.1, 19.1.2, and 19.2.1 for all affected packages.
Public Disclosure
React team publishes official security advisory. All users urged to update immediately.
Mitigation Steps
Follow these steps immediately to protect your application from CVE-2025-55182
Identify Affected Packages
Check if your project uses react-server-dom-webpack, react-server-dom-turbopack, or react-server-dom-parcel in vulnerable versions (19.0.0, 19.1.0, 19.1.1, 19.2.0).
Update to Patched Versions
Upgrade affected packages to version 19.0.1, 19.1.2, or 19.2.1 depending on your current version track.
Rebuild & Redeploy
After updating, rebuild your application and redeploy to all environments immediately.
Audit & Monitor
Review logs for suspicious activity and implement additional security monitoring for RSC endpoints.
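To carry out the "Identify Affected Packages" step in CI rather than by eye, here is an added Node.js script (not from the React project or this page) that walks a package-lock.json of lockfileVersion 2 or 3 and flags every copy of the three react-server-dom-* packages whose version is on the vulnerable list, including nested transitive copies that a top-level `npm list` can miss. The lock object it runs on is constructed for the example.

```javascript
// Added example (not React's own tooling): audit a package-lock.json for the
// react-server-dom-* versions the advisory lists as vulnerable to CVE-2025-55182.
const AFFECTED = ['react-server-dom-webpack', 'react-server-dom-turbopack', 'react-server-dom-parcel'];
const VULNERABLE = new Set(['19.0.0', '19.1.0', '19.1.1', '19.2.0']);
const PATCHED = new Set(['19.0.1', '19.1.2', '19.2.1']);
// First patched release on each version track, so the fix stays on the track in use
const FIX_FOR_TRACK = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };

// Walks the "packages" map of a lockfileVersion 2/3 lock (keys are node_modules paths),
// so nested copies such as node_modules/x/node_modules/react-server-dom-webpack
// are reported too, not only the top-level dependency.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!AFFECTED.includes(name) || !meta.version) continue;
    const track = meta.version.split('.').slice(0, 2).join('.');
    let status = 'not-listed'; // a version the advisory names neither way
    if (VULNERABLE.has(meta.version)) status = 'vulnerable';
    else if (PATCHED.has(meta.version)) status = 'patched';
    findings.push({ path, name, version: meta.version, status, fix: FIX_FOR_TRACK[track] || '19.2.1' });
  }
  return findings;
}

// True when at least one copy still needs the upgrade; use it as a CI gate
function hasVulnerable(lock) {
  return auditLockfile(lock).some((f) => f.status === 'vulnerable');
}

// Constructed sample lock (not from a real project): one vulnerable top-level copy
// and one already-patched transitive copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/some-lib/node_modules/react-server-dom-turbopack': { version: '19.1.2' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${f.path}@${f.version} (fix: ${f.fix})`);
}
console.log(hasVulnerable(SAMPLE_LOCK) ? 'ACTION NEEDED' : 'clean');
```

For a real project, feed `auditLockfile` the result of `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` instead of the sample.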
Quick Update Commands
# Pin the patched release for your version track (19.0.1, 19.1.2 or 19.2.1);
# `npm install <pkg>@<version>` is the command that pins an exact version
# Update react-server-dom-webpack
npm install react-server-dom-webpack@19.2.1
# Update react-server-dom-turbopack
npm install react-server-dom-turbopack@19.2.1
# Update react-server-dom-parcel
npm install react-server-dom-parcel@19.2.1
# Verify versions
npm list | grep react-server-dom

Spread the Word
Help other developers learn about this critical vulnerability