Close Menu
    Subscribe
    Alerts

    React and Next.js Vulnerable to Critical (10.0) Remote Code Execution

    adminBy No Comments3 Mins Read


    React and Next.js Vulnerable to Critical (10.0) Remote Code Execution Vulnerability (CVE-2025-55182)

    This report is distributed as TLP:CLEAR. Recipients may share this information without restriction. Information is subject to standard copyright rules.

    Disclaimer | CyberAlberta

    Summary

    On 3 December 2025, React disclosed the critical remote code execution (RCE) vulnerability CVE-2025-55182, also known as React2Shell, affecting multiple React Server Components (RCS) packages and the broader ecosystem of frameworks that rely on the React Flight protocol.

    On 4 December 2025, Amazon Web Services (AWS) Security reported China-nexus threat actors are actively exploiting CVE-2025-55182 using automated scanning tools and proof-of-concept (PoC) exploit code1 – code that demonstrates and verifies how a vulnerability can be exploited. 

    Details

    CVE-2025-55182 – Critical (10.0): A remote code execution (RCE) vulnerability affecting RCS packages. This vulnerability is an insecure deserialization flaw for decoding RCS Flight protocol requests. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted HTTP requests to exposed React Server Function endpoints to achieve RCE.

    GreyNoise and Defused honeypots also observed exploitation attempts.23 CyberAlberta Threat Intelligence is aware of scanning tools to identify vulnerable packages and multiple PoC exploits. Initially, the publicly available PoC exploits were assessed to be inert.4 However, working PoC exploits—such as the exploit affecting Node.js version 16.0.65—are emerging. 

    Affected Products

    CVE-2025-55182 affects the following products:

    • Versions 19.0, 19.1.0. 19.1.1 and 19.2.0 of:
      • react-server-dom-webpack
      • react-server-dom-parcel
      • react-server-dom-turbopack
    • Versions 15.x, 16.x, 14.3.0-canary.77 (and later canary releases) of Next.js
    • Other frameworks that bundle the vulnerable packages include:
      • React Router (RSC mode)
      • Expo
      • Vite RSC plugin
      • Parcel RSC plugin
      • RedwoodSDK
      • Waku 

    Assessment 

    CyberAlberta Threat Intelligence assesses that active exploitation of CVE-2025-55182 is highly likely to continue and escalate as more threat actors adopt existing PoCs or develop new exploits. 

    Recommendations

    To defend exploitation of the reported vulnerabilities, it is recommended to:

    • Assess the codebase for any use of the vulnerable react-server-dom* packages.
    • Patch React systems to the latest versions: 19.0.16, 19.1.27, 19.2.18
    • Patch Next.js systems to the latest versions: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
    • Next.js have provided guidance on applying updates in their security advisory9:
      • If Next.js cannot currently be upgraded, it is recommended to downgrade to the latest stable 14.x release using the command: npm install next@14
    • Apply any available updates for other implicated frameworks:
      • Vite RSC plugin
      • Parcel RSC plugin
      • React Router RSC preview
      • Expo
      • RedwoodSDK
      • Waku
    • Hunt for anomalous activity:
      • Node spawning child processes for invoking payloads, e.g. cmd.exe or powershell.exe
      • Node spawning child processes for downloading payloads, e.g. curl, or wget
      • Node spawning child processes for enumeration, e.g. id, whoami, netstat, or uname 

    Indicators of Compromise (IOCs)

    The following table of Indicators of Compromise (IOCs) comprises of observations from GreyNoise,10 and AWS Security.11 

    http[:]//23.235.188[.]3:652/qMqSb 

    HTTP POST request headers to vulnerable endpoints 

    Anomalous elements in request bodies 

    “status”:”resolved_model 

    Table 1.  IOCs Characterizing Exploitation Attempts of React

    Further Detail

    References

    1. https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
    2. https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far
    3. https://x.com/DefusedCyber/status/1996970968661594119
    4. https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/#:~:text=The%20GitHub%20security%20community%20has%20identified%20multiple%20PoCs%20that%20demonstrate%20fundamental%20misunderstandings%20of%20the%20vulnerability
    5. https://gist.github.com/maple3142/48bc9393f45e068cf8c90ab865c0f5f3
    6. https://github.com/facebook/react/releases/tag/v19.0.1
    7. https://github.com/facebook/react/releases/tag/v19.1.2
    8. https://github.com/facebook/react/releases/tag/v19.2.1
    9. https://nextjs.org/blog/CVE-2025-66478#required-action
    10. https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far#:~:text=What%20we%20are%20observing%20in%20the%20initial%20POST%20request
    11. https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/#:~:text=Indicators%20of%20compromise



    Source link

    Share.

    Related Posts

    Add A Comment

    Comments are closed.