Threat actors exploit critical React vulnerability (CVSS 10.0), thousands of web apps at risk

By: Lee Ann Anderson

A maximum-severity threat has emerged in React Server Components. CVE-2025-55182, rated CVSS 10.0, allows unauthenticated attackers to execute arbitrary code on vulnerable web servers. Trend Micro, AWS, and security researchers confirm that China-nexus threat actors began actively exploiting this vulnerability within hours of public disclosure, putting thousands of applications at immediate risk.

🔥 Quick Facts

  • Vulnerability ID: CVE-2025-55182 (also called React2Shell)
  • Severity Rating: CVSS 10.0 (maximum possible severity)
  • Disclosure Date: December 3, 2025
  • Status: Actively exploited by threat actors as of December 5, 2025

Understanding the React2Shell Vulnerability

The vulnerability stems from insecure deserialization in React Server Components. Attackers craft malicious HTTP requests that exploit how React processes and deserializes incoming payloads. The flaw allows unauthenticated remote code execution on any server running vulnerable React versions.

Affected versions include React 19.0, 19.1.0, 19.1.1, and 19.2.0. Applications don’t need to explicitly use React Server Functions to be vulnerable. Simply supporting React Server Components makes an application susceptible to exploitation.

Active Exploitation by China-Nexus Groups

AWS threat intelligence teams observed China-nexus cyber threat groups launching attacks within hours of the vulnerability’s public disclosure. Two specific threat actors, Earth Lamia and Jackpot Panda, rapidly integrated public exploits into their attack infrastructure.

Security researchers note this represents a systematic approach where threat actors monitor vulnerability disclosures and immediately weaponize them. The exploitation efforts demonstrate how quickly nation-state actors can mobilize against critical infrastructure.

Technical Details and Attack Vector

| Aspect | Details |
|---|---|
| Attack Type | Unauthenticated Remote Code Execution (RCE) |
| Required Authentication | None required – vulnerability is pre-authentication |
| Root Cause | Insecure deserialization in Flight protocol |
| Attack Vector | Specially crafted HTTP POST request to RSC endpoints |
| Impact | Arbitrary code execution, data theft, lateral movement |

Millions of Web Applications at Risk

Security researchers estimate approximately 40% of cloud environments using React contain vulnerable configurations. Organizations building with Next.js, React Router, or any framework using React Server Components face exposure.

The Flight protocol used by React Server Components affects not only React but also downstream frameworks and bundlers. This cascading impact means the vulnerability extends far beyond applications explicitly coded with React 19.

What Should Organizations Do Now?

Security experts strongly recommend immediate patching of all React deployments. The React team released updates addressing the vulnerability. Google Cloud, AWS, and Cisco have all issued urgent security advisories guiding enterprises through remediation steps.

Organizations should treat this as a critical incident response priority. Since public exploits are now available and active exploitation is confirmed, every hour of delay increases incident risk. IT teams must prioritize patching React Server Components and related frameworks across their entire infrastructure.
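
To find where patching is needed, the added example below (not from the article or the React project) scans a parsed npm package-lock.json for packages at the affected versions listed earlier. The package-name filter and reading "19.0" as 19.0.0 are assumptions, and a framework that bundles its own copy of React will not show up in a lockfile scan, so vendor advisories still apply.

```javascript
// Added example: flag package-lock.json entries whose version is on the
// article's affected list (19.0, 19.1.0, 19.1.1, 19.2.0).
const AFFECTED = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]); // "19.0" read as 19.0.0 (assumption)
const NM = "node_modules/";

// Assumption: the article only says "React", so check the core packages and
// the react-server-dom-* packages that implement Server Components.
const isTarget = (name) =>
  name === "react" || name === "react-dom" || name.startsWith("react-server-dom-");

function findAffected(lock) {
  const hits = [];
  const check = (name, version, where) => {
    if (isTarget(name) && AFFECTED.has(version)) hits.push({ name, version, where });
  };
  if (lock.packages) {
    // Lockfile v2/v3: flat map keyed by install path; nested copies each get an entry.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const i = path.lastIndexOf(NM);
      if (i !== -1) check(path.slice(i + NM.length), meta.version, path);
    }
  } else {
    // Lockfile v1: nested "dependencies" tree, so transitive copies are walked too.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta.version, `${trail}${name}`);
        walk(meta.dependencies, `${trail}${name} > `);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.1.1" },
    "node_modules/react-dom": { version: "18.3.1" },
    "node_modules/some-lib/node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/left-pad": { version: "19.0.0" }, // same version, unrelated package
  },
};

// Usage: node check.js path/to/package-lock.json (no argument: runs on the sample).
const cli = typeof require === "function" ? process.argv[2] : undefined;
const lock = cli ? JSON.parse(require("fs").readFileSync(cli, "utf8")) : SAMPLE_LOCK;
for (const h of findAffected(lock)) console.log(`REVIEW ${h.name}@${h.version} (${h.where})`);
```

Run it against every lockfile in the estate, including nested workspaces, since transitive copies count as much as direct dependencies.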

