Critical ‘React2Shell’ Vulnerability Exposes React.js

▼ Summary
– A critical remote code execution vulnerability, CVE-2025-55182 (React2Shell), has been identified in React.js, receiving the maximum severity rating of 10.0.
– The flaw affects the server-side use of React.js and Next.js, allowing unauthenticated attackers to run arbitrary code and control victim servers via a simple HTTP request.
– Exploitation is highly likely, with a near 100% success rate in default configurations, and a working proof-of-concept has been publicly verified.
– Security teams must immediately upgrade vulnerable React.js packages to fixed versions (19.0.1, 19.1.2, or 19.2.1) to remediate the issue.
– Next.js applications are also vulnerable, and a mitigation option involves migrating from the App Router back to the Pages Router if possible.

A critical security flaw in the widely used React.js library, known as React2Shell, has been disclosed, posing a severe risk of remote code execution on affected servers. This vulnerability, officially designated as CVE-2025-55182, carries the highest possible severity score of 10.0. It specifically impacts the server-side implementation of React and, in terms of potential impact, bears alarming similarities to the infamous Log4Shell vulnerability of 2021. The discovery was made public by security researcher Lachlan Davidson, who reported it to Meta’s development team.
The issue stems from a fundamental problem within the framework’s core deserialization logic, making it exploitable in a broad range of common configurations. Successful exploitation of React2Shell could provide an attacker with the ability to run arbitrary code and assume control of the victim server. This level of access could lead to a complete compromise of sensitive data and system integrity. According to Ari Eitan, director of cloud security research at Tenable, the widespread adoption of React and Next.js, combined with the simplicity of the attack, makes this bug particularly dangerous. “Exploitation is incredibly simple and can be achieved without authentication,” Eitan noted, adding that a single malicious HTTP request is often sufficient to trigger the remote code execution.
The vulnerability affects React servers utilizing React Server Function endpoints. Furthermore, the popular Next.js framework, which builds upon React, is also vulnerable in its default state. The Next.js team initially issued its own advisory and CVE (CVE-2025-66478), but the US National Vulnerability Database later classified it as a duplicate of the primary React flaw. Researchers from JFrog have indicated that the exploitation success rate in default setups is nearly 100%, underscoring the urgent need for remediation.
While it remains unclear how widespread active attacks are, the public disclosure has significantly increased the risk. Security firm OX Security confirmed on December 5th that a functional proof-of-concept (PoC) exploit had been published and verified, moving the threat from theoretical to actively exploitable. JFrog warned that fake PoC exploits circulating on GitHub are known to contain malicious code, and advised security teams to exercise extreme caution and verify sources thoroughly before attempting any testing on their own systems.
To address CVE-2025-55182, organizations must immediately upgrade any vulnerable React packages. The affected versions include 19.0, 19.1.0, 19.1.1, and 19.2.0. The React team has released patched versions 19.0.1, 19.1.2, and 19.2.1 to resolve the issue. For applications built with Next.js, upgrading to a patched version is the primary recommendation. In specific cases where the App Router feature is not essential, an alternative mitigation involves migrating the application back to using the older Pages Router by following the official Next.js migration guide. Given the critical nature of this flaw, applying these updates is a non-negotiable priority for any development or security team using these technologies.
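As an added defender-side check (example code, not from the article or the React project), the Node script below audits an npm package-lock.json for the affected and fixed versions listed above, and flags 19.x prerelease builds for manual review since the article does not cover them. The set of package names it inspects is an assumption, as the article does not name the specific npm packages.

```javascript
// Added example (not from the article): audit an npm package-lock.json (lockfileVersion 2/3) for
// React packages pinned to the versions the article lists as affected by CVE-2025-55182.
// ASSUMPTION: the article does not name the affected npm packages; PACKAGES is a placeholder set
// to replace with the packages named in the React advisory for your stack.
const PACKAGES = new Set(["react", "react-dom", "react-server-dom-webpack"]);
// Affected per the article: 19.0 (i.e. 19.0.0), 19.1.0, 19.1.1, 19.2.0.
// Fixed per the article, keyed by minor version: 19.0.1, 19.1.2, 19.2.1.
const FIXED_BY_MINOR = { 0: "19.0.1", 1: "19.1.2", 2: "19.2.1" };

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// "affected" (with the fixed version to move to), "review" for 19.x prerelease/canary builds
// the article does not cover, otherwise "ok".
function classify(version) {
  const p = parseVersion(version);
  if (!p || p.major !== 19) return { status: "ok" };
  if (p.pre) return { status: "review" };
  const affected = (p.minor === 0 && p.patch === 0) || (p.minor === 1 && p.patch <= 1) ||
    (p.minor === 2 && p.patch === 0);
  return affected ? { status: "affected", upgradeTo: FIXED_BY_MINOR[p.minor] } : { status: "ok" };
}
// Walk the lockfile "packages" map; nested copies live under
// "node_modules/<dep>/node_modules/<pkg>", so match on the last path segment.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!PACKAGES.has(name) || !meta.version) continue;
    const c = classify(meta.version);
    if (c.status !== "ok") findings.push({ path, version: meta.version, ...c });
  }
  return findings;
}
// Constructed sample lockfile so this runs without a project; for a real one pass
// JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")) to auditLockfile.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/react": { version: "19.1.1" },
    "node_modules/react-dom": { version: "19.1.2" },
    "node_modules/some-ui-kit/node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.0.0-canary-abc123" },
  },
};
for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path} ${f.version}: ${f.status}${f.upgradeTo ? " -> upgrade to " + f.upgradeTo : ""}`);
}
```

Nested copies of a package under another dependency's node_modules are the ones that a quick look at the top-level package.json misses, which is why the audit walks the lockfile rather than the manifest.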
(Source: Info Security)