Executive Summary
In December 2025, a maximum-severity vulnerability (CVE-2025-55182), codenamed React2shell, was uncovered in React Server Components (RSC), impacting platforms like React and Next.js. The flaw enables unauthenticated remote code execution (RCE) by exploiting how React decodes certain payloads sent to its server components. If left unpatched, attackers can execute arbitrary code on vulnerable servers, leading to full system compromise and severe business disruption. The incident highlights the critical impact of supply chain vulnerabilities in widely used open-source frameworks and the elevated risk for businesses relying on modern web development stacks.
The discovery of React2shell has triggered urgent patch advisories, as similar RCE vulnerabilities in web frameworks have seen rapid weaponization by threat actors. With increasing regulatory expectations for timely patch management and growing attacker focus on open-source component supply chains, this incident reinforces the need for continuous application security monitoring and robust SDLC controls.
Why This Matters Now
This vulnerability allows attackers to take over servers running unpatched versions of React and Next.js, posing an immediate threat to critical web infrastructure across industries. With widespread adoption of these frameworks and active exploit attempts observed in the wild, organizations face heightened exposure, making urgent patching and comprehensive application security controls essential right now.
Attack Path Analysis
The attacker exploited a critical remote code execution vulnerability (CVE-2025-55182) in exposed React Server Components to gain unauthenticated access to targeted cloud workloads. After gaining an initial foothold, they escalated privileges by executing arbitrary commands and possibly modifying access policies or credentials within the workload. The attacker then attempted lateral movement within the cloud or Kubernetes environment to reach additional sensitive systems or data stores. A persistent command-and-control channel was established to maintain control and receive instructions. Sensitive data was then exfiltrated via outbound network channels or application APIs. Ultimately, the attacker could disrupt operations, deploy ransomware, or manipulate the integrity and availability of cloud resources.
Kill Chain Progression
Initial Compromise
Description
Exploited the RSC remote code execution vulnerability (React2shell, CVE-2025-55182) against internet-exposed React/Next.js workloads to gain initial unauthenticated access.
Related CVEs
CVE-2025-55182
CVSS 10
A pre-authentication remote code execution vulnerability in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 allows unauthenticated attackers to execute arbitrary code by exploiting unsafe deserialization of payloads in Server Function endpoints.
Affected Products:
Facebook, Inc. React Server Components – 19.0.0, 19.1.0, 19.1.1, 19.2.0
Vercel Next.js – 15.0.0 to 15.0.4, 15.1.0 to 15.1.8, 15.2.0 to 15.2.5, 15.3.0 to 15.3.5, 15.4.0 to 15.4.7, 15.5.0 to 15.5.6, 15.6.0
Exploit Status:
Exploited in the wild
CVE-2025-55183
CVSS 7.5
An information leak vulnerability in React Server Components versions 19.0.0 through 19.2.1 allows attackers to retrieve the source code of Server Functions by sending specially crafted HTTP requests.
Affected Products:
Facebook, Inc. React Server Components – 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1
Exploit Status:
Proof of concept
CVE-2025-55184
CVSS 7.5
A pre-authentication denial of service vulnerability in React Server Components versions 19.0.0 through 19.2.1 allows attackers to cause an infinite loop, hanging the server process and preventing future HTTP requests from being served.
Affected Products:
Facebook, Inc. React Server Components – 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1
Exploit Status:
Proof of concept
CVE-2025-67489
CVSS 9.8
A remote code execution vulnerability in @vitejs/plugin-rs versions 0.5.5 and below allows attackers with network access to the development server to execute arbitrary code through unsafe dynamic imports in server function APIs.
Affected Products:
Vite @vitejs/plugin-rs – 0.5.5 and below
Exploit Status:
Proof of concept
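As an added example, not code from this advisory or from the React or Next.js projects, the following Node.js script checks a package-lock.json against the affected versions listed above, including nested copies pinned by transitive dependencies. The react-server-dom-* package names it looks for are an assumption about which npm packages ship React Server Components; the version lists and ranges are exactly those in the advisory.

```javascript
// Added example (not code from the advisory, React or Next.js): scan a
// package-lock.json "packages" map (lockfileVersion 2/3) for copies of the
// affected packages whose versions fall inside the ranges listed above. The
// react-server-dom-* package names are an assumption; the ranges are the advisory's.
const RSC = ["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"];
const ADVISORY = [
  { cve: "CVE-2025-55182", packages: RSC, ranges: [["19.0.0", "19.0.0"], ["19.1.0", "19.1.1"], ["19.2.0", "19.2.0"]] },
  { cve: "CVE-2025-55183/CVE-2025-55184", packages: RSC, ranges: [["19.0.0", "19.2.1"]] },
  { cve: "CVE-2025-55182", packages: ["next"], ranges: [["15.0.0", "15.0.4"], ["15.1.0", "15.1.8"],
      ["15.2.0", "15.2.5"], ["15.3.0", "15.3.5"], ["15.4.0", "15.4.7"], ["15.5.0", "15.5.6"], ["15.6.0", "15.6.0"]] },
];
const SEMVER = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;
// Parse "major.minor.patch[-prerelease][+build]"; null if malformed. `key` packs the
// numeric triple (components assumed < 1000) so ranges compare as integers.
function parseVersion(v) {
  const m = SEMVER.exec(v);
  if (!m) return null;
  return { key: Number(m[1]) * 1e6 + Number(m[2]) * 1e3 + Number(m[3]), pre: m[4] || null };
}
function inRange(key, [lo, hi]) {
  return key >= parseVersion(lo).key && key <= parseVersion(hi).key;
}
// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; the root entry "" yields null.
function packageName(lockKey) {
  const i = lockKey.lastIndexOf("node_modules/");
  return i === -1 ? null : lockKey.slice(i + "node_modules/".length);
}
// One finding per (installed copy, advisory entry); nested copies are checked too.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(path);
    if (!name || !entry.version) continue;
    const parsed = parseVersion(entry.version);
    for (const adv of ADVISORY.filter((a) => a.packages.includes(name))) {
      let status = null;
      if (!parsed || parsed.pre) status = "manual-review"; // canary/prerelease builds are not listed
      else if (adv.ranges.some((r) => inRange(parsed.key, r))) status = "affected";
      if (status) findings.push({ path, name, version: entry.version, cve: adv.cve, status });
    }
  }
  return findings;
}
// Constructed sample lockfile fragment: the top-level next is outside the listed
// ranges, but a nested copy and two RSC packages fall inside them.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "app" }, "node_modules/next": { version: "15.5.7" },
  "node_modules/react-server-dom-webpack": { version: "19.2.0" },
  "node_modules/legacy-ui/node_modules/next": { version: "15.4.2" },
  "node_modules/react-server-dom-turbopack": { version: "19.2.1" } } };
console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
```

Prerelease builds are reported for manual review rather than cleared, since the advisory lists only release versions.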
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter
Exploitation for Client Execution
Valid Accounts
Exploitation for Privilege Escalation
Ingress Tool Transfer
Exploitation for Defense Evasion
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of Public-Facing Applications
Control ID: 6.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy and Program
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9
NIS2 Directive – Minimum Cybersecurity Risk-Management Measures
Control ID: Article 21
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Application Threat Protection
Control ID: Application Workload Pillar - Protections
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Critical RSC vulnerability enables unauthenticated remote code execution in React/Next.js applications, requiring immediate patching and enhanced application security controls.
Financial Services
React-based financial platforms face maximum-severity RCE exposure, threatening transaction systems and requiring compliance with PCI and zero trust segmentation policies.
Health Care / Life Sciences
Healthcare applications using React components are vulnerable to remote code execution, compromising patient data and violating HIPAA encryption requirements.
E-Learning
Educational platforms built on React/Next.js exposed to unauthenticated attacks, threatening student data and requiring enhanced egress security and anomaly detection.
Sources
- Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution: https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html
- Critical Security Vulnerability in React Server Components: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- Meta React Server Components Remote Code Execution Vulnerability: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182
- China Nexus Cyber Threat Groups Rapidly Exploit React2shell Vulnerability CVE-2025-55182: https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Implementing layered CNSF and Zero Trust controls—such as segmentation, east-west traffic inspection, egress filtering, and inline threat detection—would have significantly contained attacker movement, prevented lateral spread, and swiftly alerted to anomalous behaviors throughout the kill chain.
Control: Cloud Firewall (ACF)
Mitigation: Direct exploitation attempts would have been blocked at the cloud perimeter.
Control: Threat Detection & Anomaly Response
Mitigation: Unusual privilege escalation activity is detected and alerted in real-time.
Control: Zero Trust Segmentation
Mitigation: Lateral movement between workloads or namespaces is blocked.
Control: Egress Security & Policy Enforcement
Mitigation: Malicious outbound connections are detected and blocked.
Control: Inline IPS (Suricata)
Mitigation: Known exfiltration and data theft signatures are identified and contained.
Swift detection of widespread malicious actions enables rapid isolation and containment.
Impact at a Glance
Affected Business Functions
- Web Application Services
- Customer Data Management
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive customer data, including personal information and authentication credentials, due to unauthorized access facilitated by the vulnerabilities.
Recommended Actions
Key Takeaways & Next Steps
- Restrict external access to critical cloud workloads using cloud-native firewalls and least privilege policies.
- Implement proactive east-west segmentation to contain potential lateral movement after initial compromise.
- Enforce strict egress controls with domain and protocol filtering to block outbound C2 and data exfiltration paths.
- Deploy inline threat detection and response systems that alert on privilege escalation and anomalous behaviors in real-time.
- Maintain centralized visibility into multicloud environments for rapid threat hunting, response, and impact mitigation.