Executive Summary
In December 2025, a critical remote code execution (RCE) vulnerability—CVE-2025-55182—was discovered in the Flight protocol used by React Server Components. Rated CVSS 10.0, this flaw enabled unauthenticated attackers to craft malicious requests, resulting in the compromise of application servers running affected versions. Security researchers observed exploitation in the wild, with threat actors leveraging the flaw for lateral movement and potential data exfiltration. Organizations using Next.js and other frameworks integrating the vulnerable protocol faced heightened risk until urgent patches were issued. Immediate remediation efforts, threat monitoring, and network segmentation were necessary to mitigate the rapid spread.
This incident underscores the growing threat posed by supply chain vulnerabilities in widely adopted developer ecosystems. Flaws in core components of popular open-source projects amplify business risk, because attackers weaponize newly disclosed vulnerabilities faster and at larger scale.
Why This Matters Now
The CVE-2025-55182 vulnerability enables complete server compromise via a simple network request, even without authentication. With widespread usage of React Server Components and related frameworks in critical production workloads, organizations are at high risk from rapid exploit adoption and possible regulatory scrutiny for exposed customer data if not remediated immediately.
Attack Path Analysis
Attackers exploited CVE-2025-55182, a critical RCE in React Server Components’ Flight protocol, to gain initial server access. Leveraging this foothold, they escalated privileges to expand their control, possibly abusing service or container permissions. Using compromised access, they moved laterally across internal cloud workloads or microservices. The adversaries established outbound command and control to maintain persistent access and issue commands. Next, sensitive data was exfiltrated through potentially covert outbound channels. Finally, attackers inflicted impact through actions like database manipulation, data corruption, or business disruption.
Kill Chain Progression
Initial Compromise
Description
Exploitation of the publicly exposed React Server Components’ Flight protocol via CVE-2025-55182 allowed unauthenticated remote code execution on the cloud service.
Related CVEs
CVE-2025-55182
CVSS: 10
An unauthenticated remote code execution vulnerability in React Server Components due to unsafe deserialization of HTTP request payloads.
Affected Products:
React react-server-dom-webpack – 19.0.0, 19.1.0, 19.1.1, 19.2.0
React react-server-dom-parcel – 19.0.0, 19.1.0, 19.1.1, 19.2.0
React react-server-dom-turbopack – 19.0.0, 19.1.0, 19.1.1, 19.2.0
Vercel Next.js – 15.0.0, 15.0.1, 15.0.2, 15.0.3, 15.0.4, 15.1.0, 15.1.1, 15.1.2, 15.1.3, 15.1.4, 15.1.5, 15.1.6, 15.1.7, 15.1.8, 15.2.0, 15.2.1, 15.2.2, 15.2.3, 15.2.4, 15.2.5, 15.3.0, 15.3.1, 15.3.2, 15.3.3, 15.3.4, 15.3.5, 15.4.0, 15.4.1, 15.4.2, 15.4.3, 15.4.4, 15.4.5, 15.4.6, 15.4.7, 15.5.0, 15.5.1, 15.5.2, 15.5.3, 15.5.4, 15.5.5, 15.5.6, 16.0.0, 16.0.1, 16.0.2, 16.0.3, 16.0.4, 16.0.5, 16.0.6
Exploit Status: exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-55182
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/
https://www.cmu.edu/iso/news/2025/react2shell-critical-vulnerability.html
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Exploitation for Client Execution
Command and Scripting Interpreter
Exploitation for Privilege Escalation
Server Software Component
Ingress Tool Transfer
Impair Defenses
Data Encrypted for Impact
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of Public-Facing Web Applications
Control ID: 6.2.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Regulation (EU) 2022/2554) – ICT Risk Management – Protection and Prevention
Control ID: Article 9(2)
CISA ZTMM 2.0 – Secure Code and Vulnerability Management
Control ID: Application/Workload Pillar - Secure Application Development
NIS2 Directive – Technical and Operational Measures
Control ID: Article 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Critical RCE vulnerability in React Server Components threatens web applications with CVSS 10.0 severity, requiring immediate patching and zero trust segmentation.
Financial Services
React-based financial platforms face severe data breach risks from CVE-2025-55182 exploitation, demanding enhanced egress security and compliance monitoring controls.
Health Care / Life Sciences
Healthcare web applications using React components are vulnerable to remote code execution, risking HIPAA violations and requiring immediate threat detection implementation.
E-Learning
Educational platforms built on React frameworks are exposed to a critical vulnerability enabling data exfiltration and system compromise through Flight protocol exploitation.
Sources
- Exploitation of Critical Vulnerability in React Server Components (Updated December 12) – https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-next/ (Verified)
- Critical Security Vulnerability in React Server Components – https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components (Verified)
- Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components – https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/ (Verified)
- React2Shell Critical Vulnerability (CVE-2025-55182) – https://www.cmu.edu/iso/news/2025/react2shell-critical-vulnerability.html (Verified)
- React2Shell RCE flaw exploited by Chinese hackers hours after disclosure – https://www.techradar.com/pro/security/react2shell-rce-flaw-exploited-by-chinese-hackers-hours-after-disclosure (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic security, and inline policy enforcement would have significantly reduced adversary freedom after initial exploitation, preventing lateral movement and limiting outbound exfiltration. Anomaly detection and egress controls further enhance layered defense by enabling rapid incident detection and containment.
Control: Inline IPS (Suricata)
Mitigation: Prevented or detected exploit attempts targeting the vulnerable service.
Control: Zero Trust Segmentation
Mitigation: Restricted inter-service abuse and limited privilege scope.
Control: East-West Traffic Security
Mitigation: Blocked unauthorized lateral movement between workloads.
Control: Egress Security & Policy Enforcement
Mitigation: Blocked or alerted on suspicious outbound communications.
Control: Encrypted Traffic (HPE) & Multicloud Visibility & Control
Mitigation: Detected and restricted high-risk or unauthorized egress data flows.
Rapid detection of anomalous destructive behaviors enabled swift containment.
Impact at a Glance
Affected Business Functions
- Web Services
- E-commerce Platforms
- Content Management Systems
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive user data, including personal information and payment details, due to unauthorized access facilitated by the vulnerability.
Recommended Actions
Key Takeaways & Next Steps
- Patch CVE-2025-55182 in all affected React Server Components and enforce a rapid vulnerability management program.
- Deploy Zero Trust Segmentation to enforce least-privilege, identity-driven network policies between application workloads and services.
- Implement East-West Traffic Security and Inline IPS to monitor and block lateral movement and exploit attempts within cloud and Kubernetes environments.
- Establish comprehensive Egress Policy Enforcement and encrypted traffic visibility to prevent data exfiltration and block unauthorized outbound C2 traffic.
- Enhance Threat Detection & Anomaly Response capabilities to detect, alert, and rapidly contain suspicious or destructive activities across the environment.