A critical remote code execution (RCE) vulnerability dubbed "React2Shell" (CVE-2025-55182) has been discovered in React Server Components (RSC) and could affect applications built on them, including Next.js and other frameworks. The flaw allows unauthenticated attackers to execute arbitrary code on affected servers, active exploitation has been observed, and it ranks among the most severe threats to React-based applications.
Why This Matters
React powers millions of web applications globally. Exploiting React2Shell allows attackers to execute arbitrary code on vulnerable servers without authentication, potentially leading to data breaches, service disruption, and full system compromise.
Impact of Vulnerability
- Severity: CVE-2025-55182 carries a CVSS score of 10.0, the maximum severity.
- Nature: An insecure deserialization flaw within React's "Flight" protocol, which handles communication between server and client components.
- Impact: An attacker can send a single, specially crafted HTTP request to a vulnerable endpoint to gain full control of the server without authentication. This can lead to infrastructure compromise, data theft, and installation of malware.
- Exploitation: Public proof-of-concept (PoC) exploits are available and are being used in active attacks, some linked to known threat groups.
- Affected Systems: The vulnerability impacts the default configuration of many modern web applications, particularly those using the Next.js App Router.
- Attack Vector: Remote, unauthenticated.
- Risk: Complete takeover of application servers.
Affected Versions
Organizations using affected software should prioritize immediate patching. The vulnerability primarily affects specific versions of React Server Component packages and frameworks that bundle them:
- React Server Components packages: react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack versions 19.0.0 through 19.2.0 are vulnerable.
- Next.js: Versions using the App Router, including the 15.x and 16.x stable releases and specific 14.x canary builds.
Scan Detection and Mitigation
HCL AppScan continues to deliver rapid, proactive security updates to protect your applications against emerging threats. Our Software Composition Analysis (SCA) solution already detects React2Shell, enabling you to identify vulnerable dependencies immediately. We are moving fast: our Dynamic Application Security Testing (DAST) product has received an update to the “Vulnerable Component” database that can now detect the React2Shell zero-day vulnerability (CVE-2025-55182). Update your vulnerable component database to version 1.9 immediately to close this critical security gap.
Recommended Actions
- Update React to the patched version immediately.
- Scan your applications using HCL AppScan SCA to identify vulnerable components.
- Apply WAF rules and monitor for suspicious activity until patches are deployed.
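As a first-pass check before a full SCA scan, the following added example (not HCL AppScan's code, nor React's) audits a parsed package-lock.json for the three RSC packages named above in the 19.0.0 through 19.2.0 range and flags Next.js 15.x/16.x entries for manual review. The lockfile contents are a constructed sample; treating canary builds of an affected version line as in range is a conservative assumption.

```javascript
// Added example: audit a package-lock.json (lockfile v2/v3 "packages" map) for the
// React Server Components packages the advisory names. Not vendor code.
const RSC_PACKAGES = new Set([
  'react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack',
]);

// Compare dotted numeric versions. A pre-release tag ("19.2.0-canary.3") is stripped
// first, so canaries of an affected line are flagged too (conservative assumption).
function cmp(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

function inRange(version, low, high) {
  return cmp(version, low) >= 0 && cmp(version, high) <= 0;
}

// lock: the parsed package-lock.json object. Nested installs
// ("node_modules/a/node_modules/b") are resolved to the innermost package name.
function auditLock(lock) {
  const vulnerable = [];
  const review = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!meta || !meta.version) continue;
    const idx = path.lastIndexOf('node_modules/');
    const name = meta.name || (idx >= 0 ? path.slice(idx + 'node_modules/'.length) : path);
    if (RSC_PACKAGES.has(name) && inRange(meta.version, '19.0.0', '19.2.0')) {
      vulnerable.push({ name, version: meta.version, path });
    } else if (name === 'next' && /^1[56]\./.test(meta.version)) {
      review.push({ name, version: meta.version, path });
    }
  }
  return { vulnerable, review };
}

// Constructed sample lockfile fragment, not taken from any real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.1.0' },
    'node_modules/next': { version: '15.1.0' },
    'node_modules/react-server-dom-webpack': { version: '19.1.0' },
    'node_modules/react-server-dom-turbopack': { version: '18.3.1' },
    'node_modules/some-lib/node_modules/react-server-dom-parcel': { version: '19.2.0-canary.3' },
  },
};

const report = auditLock(SAMPLE_LOCK);
console.log(JSON.stringify(report, null, 2));
```

Point `auditLock` at `JSON.parse(fs.readFileSync('package-lock.json'))` to run it against a real project; a non-empty `vulnerable` list means the React packages need updating before anything else.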
Learn More
Stay ahead of threats with HCL AppScan — detect, prioritize, and remediate vulnerabilities before attackers exploit them.