
CVE-2025-55182, also known as React2Shell, is a critical CVSS 10.0 remote code execution (RCE) vulnerability affecting applications that rely on React Server Components (RSC). If your application supports RSC, even indirectly through frameworks like Next.js, you are likely exposed and should patch immediately.

Understanding the Context Behind CVE-2025-55182

On December 3, 2025, the React Team publicly confirmed a severe server-side vulnerability in RSC following a disclosure by security researcher Lachlan Davidson on November 29, 2025. Davidson’s findings prompted the creation of React2Shell.com, highlighting the ease with which attackers can exploit the flaw.

Because RSCs are automatically enabled in many modern React frameworks, organizations may be vulnerable even if they do not explicitly use server functions. This is especially dangerous for companies running default configurations or recently upgraded versions of React.

What Is CVE-2025-55182?

CVE-2025-55182 is a pre-authentication RCE vulnerability that allows attackers to run arbitrary code on a server without logging in. The issue stems from insecure deserialization of untrusted data in Server Function endpoints. By sending specially crafted HTTP requests, an attacker can exploit this weakness to execute code, gain control of the server, and potentially pivot deeper into the environment.

Any framework that bundles the react-server implementation is likely impacted.

Affected Components and Versions

Component                    Vulnerable versions
react-server-dom-parcel      19.0, 19.1.0, 19.1.1, 19.2.0
react-server-dom-turbopack   19.0, 19.1.0, 19.1.1, 19.2.0
react-server-dom-webpack     19.0, 19.1.0, 19.1.1, 19.2.0

Likely Affected Frameworks

  • Next.js (15.x, 16.x)
  • React Router with RSC APIs
  • Expo
  • Redwood SDK
  • Waku
  • Vite and Parcel plugins

React was originally designed for client-side execution. Because server-side React is relatively new, many organizations are still unfamiliar with how RSCs behave or even the risks they introduce. As a result, default settings alone may put your applications at risk.

Immediate Remediation Steps for CVE-2025-55182

If your systems are running any of the impacted versions, remediation should begin immediately. BD Emerson’s security engineers are available to help teams validate exposure, implement controls, and apply the necessary patches.

1. Upgrade React and Dependencies

Update to the patched versions as soon as possible:

  • React: 19.0.1+, 19.1.2+, or 19.2.1+
  • Next.js: 15.0.5+, 15.1.9+, 15.2.6+, 15.3.6+, 15.4.8+, 15.5.7+, or 16.0.7+

React’s official blog provides detailed upgrade instructions for frameworks and toolchains that use RSC, including React Router, Expo, Redwood, Waku, and others.
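Before upgrading, it helps to know exactly which installed copies of the RSC runtime and Next.js sit below the fixed releases listed above, including copies nested under other tooling (which is why dependencies beyond React and Next.js also need attention). The script below is an added example, not code from this article, React, or Next.js. The fix boundaries are taken from the patched-version list above; the handling of the package-lock.json layout, the "unlisted" outcome for version lines the article does not mention, and the sample lockfile are assumptions made for this example.

```javascript
// Added example (not from the article, React, or Next.js): audit a
// package-lock.json for the packages and versions CVE-2025-55182 affects.
// Fix boundaries come from the article's patched-version list; the lockfile
// layout handling and the sample data are assumptions for this example.

const RSC_PACKAGES = new Set([
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
]);

// First fixed patch release on each affected major.minor line.
const FIXED_RSC = { "19.0": 1, "19.1": 2, "19.2": 1 };
const FIXED_NEXT = {
  "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6, "15.4": 8, "15.5": 7, "16.0": 7,
};

// Parse "19.1.0" or "19.1.2-canary.3" into numeric parts; null if not semver-like.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// "vulnerable": on an affected line and below the first fixed release
// "patched":    on an affected line at or above the fix
// "unlisted":   a line the article does not mention; check it against the advisory
function classify(version, fixedTable) {
  const p = parseVersion(version);
  if (!p) return "unparseable";
  const line = `${p.major}.${p.minor}`;
  if (!(line in fixedTable)) return "unlisted";
  if (p.patch < fixedTable[line]) return "vulnerable";
  // A prerelease of the fix release (e.g. 19.1.2-canary.3) sorts before the fix.
  if (p.patch === fixedTable[line] && p.prerelease) return "vulnerable";
  return "patched";
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json. Keys are
// install paths, so nested copies under another package's node_modules are
// checked too; that is where tooling that bundles the RSC runtime shows up.
function auditLockfile(lock) {
  const findings = [];
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path || !entry.version) continue;
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    let status = null;
    if (RSC_PACKAGES.has(name)) status = classify(entry.version, FIXED_RSC);
    else if (name === "next") status = classify(entry.version, FIXED_NEXT);
    if (status && status !== "patched") {
      findings.push({ name, version: entry.version, path, status });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment (not a real project's lockfile).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/next": { version: "15.5.6" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-tool/node_modules/react-server-dom-turbopack": { version: "19.1.2" },
  },
};

// Usage: replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")).
for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.toUpperCase()}: ${f.name}@${f.version} at ${f.path}`);
}
```

Run it against each deployable application's lockfile, not only the top-level one; a monorepo or a build tool can carry its own copy of react-server-dom-* that `npm ls` at the root does not surface.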

2. Implement Temporary Controls if Patching Is Delayed

If your team cannot patch immediately, deploy compensating controls to reduce the risk of exploitation:

  • Deploy WAF rules to block malicious serialization payloads before they reach your application.
  • Tighten network egress controls to prevent reverse shells, reducing an attacker’s ability to establish outbound connections.
  • Enable comprehensive logging across all Server Function invocations to detect anomalies early and respond faster.

These controls are not substitutes for patching but can significantly reduce your exposure window.
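Logging every Server Function invocation is only useful if something reads the logs. The code below is an added example, not code from this article, React, or Next.js, showing three checks a defender can run over such logs: an invoked function identifier that the build never emitted, a request body far larger than any legitimate call, and a burst of server-side failures from one source. The log format, the field names (`action` stands in for whatever identifier your framework records, such as the `Next-Action` request header in Next.js), the allowlist, the thresholds, and the sample lines are all assumptions constructed for this example.

```javascript
// Added example (not from the article, React, or Next.js): anomaly checks over
// structured logs of Server Function invocations. Log format, field names,
// thresholds and the sample data are assumptions made for this example.

const KNOWN_ACTIONS = new Set(["a1b2", "c3d4"]); // assumed: identifiers your build emitted
const MAX_BODY_BYTES = 64 * 1024;                 // assumed ceiling for a legitimate call
const BURST_WINDOW_MS = 60 * 1000;                // assumed: failures counted per minute
const BURST_LIMIT = 5;                            // assumed: 5 failures/min/source is a burst

// Constructed sample log: one JSON object per line, as a logging middleware
// around the Server Function endpoint might emit (RFC 5737 test addresses).
const SAMPLE_LOG = `
{"ts":"2025-12-05T10:00:01Z","src":"203.0.113.7","action":"a1b2","bytes":312,"status":200}
{"ts":"2025-12-05T10:00:02Z","src":"203.0.113.7","action":"a1b2","bytes":298,"status":200}
{"ts":"2025-12-05T10:00:09Z","src":"198.51.100.23","action":"zz01","bytes":900,"status":500}
{"ts":"2025-12-05T10:00:11Z","src":"198.51.100.23","action":"zz02","bytes":900,"status":500}
{"ts":"2025-12-05T10:00:14Z","src":"198.51.100.23","action":"zz03","bytes":900,"status":500}
{"ts":"2025-12-05T10:00:20Z","src":"198.51.100.23","action":"zz04","bytes":70000,"status":500}
{"ts":"2025-12-05T10:00:25Z","src":"198.51.100.23","action":"zz05","bytes":900,"status":500}
{"ts":"2025-12-05T10:00:40Z","src":"203.0.113.7","action":"c3d4","bytes":410,"status":200}
`;

// Parse newline-delimited JSON, skipping blank lines.
function parseLog(text) {
  return text.split("\n").map(l => l.trim()).filter(Boolean).map(l => JSON.parse(l));
}

// Apply the three rules in one pass. Events must be in timestamp order.
function detectAnomalies(events) {
  const findings = [];
  const failuresBySrc = new Map(); // src -> timestamps of recent 5xx responses
  for (const e of events) {
    if (!KNOWN_ACTIONS.has(e.action)) {
      findings.push({ rule: "unknown-action", src: e.src, action: e.action, ts: e.ts });
    }
    if (e.bytes > MAX_BODY_BYTES) {
      findings.push({ rule: "oversized-body", src: e.src, bytes: e.bytes, ts: e.ts });
    }
    if (e.status >= 500) {
      const t = Date.parse(e.ts);
      const recent = (failuresBySrc.get(e.src) || []).filter(x => t - x < BURST_WINDOW_MS);
      recent.push(t);
      failuresBySrc.set(e.src, recent);
      // Report once, at the moment the source crosses the limit.
      if (recent.length === BURST_LIMIT) {
        findings.push({ rule: "failure-burst", src: e.src, count: recent.length, ts: e.ts });
      }
    }
  }
  return findings;
}

// Count findings per rule, handy for a dashboard or an alert threshold.
function countByRule(findings) {
  const counts = {};
  for (const f of findings) counts[f.rule] = (counts[f.rule] || 0) + 1;
  return counts;
}

const findings = detectAnomalies(parseLog(SAMPLE_LOG));
console.log(countByRule(findings));
for (const f of findings) console.log(JSON.stringify(f));
```

The unknown-identifier rule is the most specific of the three for this vulnerability class, because a request that reaches the deserialization path without naming a function the build produced is not something a legitimate client generates; the other two rules are generic but cheap, and the burst rule deliberately fires once per window so a single source does not flood the alert queue.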

3. Strengthen Your Long-Term Security Protocols

CVE-2025-55182 is a reminder of the risks introduced by complex serialization and server-side frameworks. Build long-term resilience by:

  • Running Node.js processes with minimal privileges to limit escalation pathways.
  • Using container isolation with restricted capabilities so attackers cannot break out of the runtime environment.
  • Leveraging Runtime Application Self-Protection (RASP) to block suspicious behavior from inside the application.
  • Regularly scanning and patching JavaScript dependencies to eliminate known vulnerabilities before attackers exploit them.

The Impact of CVE-2025-55182 So Far

This vulnerability is already being exploited in the wild. Key developments include:

  • Amazon Threat Intelligence reported exploitation tied to China state-nexus threat actors within 24 hours of disclosure.
  • A public Proof-of-Concept (PoC) was released by Davidson on December 4.
  • Earlier exploitation attempts required certain configurations, but new PoCs work against default setups, increasing the likelihood of widespread attacks.
  • Companies in financial services, technology, and e-commerce have already observed reconnaissance and attempted exploitation.

Given the critical severity and the speed at which attacker activity is increasing, organizations should treat this as a high-priority incident requiring immediate action.

Protect Your React Applications Today

BD Emerson’s security experts are actively helping organizations assess exposure, patch vulnerable systems, and deploy compensating controls for CVE-2025-55182. If your applications rely on React, Next.js, or any RSC-enabled framework, time is critical.

Contact BD Emerson today for a rapid assessment

CVE-2025-55182 (React2Shell): What You Need to Know About the React Server Component Vulnerability

About the author

Danielle, Marketing Manager, BD Emerson

As Marketing Manager at BD Emerson, Danielle drives revenue growth through strategic marketing initiatives that amplify brand visibility, attract high-value clients, and strengthen partnerships. She oversees the planning, research, and creation of compelling content—including blog articles, social media campaigns, website optimization, and digital/print collateral—that not only engage audiences but also convert leads into long-term clients.

FAQs

Is my application vulnerable if I don’t use Server Functions?

Yes. Many frameworks enable React Server Components by default. Even if you don’t explicitly use RSC features, the vulnerable code may still be present.

Does this affect client-only React apps?

Pure client-side React applications are not affected; however, full-stack apps using RSC (e.g., Next.js App Router) are.

How hard is this vulnerability to exploit?

With public PoCs now available, exploitation requires minimal expertise, which makes it extremely dangerous.

Can I rely on firewall rules alone as a fix?

No. WAF rules may reduce risk temporarily, but they cannot replace patching or addressing the underlying deserialization flaw.

Do I need to update dependencies beyond React and Next.js?

Yes. Any tooling, plugins, or frameworks that bundle the RSC runtime must be updated as well.

How can BD Emerson help?

We offer:

  • Vulnerability exposure assessments
  • Patch and configuration guidance
  • Threat monitoring
  • Long-term application and cloud security programs
