## https://sploitus.com/exploit?id=5773EA35-AE6F-5F32-8C58-AE355FF2E15B
# CVE-2025-55182 - React2Shell
Critical pre-authentication Remote Code Execution vulnerability in React Server Components (RSC), Next.js, and related frameworks.
## Details
| Field | Value |
|---|---|
| CVE ID | CVE-2025-55182 |
| Also known as | React2Shell, CVE-2025-66478 |
| CVSS Score | 10.0 (Critical) |
| Type | Pre-authentication RCE |
| Affected | React 19.0 through 19.2.0, Next.js (multiple versions) |
| Disclosed | December 3, 2025 |
| Patch | React 19.0.1, 19.1.2, 19.2.1 / Next.js 14.2.35+ |
## Description
React Server Components deserializes incoming HTTP POST request payloads without adequate security validation. An unauthenticated attacker can send a single crafted HTTP request containing a malicious serialized object. The backend deserializes and executes the attacker-provided payload under the Node.js runtime, resulting in full server compromise.
## Affected Versions
- `react-server-dom-webpack` < 19.0.1, < 19.1.2, < 19.2.1
- `react-server-dom-parcel` < 19.0.1, < 19.1.2, < 19.2.1
- `react-server-dom-turbopack` < 19.0.1, < 19.1.2, < 19.2.1
- Next.js < 14.2.35 (13.x), < 15.x patched versions
## Proof of Concept
See [`poc.py`](./poc.py) for vulnerability detection.
```bash
python3 poc.py --target https://target.com
```
## Mitigation
Upgrade to patched versions immediately:
```bash
npm install next@14.2.35
# or for React 19
npm install react@19.2.1 react-dom@19.2.1
```
If patching is not immediately possible:
- Disable Server Functions
- Deploy WAF rules to block malicious RSC flight payloads
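As an added example (not code from this repository), the Node.js script below checks the versions recorded in a `package-lock.json` (lockfile v2/v3 `packages` map, including nested copies) against the patched releases listed above for the three `react-server-dom-*` packages. The lockfile object is a constructed sample; Next.js itself is not checked.

```javascript
// Patched releases per minor line, taken from the Affected Versions list above.
const PATCHED = {
  "react-server-dom-webpack":   ["19.0.1", "19.1.2", "19.2.1"],
  "react-server-dom-parcel":    ["19.0.1", "19.1.2", "19.2.1"],
  "react-server-dom-turbopack": ["19.0.1", "19.1.2", "19.2.1"],
};

// Numeric compare of dotted versions; pre-release suffixes are ignored.
function cmp(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Vulnerable if below the fix of its own minor line (19.0.x -> 19.0.1, etc.).
// Minor lines newer than 19.2 are treated as patched; pre-19 is not affected.
function isVulnerable(pkg, version) {
  const fixes = PATCHED[pkg];
  if (!fixes) return false;
  const [major, minor] = version.split(".").map(Number);
  const fix = fixes.find(f => f.startsWith(`${major}.${minor}.`));
  if (fix) return cmp(version, fix) < 0;
  return major === 19 && cmp(version, fixes[0]) < 0;
}

// Walk every installed path in the lockfile; the last path segment is the name.
function findVulnerable(lock) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (path && meta.version && isVulnerable(name, meta.version)) {
      out.push({ name, version: meta.version, path });
    }
  }
  return out;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.1.2" },
    "node_modules/react-server-dom-parcel": { version: "19.0.0" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(findVulnerable(SAMPLE_LOCK)); // flags webpack 19.2.0 and parcel 19.0.0
}
```

To scan a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`.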
## References
- https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- https://vulners.com/cve/CVE-2025-55182
- https://nvd.nist.gov/vuln/detail/CVE-2025-55182
## Disclaimer
This repository is for educational and authorized security research purposes only. Do not use against systems you do not own or have explicit permission to test.
---
**Author:** [SentinelX](https://github.com/SentinelXofficial) · [Telegram](https://t.me/SentinelXsecurity)