## https://sploitus.com/exploit?id=80847AD0-3E2B-50B5-B830-54BAC603AD60
📌 CVE-2025-55182 — React2Shell
Critical Unauthenticated Remote Code Execution (RCE) in React Server Components
📖 Overview
CVE-2025-55182, informally dubbed React2Shell, is a critical remote code execution (RCE) vulnerability disclosed on December 3, 2025 in React Server Components (RSC) and related packages. The flaw allows an unauthenticated attacker to execute arbitrary code on vulnerable servers by sending a specially crafted HTTP request that is improperly deserialized by the server.
nvd.nist.gov
+1
This issue has the highest severity score (CVSS 10.0 / 9.x) and has been actively exploited in the wild by multiple threat actors, including state-linked groups and opportunistic malware campaigns.
Google Cloud
+1
🧠 Affected Software
The vulnerability impacts React Server Components and frameworks that incorporate them:
Technology Affected Versions
React RSC 19.0.0, 19.1.0, 19.1.1, 19.2.0
Next.js 14.x Canary, 15.x, 16.x (unpatched prior releases)
Packages react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack
⚠️ Description
React2Shell arises from unsafe deserialization of untrusted data in the React “Flight” protocol, which is used to communicate between clients and server components. When malicious payloads are deserialized without proper validation, they can manipulate internal object structures (such as prototypes) and lead to execution of attacker-controlled code on the server process.
Tarlogic Security
+1
This allows attackers to:
Achieve remote code execution (RCE) without authentication.
Execute commands with the web server’s privileges.
Potentially deploy backdoors, web shells, cryptominers, or pivot into internal networks