## https://sploitus.com/exploit?id=D6099C25-1141-56E6-8EF9-3CFD8897013F
# CVE-2025-55182 - React2Shell

> Pre-authentication RCE in React Server Components.

## Summary of the CVE

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, as shipped in the `react-server-dom-parcel`, `react-server-dom-turbopack`, and `react-server-dom-webpack` packages. The server-side code that decodes the RSC (Flight) payload of an HTTP request to a Server Function endpoint deserializes attacker-controlled data unsafely, so an unauthenticated client that can reach such an endpoint can obtain code execution on the server. The flaw is in the deserializer itself, not in any application code that uses it, which is why the React team's advisory (see References) treats every application serving Server Functions on an affected version as exploitable and lists 19.0.1, 19.1.2, and 19.2.1 as the patched releases; remediation is to upgrade the affected package (or the framework that bundles it) and redeploy.

## Affected Versions

- React Server Components packages `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack`: 19.0.0, 19.1.0, 19.1.1, 19.2.0
- Frameworks and bundlers that include or depend on those vulnerable packages, including Next.js, React Router, Waku, Parcel RSC, Vite RSC plugin, and RedwoodSDK. Note that Next.js vendors its own copy of `react-server-dom-webpack` under `next/dist/compiled`, so the vulnerable package does not appear as a separate entry in the application's lockfile; the `next` version itself has to be checked against the advisory's fixed list.
- Next.js App Router applications on 15.x, 16.x, and 14.3.0-canary.77 or later canary releases. Applications that use only the Pages Router do not serve React Server Components and are not affected by this issue.

## References

- [React Security Advisory - The React Team, Dec 3 2025](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- [NVD - CVE-2025-55182](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)
- [Github POC - Maximilian Sanft, Dec 2025](https://github.com/msanft/CVE-2025-55182)
- [React2Shell Scanner - Assetnote, Dec 2025](https://github.com/assetnote/react2shell-scanner)
- [Public Docker PoC lab - l4rm4nd, Dec 2025](https://github.com/l4rm4nd/CVE-2025-55182)
- [Docker vulnerable lab notes - Arul Kumar, Dec 5 2025](https://arulkumar.in/posts/react2shell-cve-2025-55182-docker-vulnerable-lab/)
- [CVE-details - CVSS Score 10.0](https://www.cvedetails.com/cve/CVE-2025-55182)