Aggregator
Kubernetes Attack and Defense Exercises: Ten Security Vulnerability Detection Tools
When ERP Systems Become the Attack Surface
When a critical vulnerability surfaces in ERP systems such as the Oracle E-Business Suite flaw, attackers can go well beyond a single compromised server. The flaw exposed the need for cyber professionals who understand enterprise architecture, secure configuration and vulnerability interpretation.
Utilities Warn US Grid at Risk as Federal Cyber Funds Dry Up
Cybersecurity leaders told Congress that U.S. energy systems are already compromised by state-backed actors - chiefly China - and warned that shrinking federal support for grid security programs threatens to worsen exposure as utilities face escalating threats with limited resources.
CISA Warns of Severe Flaws in Nuclear Med Tracking Software
U.S. federal authorities are warning that several high-severity vulnerabilities discovered in Mirion Medical Co. inventory tracking software used by nuclear medicine departments could allow attackers to modify program executables and gain access to sensitive information.
Censys: The Change from Old to New
RALord
In-depth Analysis of the Silent Lynx APT Group's Cyber-Espionage Campaign Targeting the China-Central Asia Summit
JNDI + JavaBeanObjectFactory: Achieving a Bypass on Higher Versions
Doubao Phone May Have "Privacy Issues", Official Response: Screens Are Not Stored in the Cloud; Li Auto Releases AI Glasses for 1,699 Yuan; Micron Exits Retail Storage | 极客早知道 (Geek Morning Brief)
Smashing Security podcast #446: A hacker doxxes himself, and social engineering-as-a-service
Reproduced! RCE Vulnerability Found in React/Next.js Components, Immediate Investigation Recommended
CVE-2025-55182: Frequently Asked Questions About React2Shell: React Server Components Remote Code Execution Vulnerability
A maximum severity vulnerability (CVSS 10) was discovered in React, one of the most popular JavaScript frameworks. If your app supports React Server Components, you are likely vulnerable out of the box, even if you aren’t using Server Functions explicitly. Patch immediately.
Change log
Update December 5: This FAQ blog has been updated to note the release of an official proof-of-concept from Lachlan Davidson and reports of attempted exploitation in the wild.
Update December 4: This FAQ blog has been updated to include a reference to the official react2shell website, confirmation that a public proof-of-concept exists, and a CVE reference change in our Next.js plugin.
Background
Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding React2Shell, a critical vulnerability in React Server Components.
FAQ
What is the React Server Component (RSC) vulnerability?
On December 3, 2025, the React Team published a blog post regarding a critical vulnerability affecting React Server Components.
What is the vulnerability that was disclosed to the React Team?
The React Team confirmed the presence of one critical vulnerability:
CVE             Description                                                    CVSSv3
CVE-2025-55182  React Server Components Remote Code Execution Vulnerability    10.0

This vulnerability was disclosed to the React Team by Lachlan Davidson on November 29, 2025. Davidson has since created a website called react2shell.com.
What is CVE-2025-55182?
CVE-2025-55182 is an unsafe deserialization vulnerability in RSC. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted payload to a vulnerable React Server Function endpoint. Successful exploitation could result in remote code execution on the server.
Are we still vulnerable if our app doesn’t use React Server Functions endpoints?
Potentially. According to the React Team, even if React Server Functions are not in-use, the vulnerability is still exploitable if React Server Components are supported.
What is React2Shell?
“React2Shell” is the name given to CVE-2025-55182, a nod to the Log4Shell vulnerability.
Logo created by Tenable Research Special Operations, inspired by the iconic Log4Shell logo.
Is there a proof-of-concept (PoC) available for this vulnerability?
At the time this blog post was published on December 3, there were no confirmed public PoC exploits for CVE-2025-55182 that work against default configurations. However, on December 4, a working proof-of-concept was made public. Lachlan Davidson also published an official proof-of-concept on December 4.
What React Server Components are vulnerable?
The following components have been confirmed to be vulnerable:
Affected Component          Affected Versions
react-server-dom-parcel     19.0, 19.1.0, 19.1.1, 19.2.0
react-server-dom-turbopack  19.0, 19.1.0, 19.1.1, 19.2.0
react-server-dom-webpack    19.0, 19.1.0, 19.1.1, 19.2.0

However, other frameworks that bundle React are impacted as well, including Next.js, React Router, Expo, Redwood SDK, Waku and more.
Did Next.js publish their own advisory and CVE?
Yes, the Next.js team published a security advisory and their own CVE, CVE-2025-66478. However, the National Vulnerability Database (NVD) rejected this CVE as a duplicate of CVE-2025-55182.
What Next.js versions are affected?
Affected versions of Next.js that use the App Router are vulnerable, including:
Affected Next.js versions
15.0.4 and below
15.1.8 and below
15.2.5 and below
15.3.5 and below
15.4.7 and below
15.5.6 and below
16.0.6 and below
14.3.0-canary.77 and later releases

How severe is this vulnerability?
It has the potential to be very severe. In 2024, according to the State of JavaScript, an annual developer survey of the JavaScript ecosystem, React was used by 82% of respondents.
What adds to the elevated severity is the fact that exploitation can occur in apps that support React Server Components, even if the React Server Function endpoints are not in use.
Has CVE-2025-55182 been exploited in the wild?
On December 4, Amazon Threat Intelligence published a blog post linking exploitation attempts of React2Shell to China state-nexus threat groups leveraging public exploits "within hours."
It is important to note the PoCs used in these exploitation attempts required specific configurations. However, now that public PoC exploits against default configurations are available, we anticipate an escalation of exploitation by threat actors, ransomware affiliates and opportunistic cybercriminals.
Are patches or mitigations available for CVE-2025-55182?
Yes, the React Team published the following fixed versions of React Server Components:
React Server Component      Fixed Versions
react-server-dom-parcel     19.0.1, 19.1.2, 19.2.1
react-server-dom-turbopack  19.0.1, 19.1.2, 19.2.1
react-server-dom-webpack    19.0.1, 19.1.2, 19.2.1

The following are fixed versions of Next.js:

Fixed Next.js versions
15.0.5
15.1.9
15.2.6
15.3.6
15.4.8
15.5.7
16.0.7

For additional update instructions for React Router, Expo, Redwood SDK, Waku and others, please visit the React Team’s blog.
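The affected and fixed version tables above are what a triage script needs. The following Node.js script is an added example written for this FAQ; it is not Tenable's, the React Team's or Vercel's code. It encodes only the version data the tables state, compares installed versions with a small hand-written semver comparison (so it needs no npm dependencies), and walks the "packages" map of a package-lock.json (lockfile v2/v3 format) to report every copy of next and the react-server-dom-* packages, including nested copies. The sample lockfile is constructed here; "19.0" in the table is assumed to mean the published 19.0.0, and "14.3.0-canary.77 and later releases" is assumed to mean 14.3.0 canaries numbered 77 and up. Versions the tables do not cover are reported as "unknown" rather than guessed.

```javascript
// Added example (not from the page's authors): flag vulnerable/fixed versions
// from the CVE-2025-55182 tables in an npm lockfile. No external packages.

// Version data exactly as the tables above list it.
const RSC_PACKAGES = ["react-server-dom-parcel", "react-server-dom-turbopack", "react-server-dom-webpack"];
const RSC_AFFECTED = ["19.0.0", "19.1.0", "19.1.1", "19.2.0"]; // assumption: "19.0" on the page is 19.0.0
const RSC_FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" }; // fixed release per minor line
const NEXT_RULES = [
  // "X and below" in the affected list pairs with the fixed release of the same minor line.
  { line: "15.0", lastVulnerable: "15.0.4", fixed: "15.0.5" },
  { line: "15.1", lastVulnerable: "15.1.8", fixed: "15.1.9" },
  { line: "15.2", lastVulnerable: "15.2.5", fixed: "15.2.6" },
  { line: "15.3", lastVulnerable: "15.3.5", fixed: "15.3.6" },
  { line: "15.4", lastVulnerable: "15.4.7", fixed: "15.4.8" },
  { line: "15.5", lastVulnerable: "15.5.6", fixed: "15.5.7" },
  { line: "16.0", lastVulnerable: "16.0.6", fixed: "16.0.7" },
];
const NEXT_CANARY_FLOOR = "14.3.0-canary.77"; // assumption: this and later 14.3.0 canaries are affected

// Minimal semver parser: major.minor.patch with optional -prerelease and +build.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split(".") : [] };
}

// Prerelease identifier precedence per the semver spec: numeric < alphanumeric, numerics compare as numbers.
function compareIds(a, b) {
  const an = /^\d+$/.test(a), bn = /^\d+$/.test(b);
  if (an && bn) return Math.sign(Number(a) - Number(b));
  if (an) return -1;
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1 for x < y, x == y, x > y. A release outranks its own prereleases.
function compareSemver(x, y) {
  const a = parseSemver(x), b = parseSemver(y);
  for (const k of ["major", "minor", "patch"]) if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  if (a.pre.length === 0 || b.pre.length === 0) return Math.sign(b.pre.length - a.pre.length);
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) { const c = compareIds(a.pre[i], b.pre[i]); if (c) return c; }
  return Math.sign(a.pre.length - b.pre.length);
}

function assessRsc(version) {
  const v = parseSemver(version);
  const fixed = RSC_FIXED[`${v.major}.${v.minor}`] || null;
  if (RSC_AFFECTED.some((a) => compareSemver(a, version) === 0)) return { status: "vulnerable", fixed };
  if (fixed && compareSemver(version, fixed) >= 0) return { status: "fixed", fixed };
  return { status: "unknown", fixed }; // e.g. a prerelease the tables do not mention
}

function assessNext(version) {
  const v = parseSemver(version);
  if (v.major === 14 && v.minor === 3 && v.patch === 0 && v.pre[0] === "canary") {
    // The page lists no fixed canary build, so "fixed" stays null for this line.
    const hit = compareSemver(version, NEXT_CANARY_FLOOR) >= 0;
    return { status: hit ? "vulnerable" : "unknown", fixed: null };
  }
  const rule = NEXT_RULES.find((r) => r.line === `${v.major}.${v.minor}`);
  if (!rule) return { status: "unknown", fixed: null }; // minor line not covered by the tables
  if (compareSemver(version, rule.lastVulnerable) <= 0) return { status: "vulnerable", fixed: rule.fixed };
  if (compareSemver(version, rule.fixed) >= 0) return { status: "fixed", fixed: rule.fixed };
  return { status: "unknown", fixed: rule.fixed };
}

// null means the package is not one the tables cover (plain "react" is not listed).
function assess(name, version) {
  if (RSC_PACKAGES.includes(name)) return assessRsc(version);
  if (name === "next") return assessNext(version);
  return null;
}

// Walk lockfile "packages" keys such as "node_modules/a/node_modules/next".
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0 || !entry.version) continue; // skips the root project entry ""
    const name = path.slice(idx + "node_modules/".length);
    const result = assess(name, entry.version);
    if (result) findings.push({ path, name, version: entry.version, ...result });
  }
  return findings;
}

// Constructed sample lockfile (not a real project): one nested copy of next is a 14.3.0 canary.
const SAMPLE_LOCK = { name: "demo-app", lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/next": { version: "15.4.7" },
  "node_modules/react": { version: "19.2.0" },
  "node_modules/react-server-dom-webpack": { version: "19.1.1" },
  "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
  "node_modules/legacy-tool/node_modules/next": { version: "14.3.0-canary.80" },
} };

// Usage: node react2shell-check.js [path/to/package-lock.json]; without an argument the sample is used.
const lock = process.argv[2] ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
for (const f of scanLockfile(lock)) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version} (${f.path})${f.fixed ? ` -> upgrade to ${f.fixed}` : ""}`);
}
```

Because the tables give exact affected versions for the react-server-dom-* packages but "X and below" ranges for Next.js, the two assessors deliberately differ: an RSC version that is neither listed as affected nor at or above its line's fix is reported as "unknown" so that it is looked at by a person rather than silently passed. The lockfile walk reports nested copies too, which is where a stale framework version most often hides in a monorepo.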
Has Tenable released any product coverage for these vulnerabilities?
A list of Tenable plugins for this vulnerability can be found on the individual CVE page as they’re released:
This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.
Update: We originally linked our Next.js version check plugin to CVE-2025-66478. However, because NVD rejected this CVE as a duplicate, we have updated the plugin to reference the original React CVE, CVE-2025-55182.
Tenable Cloud Security customers can scan for the React2Shell vulnerability across your cloud workloads and docker images detected in your cloud environments:
Get more information
- React Team: Critical Security Vulnerability in React Server Components
- Next.js: Security Advisory: CVE-2025-66478
- Facebook Security Advisory: CVE-2025-55182
Join Tenable's Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.