A critical remote code execution vulnerability, CVE-2025-55182, in Meta's React Server Components has been actively exploited in the wild, leading to significant security breaches. The flaw, dubbed "React2Shell," affects versions 19.0.0 through 19.2.0 of the React Server Components, including packages like react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. This vulnerability, which has a maximum CVSS score of 10, allows for pre-authentication remote code execution due to unsafe deserialization of payloads.
The vulnerability was publicly disclosed on December 3, 2025, and within just over a day, attackers began exploiting it. The rapid exploitation underscores the critical nature of the flaw, which has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. The vulnerability's exploitation potential is high, with an Exploit Prediction Scoring System (EPSS) score of 0.845, and a Proof-of-Concept (PoC) exploit is widely available, with over 450 instances circulating online.
In the wake of the disclosure, attackers have targeted over 766 Next.js hosts, successfully stealing credentials and compromising systems. The exploitation has been linked to ransomware attacks, with threat actors leveraging the vulnerability to deploy malicious payloads. Notably, China-nexus cyber threat groups have been identified as key actors in these attacks, rapidly exploiting the vulnerability to gain unauthorized access to systems.
The vulnerability's impact is extensive, threatening approximately 77,000 systems and over 30 organizations. The exploitation has not been limited to traditional IT environments; it has also affected smart home devices and crypto frontends, highlighting the broad attack surface exposed by this flaw.
Security experts have urged organizations using affected versions of React Server Components to apply patches immediately. Meta has released updates to mitigate the vulnerability, and organizations are advised to prioritize these updates to prevent further exploitation. Additionally, security teams should monitor for signs of compromise, such as unusual network traffic or unexpected system behavior, which may indicate an ongoing attack.
The urgency of patching is further emphasized by the vulnerability's inclusion in the KEV catalog, which mandates federal agencies to address the flaw by December 21, 2025. Organizations are also encouraged to implement additional security measures, such as web application firewalls and intrusion detection systems, to bolster defenses against potential exploitation.
As the cybersecurity community continues to respond to this critical threat, the React2Shell vulnerability serves as a stark reminder of the importance of timely patch management and proactive security measures in safeguarding digital assets.
CSURFACE