■ What Happened
The vulnerability lies in React’s Flight protocol, the serialization format used by Server Components (RSC).
Unsafe deserialization of Flight protocol data leads to remote code execution, which makes it extremely dangerous for any public-facing application.
Key points:
- CVSS 10.0 (maximum severity)
- Pre-auth RCE — no login required
- Affects major frameworks such as Next.js, React Router, Vite RSC, Parcel RSC
- Exploitation success rate reported as very high
Even if your project doesn’t explicitly use Server Functions, RSC-enabled builds remain vulnerable.
■ Affected Versions
You are likely exposed if:
- You use React 19.x (19.0.0–19.2.0 especially)
- You have RSC-related packages such as react-server-dom-webpack
- Your framework supports RSC (Next.js, React Router, Vite RSC, Parcel RSC)
- Your application is deployed on a public cloud environment
In my own tests, even default Next.js templates activated RSC under the hood, meaning many developers are unknowingly affected.
■ How to Fix It
The only reliable remediation is upgrading to patched versions.
▼ React
- 19.0.1
- 19.1.2
- 19.2.1
▼ Next.js
- Update to the latest security-patched stable release.
▼ Temporary Mitigations
Use these only if you cannot update immediately:
- Enable WAF rules to block malicious RSC access
- Apply layer-7 filtering via CDN
- Monitor server logs for abnormal requests
Again: Updating is the only complete fix.
■ Why You Must Act Now
- PoC attacks surfaced immediately after disclosure
- Threat groups—including state-backed actors—have begun active scanning
- Up to 40% of cloud-hosted apps use affected configurations
- Public-facing services are particularly attractive targets
Every hour of delay increases your risk.
■ Summary
CVE-2025-55182 is one of the most critical RCE threats ever observed in the React ecosystem.
If you maintain applications built with React or Next.js, check your dependencies now and apply the patch before exposing your system to unnecessary danger.
■ Reference URLs
- Critical RSC Bugs in React and Next.js
  https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html
- Critical React & Next.js RCE Vulnerability
  https://www.aikido.dev/blog/react-nextjs-cve-2025-55182-rce
- AWS Security Blog: Rapid Exploitation of React2Shell
  https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
- GreyNoise Observation Report
  https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far
- Unit42 Technical Analysis
  https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-next/
- HelpNetSecurity Report
  https://www.helpnetsecurity.com/2025/12/04/react-node-js-vulnerability-cve-2025-55182/
- CyberScoop Insight
  https://cyberscoop.com/react-server-vulnerability-critical-severity-security-update/
- Wiz Security Deep Dive
  https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182