Critical Alert: CVE-2025-55182 (“React2Shell”) Puts Web Apps at Risk

Category: Site News

A severe security flaw, tracked as CVE-2025-55182 and nicknamed “React2Shell,” has been disclosed, posing a significant threat to modern web applications. This vulnerability allows an attacker to achieve unauthenticated remote code execution (RCE) on servers running affected software, effectively granting them complete control over the system.

What is CVE-2025-55182?

CVE-2025-55182 is a critical vulnerability with the highest possible CVSS score of 10.0. It affects applications that use React Server Components (RSC) and the popular Next.js framework, which is built on React. The flaw stems from an insecure deserialization issue in the “Flight” data format protocol, which is used to communicate between the server and client in RSC-enabled applications. By sending a specially crafted malicious payload, an unauthenticated remote attacker can exploit this flaw to execute arbitrary code on the server.

Who is Affected?

If your web application’s technology stack includes any of the following, you are likely at risk:

  • Next.js: The popular full-stack React framework is heavily impacted.
  • React.js: Any application directly implementing React Server Components is vulnerable.
  • React Router: Applications using this library with Server Components are also affected.

In short, any modern web framework or application that leverages React Server Components for server-side rendering is a potential target.

Active Exploitation in the Wild

This is not a theoretical threat. Following its public disclosure on December 3, 2025, security researchers observed widespread and immediate exploitation attempts. Multiple advanced threat groups, including some with ties to China, were actively scanning the internet for vulnerable systems and launching attacks within hours of the announcement. This underscores the urgency of applying patches immediately.

How to Protect Your Systems

The only way to mitigate this vulnerability is to update your dependencies to the patched versions. The React and Vercel (creators of Next.js) teams have released security updates to address the issue.

  1. Update Next.js: Upgrade your Next.js application to the latest patched version. Check the official Next.js or Vercel security advisory for the specific version numbers.
  2. Update React: If you are using React Server Components outside of Next.js, update your React packages to the newest secure versions.
  3. Check All Dependencies: Audit your entire project’s dependencies, including libraries like React Router, to ensure no component remains vulnerable.
  4. Deploy Immediately: Do not delay. Given the active exploitation, every hour your system remains unpatched increases your risk of compromise.
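As an added example for step 3, and not code from this article or from the React or Next.js projects: a Node.js script that walks an npm lockfile (lockfileVersion 2 or 3) and reports every installed copy of the affected packages, nested duplicates included, that is older than the patched minimum. The package set and minimum versions are placeholders to be filled in from the official advisories; the sample lockfile and its version numbers are constructed for the demo.

```javascript
// Added example (not the article's code): audit an npm lockfile (v2/v3) for
// every installed copy of the advisory's packages, nested ones included.
// Package list and minimum versions are PLACEHOLDERS; take the real values
// from the official React and Next.js security advisories.

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(path) {
  const parts = path.split("node_modules/");
  return parts[parts.length - 1];
}

// Compare "major.minor.patch" versions numerically; a pre-release suffix
// ranks below the bare release (15.0.0-canary.1 < 15.0.0).
function compareVersions(a, b) {
  const [aCore, aPre] = a.split("-");
  const [bCore, bPre] = b.split("-");
  const an = aCore.split(".").map(Number);
  const bn = bCore.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((an[i] || 0) !== (bn[i] || 0)) return (an[i] || 0) - (bn[i] || 0);
  }
  if (aPre && !bPre) return -1;
  if (!aPre && bPre) return 1;
  return 0;
}

// Every lockfile entry whose package is in `minimumSafe` and whose installed
// version is older than that minimum. Nested copies are caught because the
// lockfile keys every installed path, not only top-level dependencies.
function findVulnerableEntries(lockfile, minimumSafe) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "" || !entry.version) continue; // "" is the root project
    const name = packageNameFromPath(path);
    const minimum = minimumSafe[name];
    if (minimum && compareVersions(entry.version, minimum) < 0) {
      findings.push({ path, name, version: entry.version, minimum });
    }
  }
  return findings;
}

// Constructed sample lockfile with a nested, older react-server-dom-webpack.
const sampleLockfile = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/next": { version: "15.0.0" },
  "node_modules/react-server-dom-webpack": { version: "19.0.1" },
  "node_modules/some-lib/node_modules/react-server-dom-webpack": { version: "19.0.0" },
} };
// Hypothetical minimums for the demo only, NOT the advisory's numbers.
const sampleMinimumSafe = { next: "15.0.1", "react-server-dom-webpack": "19.0.1" };
```

For a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and a minimum-version map copied from the advisories; an empty result means no installed copy is below those minimums.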

Conclusion

CVE-2025-55182 represents one of the most critical web application vulnerabilities in recent memory. Its combination of a high CVSS score, ease of exploitation (unauthenticated), and active exploitation by threat actors makes it a top-priority issue for all developers and system administrators. Immediate action is required to secure your infrastructure.