React Server Components Vulnerability Found
7 Articles
A security vulnerability in React related to React Server Components was identified over the holiday weekend. On Nov. 29, Lachlan Davidson, a security consultant for the New Zealand-based security firm Carapace, reported the vulnerability. It allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. “Even if your app does not implement any React Server Function endpoi…
Critical React2Shell Flaw Added To CISA KEV After Confirmed Active Exploitation - Cybernoz - Cybersecurity News
Dec 06, 2025, Ravie Lakshmanan, Vulnerability / Patch Management. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday formally added a critical security flaw impacting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild. The vulnerability, CVE-2025-55182 (CVSS score: 10.0), relates to a case of remote code execution that could be triggered by…
Critical React2Shell Flaw Added to CISA KEV After Confirmed Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday formally added a critical security flaw impacting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild. The vulnerability, CVE-2025-55182 (CVSS score: 10.0), relates to a case of remote code execution that could be triggered by an
2.15M Web Services Running Next.js Exposed Over Internet, Active Exploitation Underway – Patch Now
A critical unauthenticated remote code execution vulnerability dubbed “React2Shell” is actively being exploited in the wild, putting millions of web services at risk. On December 3, React disclosed CVE-2025-55182, a critical flaw in React Server Components with a CVSS score of 10. The vulnerability stems from insecure deserialization within the “Flight” protocol used by React […]
From React to Remote Code - Protecting Against the Critical React2Shell RCE Exposure
A critical remote code execution (RCE) vulnerability, dubbed ‘React2Shell’, affecting React Server Components (RSC) and Next.js, is allowing unauthenticated attackers to perform server-side code attacks via malicious HTTP requests. Discovered by Lachlan Davidson, the flaw stems from insecure deserialization in the RSC ‘Flight’ protocol and impacts packages including react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopac…
React2Shell (CVE-2025-55182): A Critical RCE in React Server Components
By Flare Research. React2Shell is a newly disclosed vulnerability (CVE-2025-55182) that has exposed a critical flaw at the core of React Server Components (RSC), enabling unauthenticated remote code execution (RCE) in applications using React 19 and frameworks built on top of RSC, most notably Next.js. Current telemetry suggests that more than 1.4 million publicly accessible instances worldwide are running vulnerable versions, creating a massive …
Coverage Details
Bias Distribution
- 100% of the sources are Center

