Torrance, California, United States, December 12th, 2025, CyberNewsWire
In December 2025, CVE-2025-55182 (React2Shell), a vulnerability in React Server Components (RSC) that permits remote code execution (RCE), was publicly disclosed.
Shortly after publication, a number of security vendors reported scanning activity and suspected exploitation attempts, and CISA has since added the flaw to its Known Exploited Vulnerabilities (KEV) catalog.
React2Shell is not tied to a specific framework; rather, it stems from a structural weakness in the RSC feature that affects the broader React ecosystem.
This article examines the technical basis of React2Shell, the exposure landscape of services using RSC, observed attacker activity, and the defensive strategies organizations should adopt.
React2Shell Vulnerability Overview: A Structural Flaw Allowing RCE Without Authentication
CVE-2025-55182 is caused by a validation flaw in the deserialization process of the Flight protocol, which React Server Components use to exchange state between the server and client.
An attacker can achieve RCE simply by sending a crafted payload to the Server Functions endpoint without authentication, and because a PoC is already publicly available, the vulnerability is highly susceptible to automated attacks.
The impact extends to all services that use RSC, and because frameworks such as Next.js, React Router RSC, Waku, Vite RSC Plugin, Parcel RSC Plugin, and RedwoodJS share the same underlying structure, the broader React ecosystem is collectively exposed.
The official patch is available in react-server-dom-* packages version 19.0.1 / 19.1.2 / 19.2.1 or later, and the vulnerability is rated CVSS 10.0, indicating critical severity.
Exposure Analysis of React2Shell-Affected Assets Using Criminal IP
React2Shell is difficult to detect using traditional product banners or HTML content alone.
React-based services are designed so that RSC components are not externally exposed, and frameworks like Next.js, which vendor React modules internally, make it even harder to identify the underlying technology stack.
As a result, simple banner-based detection methods cannot reliably determine whether RSC is enabled or whether a service is exposed to this vulnerability.
In real-world environments, the most reliable detection method is to identify systems based on their HTTP response headers, and servers with RSC enabled consistently exhibit the following values.
Criminal IP Search Query: “Vary: RSC, Next-Router-State-Tree”
Users can detect RSC-enabled servers in the United States using Criminal IP by applying queries based on these header patterns.
Criminal IP Search Query: “Vary: RSC, Next-Router-State-Tree” country: “US”
According to the Criminal IP Asset Search results, the query “Vary: RSC, Next-Router-State-Tree” country: “US” identified a total of 109,487 RSC-enabled assets.
This header pattern indicates that RSC is active on these servers. While it does not mean that all of them are vulnerable, it is a significant indicator of the large-scale exposure surface that exists.
When examining the analysis results for a specific asset in Criminal IP, the server was found to have ports 80 and 443 exposed externally, and its response headers, SSL certificate details, vulnerability list, and Exploit DB associations could all be reviewed in a single unified page.
On this asset, indicators related to React2Shell were identified alongside other critical vulnerabilities, including CVE-2023-44487 (HTTP/2 Rapid Reset), which has been widely abused in large-scale DDoS attacks.
This demonstrates how Criminal IP Asset Search provides multiple analysis layers that help assess whether an environment is realistically exploitable by attackers.
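The same header-based check can be run against an organization's own asset inventory to find RSC-enabled servers before an external scanner does. The following script is an added example, not code from the article or from Criminal IP: it parses raw HTTP response captures and flags any host whose Vary header carries both the RSC and Next-Router-State-Tree tokens named above. The captures, host names and the helper function names are constructed for the example.

```javascript
// Added example (not from the original article): flag RSC-enabled servers
// from captured HTTP response headers using the Vary tokens the article
// identifies. All captures below are constructed sample data.

// Tokens that, together, mark an RSC-enabled (Next.js App Router) server.
const RSC_MARKERS = ["rsc", "next-router-state-tree"];

// Parse the status line plus header lines of a raw HTTP response into a
// Map of lower-cased header name -> array of values (repeated headers kept).
function parseHeaders(raw) {
  const headers = new Map();
  const lines = raw.split(/\r?\n/);
  for (const line of lines.slice(1)) {       // skip the status line
    if (line.trim() === "") break;           // blank line ends the header block
    const i = line.indexOf(":");
    if (i < 0) continue;                     // tolerate malformed lines
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(value);
  }
  return headers;
}

// Vary is a comma-separated token list and may be sent more than once;
// gather every token, normalized to lower case.
function varyTokens(headers) {
  return (headers.get("vary") ?? [])
    .flatMap((v) => v.split(","))
    .map((t) => t.trim().toLowerCase())
    .filter(Boolean);
}

// True when every RSC marker token is present in Vary.
function isRscEnabled(rawResponse) {
  const tokens = new Set(varyTokens(parseHeaders(rawResponse)));
  return RSC_MARKERS.every((m) => tokens.has(m));
}

// Return the host names whose captured response indicates RSC is active.
function findRscHosts(captures) {
  return captures.filter((c) => isRscEnabled(c.response)).map((c) => c.host);
}

// Constructed captures: one Next.js-style response, one plain static server,
// and one server that splits Vary across two header lines.
const SAMPLE_CAPTURES = [
  {
    host: "app.example.test",
    response:
      "HTTP/1.1 200 OK\r\n" +
      "Vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Accept-Encoding\r\n" +
      "Content-Type: text/html; charset=utf-8\r\n\r\n<!DOCTYPE html>",
  },
  {
    host: "static.example.test",
    response:
      "HTTP/1.1 200 OK\r\nServer: nginx\r\nVary: Accept-Encoding\r\n\r\n<html>",
  },
  {
    host: "split.example.test",
    response:
      "HTTP/1.1 200 OK\r\nVary: rsc\r\nVary: Next-Router-State-Tree\r\n\r\n",
  },
];

console.log("RSC-enabled hosts:", findRscHosts(SAMPLE_CAPTURES));
```

As the article notes, a positive match means RSC is active, not that the host is vulnerable; treat the output as a worklist for the version checks under the mitigation section.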
Security Mitigation Strategies
1. Immediate Update of React-Related Packages
Organizations should immediately update all React-related packages to their latest patched releases.
The react-server-dom-webpack package must be upgraded to version 19.0.1, 19.1.2, or 19.2.1, while react-server-dom-parcel and react-server-dom-turbopack should be updated to version 19.0.1 or later to ensure they are protected from the vulnerability.
2. Verify Patch Availability for Each Framework
React RSC is used across multiple frameworks, including Next.js, Vite, Parcel, and RedwoodJS. Notably, Next.js vendors RSC internally, meaning that updating React packages alone may not automatically apply the fix.
Therefore, it is essential to review each framework’s official security advisories or release notes and upgrade to the version in which the vulnerability has been addressed.
3. Minimize External Exposure of RSC Endpoints
Whenever possible, restrict access using a reverse proxy, WAF or authentication gateway.
4. Leverage Criminal IP for Monitoring
Monitor exposure of RSC-related headers
Detect scanning attempts based on TLS fingerprints
Automatically block malicious scanning IPs
Check for vulnerability presence and related Exploit DB entries
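Because the fix landed on three separate 19.x release lines, a version check has to be keyed by minor line: 19.1.0 is newer than 19.0.1 yet still unpatched. The script below is an added example, not code from the article, React, or Criminal IP. It audits a package-lock.json (lockfileVersion 2/3 layout, where packages are keyed by their node_modules path) for the three react-server-dom-* packages the article names and classifies each against the patched versions it quotes. The sample lockfile and the function names are constructed for the example; versions below 19 are reported for manual review because the article's fix list does not describe them.

```javascript
// Added example (not from the original article): audit a package-lock.json
// for the react-server-dom-* packages named in the article and classify each
// installed version against the patched releases the article quotes.

// Packages the article lists as affected.
const AFFECTED = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// First fixed release on each 19.x minor line (from the article's figures).
// A plain ">= 19.0.1" comparison would wrongly accept 19.1.0 and 19.2.0.
const FIRST_FIXED = new Map([
  [0, [19, 0, 1]],
  [1, [19, 1, 2]],
  [2, [19, 2, 1]],
]);

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into numbers plus tag.
function parseVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(text.trim());
  if (!m) throw new Error(`unparseable version: ${text}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] ?? null };
}

function compareNums(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns "patched", "vulnerable", or "review" (a line the article's fix
// list does not cover, left for manual checking against the advisory).
function assessVersion(version) {
  const v = parseVersion(version);
  const [major, minor] = v.nums;
  if (major > 19) return "patched";        // "or later" in the article
  if (major < 19) return "review";
  const fixed = FIRST_FIXED.get(minor);
  if (!fixed) return "patched";            // 19.3+ falls under "or later"
  const c = compareNums(v.nums, fixed);
  if (c < 0) return "vulnerable";
  // A prerelease of the fixed version (e.g. 19.2.1-canary-...) sorts
  // before the release itself under semver, so it does not carry the fix.
  if (c === 0 && v.prerelease) return "vulnerable";
  return "patched";
}

// Walk the lockfile's "packages" map; nested installs such as
// node_modules/a/node_modules/react-server-dom-webpack are included.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0 || !entry.version) continue;
    const name = path.slice(idx + "node_modules/".length);
    if (!AFFECTED.has(name)) continue;
    findings.push({ name, path, version: entry.version, status: assessVersion(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile (not a real project).
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { next: "15.0.0" } },
    "node_modules/react-server-dom-webpack": { version: "19.1.0" },
    "node_modules/react-server-dom-parcel": { version: "19.2.1" },
    "node_modules/some-lib/node_modules/react-server-dom-turbopack": {
      version: "19.2.1-canary-abc123-20251101",
    },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
}
```

Run it with `node` against the real lockfile by replacing SAMPLE_LOCK with the parsed file contents. As step 2 stresses, a clean result here does not cover a framework that vendors RSC internally (such as Next.js), whose own patched release must still be confirmed separately.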
Analysis Conclusion
React2Shell (CVE-2025-55182) is a critical vulnerability affecting the most widely used React-based services across the web ecosystem. With low exploitation complexity and publicly available PoCs, active attacks are spreading rapidly.
According to Criminal IP analysis, approximately 110,000 RSC-enabled services in the United States are exposed, underscoring the substantial risk of widespread exploitation.
In addition to applying patches, identifying exposed RSC services and conducting real-time monitoring are essential components of an effective React2Shell response strategy.
Criminal IP provides one of the most effective tools for accurately mapping this attack surface and strengthening defensive measures.
In relation to this, users can refer to Next.js Middleware Vulnerability Allows Authentication Bypass: Over 520K Assets at Risk.
About Criminal IP
Criminal IP is the flagship cyber threat intelligence platform developed by AI SPERA. The platform is used in more than 150 countries and provides comprehensive threat visibility through enterprise security solutions such as Criminal IP ASM and Criminal IP FDS.
Criminal IP continues to strengthen its global ecosystem through strategic partnerships with Cisco, VirusTotal and Quad9.
The platform’s threat data is also available through major US data warehouse marketplaces including Amazon Web Services (AWS), Microsoft Azure and Snowflake. This expansion improves global access to high-quality threat intelligence from Criminal IP.
Contact
Michael Sena
AI SPERA
