The cybersecurity business is on excessive alert following the disclosure of a crucial React vulnerability that may be exploited by a distant, unauthenticated attacker for distant code execution.
React (React.js) is an open supply JavaScript library designed for creating utility consumer interfaces. Maintained by Meta and a big group of corporations and particular person builders from all over the world, React is broadly used: it reportedly powers hundreds of thousands of internet sites, it’s utilized by standard on-line providers (Airbnb, Instagram, Netflix), and its core NPM package deal presently has 55 million weekly downloads.
In an advisory printed on Wednesday, React builders knowledgeable customers in regards to the availability of patches for CVE-2025-55182, an unauthenticated distant code execution vulnerability that has been assigned a CVSS rating of 10.
The safety gap impacts variations 19.0, 19.1.0, 19.1.1, and 19.2.0, and it has been patched with the discharge of variations 19.0.1, 19.1.2, and 19.2.1.
Dubbed React2Shell by the cybersecurity group, the problem was reported to React builders on November 29 by Lachlan Davidson.
The vulnerability is expounded to “how React decodes payloads despatched to React Server Perform endpoints”, and builders have been informed that even when their utility doesn’t implement any React Server Perform endpoints, it may nonetheless be weak if React Server Elements (RSC) are supported.
On the time of writing there don’t seem like any stories of in-the-wild exploitation. Nonetheless, lower than 24 hours after disclosure, not less than one proof-of-concept (PoC) exploit has been developed and the vulnerability has been added to scanners.
It’s price mentioning that the React-powered net growth framework Subsequent.js can be affected by CVE-2025-55182. Vercel, the developer of Subsequent.js, has tried to assign its personal CVE identifier, CVE-2025-66478, but it surely has been rejected as a replica of CVE-2025-55182.Commercial. Scroll to proceed studying.
Frameworks corresponding to React Router RSC, Vite RSC plugin, Parcel RSC plugin, RedwoodSDK, and Waku may additionally be weak, based on cloud safety agency Wiz.
Wiz mentioned the vulnerability impacts default configurations, and it may be simply and reliably exploited utilizing specifically crafted HTTP requests.
The safety agency reported that, primarily based on its information, 39% of cloud environments include weak React cases.
[ Read: Critical Flaw in React Native NPM Package Exposes Developers to Attacks ]
Many members of the cybersecurity business seem to imagine that in-the-wild exploitation of React2Shell is imminent.
Justin Moore, senior supervisor of menace intel analysis at Palo Alto Networks’ Unit 42, described the vulnerability as a “grasp key exploit, succeeding not by crashing the system, however by abusing its belief in incoming information buildings”.
“The system executes the malicious payload with the identical reliability as legit code as a result of it operates precisely as meant, however on malicious enter,” Moore mentioned in an emailed assertion.
“On condition that Unit 42 has recognized over 968,000 servers operating widespread fashionable frameworks like React and Subsequent.js, and that just about 40% of cloud environments are uncovered, the steadiness of this flaw means it’s now not a query of if attackers will use it, however when it is going to be broadly exploited,” he added.
However, Kevin Beaumont, a good safety researcher, sought to “derail the hype prepare” on Wednesday, noting that the vulnerability is restricted to the newer model 19, and solely impacts purposes that use React Server, which he described as a brand new characteristic.
Firms react to React2Shell
Google Cloud has rolled out net utility firewall (WAF) guidelines to detect and block CVE-2025-55182 exploitation makes an attempt.
AWS has additionally launched new WAF guidelines to dam assaults, with clients utilizing managed providers knowledgeable that they aren’t impacted and no motion is required.
Cloudflare has additionally deployed protections throughout its community that robotically defend all clients so long as their React utility visitors is proxied by means of the Cloudflare WAF.
Internet growth firm Netlify has rolled out the React patches to forestall exploitation towards clients’ web sites.
F5 is investigating potential affect on its merchandise, however on the time of writing it has not recognized any affected merchandise.
The checklist of safety corporations that assist organizations detect weak cases and defend them towards potential exploitation makes an attempt contains Akamai, Orca Safety, Tenable, Aikido, and Miggo.
Associated: CISA Warns of ScadaBR Vulnerability After Hacktivist ICS Assault
Associated: GlassWorm Malware Returns to Open VSX, Emerges on GitHub
