U.S. CISA Flags React Server Components Vulnerability
On December 6, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) officially listed a serious security vulnerability impacting React Server Components (RSC) in its Known Exploited Vulnerabilities (KEV) catalog. This move came after reports surfaced indicating active exploitation in various environments.
Understanding the Vulnerability
Identified as CVE-2025-55182, this flaw carries the maximum CVSS score of 10.0, reflecting its critical severity. The vulnerability allows remote code execution (RCE) by an unauthenticated attacker with no special prerequisites. Also known as React2Shell, it raises significant security concerns for developers working with React.
CISA explained in an advisory that the vulnerability exists within Meta's React Server Components. This flaw enables unauthenticated remote code execution due to an issue with how React decodes payloads sent to React Server Function endpoints. The core problem lies in insecure deserialization within the library's Flight protocol, which React uses for server-client communication. Consequently, a remote attacker can potentially execute arbitrary commands on the server by crafting specific HTTP requests.
Technical Insights
According to Martin Zugec, technical solutions director at Bitdefender, deserialization vulnerabilities are among the most dangerous classes of software issues. He highlighted that the React2Shell vulnerability is located in the react-server package, particularly within the deserialization process of object references.
This flaw has been addressed in updated versions of several libraries, including:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Developers using frameworks such as Next.js, React Router, Waku, Parcel, Vite, and RedwoodSDK, which build on React, should also be aware that their applications may be at risk.
Recent Exploit Attempts
Following the public announcement of this vulnerability, Amazon reported an increase in attack attempts linked to Chinese hacking groups such as Earth Lamia and Jackpot Panda. Other cybersecurity firms, including Coalition, Fastly, GreyNoise, and VulnCheck, confirmed observing similar exploitation efforts, which indicates that multiple threat actors are seizing the opportunity to attack.
Some of these attack efforts have resulted in the deployment of cryptocurrency miners, as well as PowerShell commands run to verify successful exploitation. Attackers are then able to execute commands that retrieve further malicious payloads from remote servers.
Scope of the Impact
Data from attack surface management platform Censys reveals that there are approximately 2.15 million internet-facing services susceptible to this vulnerability. This number includes exposed web services that utilize React Server Components and frameworks like Next.js and Waku.
Palo Alto Networks Unit 42 has identified at least 30 affected organizations across different sectors. They have also observed techniques consistent with a known Chinese hacking group, UNC5174 (also referred to as CL-STA-1015). These attacks typically involve deploying SNOWLIGHT and VShell tools.
Recommended Actions for Organizations
Justin Moore of Palo Alto Networks highlighted that their findings indicate activities such as scanning for RCE vulnerabilities, reconnaissance efforts, and attempts to steal AWS configuration and credential files. Installation of downloaders designed to fetch payloads from command-and-control infrastructure has also been reported.
Security researcher Lachlan Davidson, who was pivotal in discovering the flaw, has released several proof-of-concept (PoC) exploits. With working exploit code now public, it is critical that users update their systems to the latest versions immediately. A fellow researcher under the GitHub handle maple3142 has also shared a working PoC.
Under the Binding Operational Directive (BOD) 22-01, agencies within the Federal Civilian Executive Branch (FCEB) are mandated to implement necessary updates to secure their networks by December 26, 2025.