Critical React RSC Vulnerability (CVE-2025-55182): Remote Code Execution Risk

Introduction

The React Foundation has issued an urgent security alert regarding a critical vulnerability in React Server Components (RSC), designated as CVE-2025-55182 with the maximum CVSS score of 10. This flaw, discovered by researcher Lachlan Davidson and dubbed "React2Shell," enables remote attackers to execute arbitrary commands on affected servers through specially crafted HTTP requests. The vulnerability impacts multiple React packages and has prompted immediate action from developers and cloud providers worldwide.

Technical Details and Impact

The vulnerability stems from a logical deserialization error in how React Server Components process incoming requests. When an unauthenticated attacker sends a malicious HTTP payload to any Server Function endpoint, React's deserialization phase can be manipulated to execute arbitrary JavaScript code on the backend server. Security firm Wiz emphasized that this exploit works across all configurations, requiring only a single HTTP request to trigger the remote code execution.

Affected packages include react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack in versions 19.0, 19.1.0, 19.1.1, and 19.2.0. The impact extends beyond React itself to any library built on RSC technology, including Vite RSC, Parcel RSC, React Router RSC preview, RedwoodJS, and Waku frameworks. This broad reach makes the vulnerability particularly dangerous for modern web applications.

Endor Labs warned that default framework configurations are immediately exploitable, highlighting the urgency for developers to implement protective measures. While considering security solutions, developers might explore various firewall software options to add additional layers of protection to their applications.

Mitigation and Response

The React Foundation has released patched versions (19.0.1, 19.1.2, and 19.2.1) for the three affected components, which developers should upgrade to immediately. Until patches can be deployed, applying specific Web Application Firewall (WAF) rules is strongly recommended as a temporary mitigation strategy.

Major cloud providers have responded swiftly to the threat. Cloudflare announced on December 3 that it updated its WAF to protect customers, while Google Cloud Armor, Amazon Web Services (AWS), and other security providers issued similar temporary firewall rules. These providers emphasize that while these defensive measures help, updating vulnerable React packages remains the definitive solution.

For organizations handling sensitive data, implementing robust encryption tools alongside security patches can provide additional protection against potential data breaches resulting from such vulnerabilities.

Pros and Cons

Advantages

• Swift response from React Foundation with immediate patches available
• Major cloud providers quickly implemented protective WAF rules
• Clear vulnerability details help developers understand the risk
• Security community collaboration in identifying and reporting the issue
• Comprehensive affected version list enables targeted updates

Disadvantages

• Maximum severity CVSS 10 rating indicates extreme danger
• Default configurations are immediately exploitable by attackers
• Requires immediate developer action across many applications
• Potential for widespread impact before patches are applied

Conclusion

The CVE-2025-55182 vulnerability represents a critical threat to applications using React Server Components, with its maximum CVSS score reflecting the severe potential impact. Developers must prioritize updating to patched React versions (19.0.1, 19.1.2, or 19.2.1) immediately. While cloud providers' temporary WAF rules offer some protection, they should not replace proper patching. This incident underscores the importance of maintaining updated dependencies and implementing comprehensive security measures, including regular vulnerability assessments and proper secure browser configurations for development teams. The security community's rapid response demonstrates effective vulnerability management, but the widespread nature of this flaw requires urgent attention from all React-based application maintainers.