CVE-2025-55182: What you need to know about React2Shell
Blog post from Bugcrowd
On December 3, 2025, the React Team disclosed a critical remote code execution (RCE) vulnerability in React Server Components, which are widely used in Next.js deployments; it allows unauthenticated attackers to execute code on affected servers through crafted HTTP requests. Despite its severity, the vulnerability's reach is narrower than that of the Log4j incident, with early telemetry indicating exposure in about one-third of monitored environments. Bugcrowd responded promptly by activating a dedicated triage team to process related submissions, validating proof-of-concept reports, and putting in place prioritization guidelines for handling the zero-day vulnerability. The React Team released patched versions of the affected packages and urged users to upgrade and verify their dependencies, while Bugcrowd focuses on providing customers with actionable intelligence and support throughout this security threat. Further information and resources are available through the relevant security advisories and vulnerability records, so that security teams can effectively manage and mitigate the impact.