React2Shell: What To Know About The Critical React RCE Vulnerability
Blog post from StackHawk
On December 3, 2025, a critical vulnerability named React2Shell was disclosed in React Server Components. It is tracked as CVE-2025-55182 and carries the highest possible CVSS score of 10, affecting all current React versions (19.0.0 through 19.2.0) and the JavaScript frameworks built on them, such as Next.js. The vulnerability allows Remote Code Execution (RCE) through unsafe deserialization in React's "Flight" protocol, letting an attacker run arbitrary JavaScript on the server. Immediate patching is essential: active exploitation by state-nexus threat groups has already been observed, and advisories urge teams to update React and Next.js, verify their dependencies, and use security tools such as StackHawk for detection and mitigation. React2Shell underlines the importance of keeping dependencies current and of runtime security testing to determine whether a vulnerability is actually exploitable in a live environment.
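As an added illustration of the "verify dependencies" step (example code written for this page, not StackHawk's tooling or anything from the post), the script below walks the `packages` map of an npm `package-lock.json` (lockfile v2/v3 layout) and flags every installed copy of `react`, including nested duplicates, whose version falls within 19.0.0 through 19.2.0, the range the post names as affected. The lockfile contents are constructed sample data, and the decision to compare only the `major.minor.patch` core (so a canary or prerelease build of an affected release is also flagged) is a conservative assumption of this example, not a statement from the post.

```javascript
// Added example, not from the StackHawk post: audit an npm lockfile for React
// versions inside the range the post names for CVE-2025-55182 (19.0.0..19.2.0).
const AFFECTED_MIN = "19.0.0";
const AFFECTED_MAX = "19.2.0";

// Only the package the post names explicitly is checked here.
const WATCHED = new Set(["react"]);

function parseVersion(v) {
  // Accepts "19.1.0" and "19.1.0-canary.3"; build metadata after "+" is ignored.
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

function compareCore(a, b) {
  // Compare major.minor.patch only; prerelease tags deliberately do not lower the rank
  // (assumption: a prerelease of an affected release is treated as affected too).
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  return 0;
}

// true = inside the named range, false = outside it, null = unparsable (review by hand).
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return null;
  const lo = parseVersion(AFFECTED_MIN);
  const hi = parseVersion(AFFECTED_MAX);
  return compareCore(v, lo) >= 0 && compareCore(v, hi) <= 0;
}

// Walk every entry of the lockfile "packages" map, including nested node_modules trees,
// so a second copy of react hoisted under another dependency is not missed.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || !meta || !meta.version) continue; // "" is the root project entry
    // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
    const name = path.replace(/^.*node_modules\//, "");
    if (!WATCHED.has(name)) continue;
    findings.push({ path, name, version: meta.version, affected: isAffected(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile: one top-level react inside the range and one older
// copy nested under another package (outside the range, so not flagged).
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { react: "^19.0.0" } },
    "node_modules/react": { version: "19.1.0" },
    "node_modules/legacy-widget": { version: "1.0.0" },
    "node_modules/legacy-widget/node_modules/react": { version: "18.3.1" },
  },
};

function main() {
  // Usage: node audit-react-lock.js [path/to/package-lock.json]; defaults to the sample.
  const fs = require("fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) {
    const verdict = f.affected === null ? "REVIEW (unparsable version)"
      : f.affected ? "AFFECTED (inside 19.0.0..19.2.0)" : "outside the named range";
    console.log(`${f.path}@${f.version}: ${verdict}`);
  }
}

if (typeof require !== "undefined" && require.main === module) main();
```

Run it against a real lockfile with `node audit-react-lock.js package-lock.json`. A clean result from this range check is not a fix on its own; it only tells you which installed copies still need updating, which is why the post pairs dependency verification with runtime testing of the deployed application.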