
React2Shell Critical Vulnerability (CVE-2025-55182)
What You Need To Know
A vulnerability exists in React Server Components, a feature of React (also known as React.js or ReactJS), an open-source front-end JavaScript library for building user interfaces. The vulnerability allows an attacker to remotely execute arbitrary code on an unpatched server. An unauthenticated remote attacker can craft a malicious HTTP request to any Server Function endpoint; when React deserializes that request, the attacker achieves remote code execution on the server. Exploit code is publicly available. Exploitation is actively occurring.
Many third-party frameworks and components build on React Server Components, so a large number of servers are affected by this vulnerability.
PLATFORMS AFFECTED:
React Server Components versions 19.0, 19.1.0, 19.1.1, and 19.2.0:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Third-party components also known to be affected include:
- Vite RSC plugin
- Parcel RSC plugin
- React Router RSC preview
- RedwoodSDK
- Waku
- Next.js
Actions for Security Points of Contact (SPoC)
1. Upgrade React to one of the following versions:
   - 19.0.1
   - 19.1.2
   - 19.2.0
2. Upgrade any of the 3rd party packages to a release which includes the updated React components.
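To help SPoCs find the packages named under Platforms Affected before applying the upgrade actions above, the following Node.js script is an added example (it is not part of the ISO advisory and not code from the React project). It walks the "packages" map of an npm package-lock.json (lockfile version 2 or 3), including copies nested under a framework's own node_modules, and reports any of the three react-server-dom-* packages at a version the advisory lists as affected. The affected-version set is taken from this page ("19.0" is read as 19.0.0); confirm the authoritative affected and patched versions against the vendor advisory before acting on the output. The sample lockfile embedded in the script is constructed for illustration.

```javascript
// Added example (not from the CMU ISO advisory or the React project):
// inventory check for the React Server Components packages named in the
// advisory, run against a package-lock.json "packages" map.

// Package names taken from the advisory's "Platforms Affected" list.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Versions the advisory lists as affected; "19.0" is read as 19.0.0.
// Check the vendor advisory for the authoritative list before acting.
const AFFECTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);

// Normalise "19.0" to "19.0.0" and strip pre-release/build tags. Assumption:
// a pre-release build of an affected version is treated as affected too.
function normalizeVersion(version) {
  const core = String(version).split(/[-+]/)[0];
  const parts = core.split(".").map((p) => parseInt(p, 10));
  if (parts.length === 0 || parts.some((p) => Number.isNaN(p))) return null;
  while (parts.length < 3) parts.push(0);
  return parts.slice(0, 3).join(".");
}

function isAffectedVersion(version) {
  const v = normalizeVersion(version);
  return v !== null && AFFECTED_VERSIONS.has(v);
}

// Walk the lockfile "packages" map. Keys look like
// "node_modules/react-server-dom-webpack" or, for a nested copy,
// "node_modules/some-framework/node_modules/react-server-dom-turbopack";
// the package name is everything after the last "node_modules/".
function findAffectedPackages(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" is the root project entry, not a dependency
    const name = path.slice(idx + "node_modules/".length);
    if (!AFFECTED_PACKAGES.has(name)) continue;
    if (isAffectedVersion(entry.version)) {
      findings.push({ path, name, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lockfile: one affected top-level install, one affected
// copy nested under a framework, and one package already on a listed
// upgrade version. The "react" package itself is not in the advisory's
// package list, so it is not reported.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-framework/node_modules/react-server-dom-turbopack": { version: "19.1.1" },
    "node_modules/react-server-dom-parcel": { version: "19.1.2" },
  },
};

// Usage: node check-rsc.js [path/to/package-lock.json]
// With no argument the constructed sample above is checked.
if (typeof require === "function" && typeof module !== "undefined" && require.main === module) {
  const fs = require("node:fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  const findings = findAffectedPackages(lock);
  for (const f of findings) {
    console.log(`AFFECTED ${f.name}@${f.version} at ${f.path}`);
  }
  if (findings.length === 0) console.log("No affected react-server-dom-* packages found.");
  process.exitCode = findings.length ? 1 : 0; // non-zero exit lets CI gate on it
}
```

A non-zero exit status when anything is found makes the check easy to wire into a build pipeline. Because nested copies under a framework's own node_modules are walked, a host can still be flagged after a top-level upgrade if a third-party package pins an older React Server Components release, which is exactly the case the second action above addresses.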
ISO Actions
- The ISO has assessed the vulnerability for potential impact to CMU infrastructure and sent Security Points of Contact (SPoC) recommended actions for patching.
- The ISO has developed and will soon deploy a custom vulnerability scanner while we wait for commercial tools to deliver detections. Please note that a successful scan may disrupt the vulnerable service.
- The ISO has developed and deployed custom detections for exploit attempts and successful exploitations. These will work only for HTTP connections.
- The ISO will continue to monitor and respond to developments.
Vendor Advisory
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
Additional Information
- https://www.cve.org/CVERecord?id=CVE-2025-55182
- https://arstechnica.com/security/2025/12/admins-and-defenders-gird-themselves-against-maximum-severity-server-vulnerability/
- https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478
Support Contact
Information Security Office (iso-ir@andrew.cmu.edu)