Week 50 – React or not React: that is the question

8 – 14 Dec 2025

A remote code execution vulnerability was found in React Server Components: CVE-2025-55182 – React2Shell.

This week’s CVE of the Week is about the recent pre-authentication remote code execution vulnerability in Meta’s React Server Components.

React is a free and open-source front-end JavaScript library that aims to make building user interfaces based on ‘components’ more seamless. It is maintained by Meta and a community of individual developers and companies.

On 3rd December, the React Team published a security blogpost about the issue, urging upgrading immediately and thanking Lachlan Davidson for reporting the security vulnerability to them.

This issue is categorized as Deserialization of Untrusted Data (CWE-502) – The CVSSv3 score is 10.0 Critical.
Multiple versions and products impacted: React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack.

Additionally, other services and products that are built upon these components can also be affected, for example Next.js, Expo, Redwood SDK, Waku, vitejs/plugin-rsc frameworks and apps using these.

Even if an app does not implement any React Server Function endpoints, it may still be vulnerable if the app supports React Server Components.

If the app’s React code does not use a server or a framework, bundler, or bundler plugin that supports React Server Components, then the app is not affected by this vulnerability.

An unauthenticated attacker could exploit this vulnerability to execute arbitrary code on an affected device, via insecure deserialization of malicious HTTP requests. Testing indicates the exploit has near-100% reliability and requires no code changes to be effective against default configurations.

React Server Components communicate between client and server using a serialization protocol called React Flight.
This protocol enables streaming of complex data structures that mirror the React component tree, allowing UIs to render progressively while awaiting backend responses.

Flight uses special prefixes to encode different data types and this is where the vulnerability lies: it affects how the server deserializes data from clients. An attacker can send malicious data that executes arbitrary code on your servers before any authentication occurs.

Security Researchers urge customers using vulnerable versions to upgrade as soon as possible, as reports indicate that this flaw is already being exploited in the wild.
Meta does not offer any mitigations or workarounds for the vulnerable versions, except for upgrading.
CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

Details about the issue, the list of affected versions and additional information are available in Meta’s security advisories:
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
https://www.facebook.com/security/advisories/cve-2025-55182

For more information about the vulnerability, please visit NVD’s site:
https://nvd.nist.gov/vuln/detail/CVE-2025-55182
https://www.tenable.com/cve/CVE-2025-55182

White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect their deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024 and 2025.

With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.

They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.