
Working proof-of-concept (PoC) code is available for the React2Shell vulnerability, and active exploitation by several Chinese-nexus threat groups has been observed. More exploitation across the board is expected as all types of attackers seek to capitalize on this vulnerability.
Patching of the vulnerability must be a priority. Cloud environments such as Akamai, Cloudflare, AWS, Google, and Fastly have deployed web application firewall (WAF) rules to block attempted exploitation actions. These WAF rules buy time for teams to patch vulnerable applications and must not be seen as a sole defense against attackers.
Several scanners have been published to help identify potentially vulnerable applications. Qualys has released dedicated QIDs to scan and detect vulnerable assets:
SWCA QIDs:
QID 5006447: NodeJs (Npm) Security Update for react-server-dom-parcel (GHSA-fv66-9v8q-g76r)
QID 5006445: NodeJs (Npm) Security Update for next (GHSA-9qr9-h5gf-34mp)
Agent QID:
QID 386154: React Server Dom Component NPM Package Remote Code Execution (RCE) Vulnerability
Unauthenticated QID:
QID 48336: React Server Processing Flight Protocol Detected
Orange Cyberdefense provides its Managed Threat Intelligence customers with access to Indicators of Compromise (IoCs) related to this threat, which are also automatically fed into our Managed Threat Detection services. This enables proactive hunting for IoCs if you subscribe to the Threat Hunting option in our Managed Threat Detection service. If you would like us to prioritize addressing these IoCs in your next hunt, please submit a request through your customer portal or contact your representative.
Our Managed Threat Intelligence clients can directly consult and consume IOCs from this address on our Datalake platform:
datalake.cert.orangecyberdefense.com/gui/search
If you would like to know more about this Orange Cyberdefense managed service, please contact your customer representative.
React: react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
GitHub: github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp
Cloudflare: blog.cloudflare.com/waf-rules-react-vulnerability/
Wiz: www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
React2Shell: react2shell.com
An unauthenticated attacker can possibly obtain remote code execution (RCE) by exploiting vulnerabilities CVE-2025-55182 or CVE-2025-66478 in React and related frameworks. These weaknesses are assigned the maximum CVSS score of 10 and are dubbed React2Shell. Fixes have been made available for React, Next.js, and some derivative frameworks.
Affected products include:
React versions 19.0 through 19.2.
Next.js App Router branches 14.3.0 canary, 15.x, and 16.x.
Other tools for bundling react-server are likely impacted as well, such as RedwoodJS, Waku, or the RSC plugins for Vite or Parcel.
Please verify whether your frameworks are impacted and under what circumstances.
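One way to start that verification is from the lockfile, which also lists nested copies that package.json does not show. The following is an added example, not code from Orange Cyberdefense or the React or Next.js projects; matching every react-server-dom-* package against the React range, and the sample lockfile, are assumptions of the example.

```javascript
// Added example: triage a package-lock.json (lockfileVersion 2/3) for packages
// in the release lines this advisory lists as affected. It cannot tell whether
// a patched release within such a line is installed; compare every hit against
// the fixed versions given in the vendor advisories.

// Affected lines as stated on this page. Applying the React 19.0-19.2 range to
// every "react-server-dom-*" package is an assumption of this example.
const RULES = [
  { name: /^react-server-dom-/, affected: (v) => v.major === 19 && v.minor <= 2 },
  { name: /^next$/, affected: (v) => v.major === 15 || v.major === 16 ||
      (v.major === 14 && v.minor === 3 && v.patch === 0 && v.pre.startsWith("canary")) },
];

function parseVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(s || "");
  return m && { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || "" };
}

// Returns [{ path, name, version }] for every installed copy, including
// nested node_modules entries that a top-level dependency check would miss.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" is the root project, not a dependency
    const name = path.slice(idx + "node_modules/".length);
    const v = parseVersion(meta.version);
    const rule = RULES.find((r) => r.name.test(name));
    if (v && rule && rule.affected(v)) hits.push({ path, name, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile fragment (not from a real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/next": { version: "15.0.3" },
  "node_modules/react": { version: "19.1.0" },
  "node_modules/react-server-dom-parcel": { version: "19.2.0" },
  "node_modules/some-lib/node_modules/next": { version: "14.2.5" },
  "node_modules/other/node_modules/react-server-dom-webpack": { version: "18.3.1" },
} };

for (const h of findAffected(SAMPLE_LOCK)) {
  console.log(`${h.name}@${h.version} at ${h.path}: in an affected release line`);
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAffected`.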
Cloudflare has already published protections for their clients to block potential attacks if the applications are proxied through the respective web application firewalls (WAF).
Scanners detecting impacted applications were made available. See the external links below.
We expect that attackers are going to work fast to compromise as many vulnerable hosts as possible. Deploying the updates with fixes is the best protection, but other controls such as WAFs can help buy time until the fixes are deployed.
It is important to increase monitoring of hosts serving vulnerable applications to identify potential signs of malicious or unwanted behavior. Please reach out to an incident response team as soon as possible if you suspect a possible compromise. Attackers, possibly affiliated with ransomware groups, may seek to capitalize on this opportunity to gain access to sensitive information.
Our Managed Vulnerability Intelligence [watch] clients can directly consult the advisory including all the details related to this vulnerability from this address on our Threat Defense Center portal:
React: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
GitHub: https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp
Cloudflare: https://blog.cloudflare.com/waf-rules-react-vulnerability/
Wiz: https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
React2Shell: https://react2shell.com/