December 5, 2025:
AWS has announced that rapid exploitation of the critical React2Shell vulnerability tracked as CVE-2025-55182 has been observed by several Chinese-nexus threat groups (link for our Vulnerability Intelligence clients). Earth Lamia, Jackpot Panda, and other unknown adversaries reportedly attempted to leverage the flaw against AWS honeypots on December 4 after 02:30 UTC.
A working PoC is now publicly available on GitHub, and further exploitation attempts have already been observed. Therefore, mass exploitation attempts are almost certainly ongoing, as also confirmed by Fastly.
This flaw affects the very widely used React Server Components, allowing attackers to trivially execute code remotely without authentication. Even applications not directly using Server Functions remain vulnerable, as long as they support Server Components.
AWS specifies that its own services have not been affected, but shares this information to alert organizations managing their own React or Next.js environments. Cloud environments operated by Akamai, Cloudflare, AWS, Google, and Fastly quickly deployed WAF-type blocking rules based on patterns shared ahead of the vulnerability disclosure. This offers partial protection to many currently vulnerable instances, but updating to the latest patched versions remains highly recommended.
This advisory's threat level is now at 5 out of 5.
December 4, 2025:
On December 3, 2025, React patched a critical vulnerability dubbed React2Shell that allowed unauthenticated remote code execution within React Server Components. The issue, tracked as CVE-2025-55182 and CVE-2025-66478 for Next.js (link for our Vulnerability Intelligence clients), originates from a flaw in the deserialization mechanism React uses to process requests targeting React Server Functions. This weakness carries the maximum CVSS score of 10 out of 10, as it allows an attacker to send a malicious request capable of triggering code execution on the server, even when the application uses only Server Components and does not explicitly use Server Functions.
Versions 19.x of the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack modules are affected by the vulnerability. Frameworks that rely on these modules, such as Next.js, React Router, and the RSC plugins for Vite and Parcel, are also impacted. According to Wiz, this may represent one million servers or more than one-third of cloud environments.
Fortunately, fixes are already available, as the issue was responsibly reported and handled.
No reports currently indicate exploitation in the wild, but the severity of the issue makes it very likely that it will attract malicious actors.
We classify this advisory’s threat level as 4 out of 5.
The vulnerability affects versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack modules.
Fixes are available in versions 19.0.1, 19.1.2, and 19.2.1.
We recommend updating React, Next.js, and all RSC-related dependencies to their fixed versions as soon as possible.
Some scanners have already been published, such as this Python tool or this Nuclei template.
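Alongside such scanners, a local dependency check is the quickest way to confirm whether a project ships one of the affected modules. The following Node.js script is an added example, not code from the advisory or from the React project: it walks the `packages` map of a package-lock.json (lockfile v2/v3) and classifies each react-server-dom-* copy, including nested copies under another dependency, against the affected and fixed versions listed above. The lockfile content embedded in it is constructed sample input.

```javascript
// Added example (not from the advisory): flag react-server-dom-* packages in a
// package-lock.json by comparing resolved versions with the advisory's lists.
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
// The advisory lists "19.0"; npm records that release as 19.0.0.
const AFFECTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const FIXED_VERSIONS = new Set(["19.0.1", "19.1.2", "19.2.1"]);
// Exact-match classification; anything else (pre-releases, other majors) is
// reported as "review" so it is neither silently assumed safe nor vulnerable.
function classify(version) {
  if (FIXED_VERSIONS.has(version)) return "fixed";
  if (AFFECTED_VERSIONS.has(version)) return "vulnerable";
  return "review";
}
// Lockfile keys look like "node_modules/<pkg>" or, for nested copies,
// "node_modules/<parent>/node_modules/<pkg>"; the last segment is the name.
function findRscPackages(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (RSC_PACKAGES.has(name) && meta.version) {
      hits.push({ path, name, version: meta.version });
    }
  }
  return hits;
}
// Accepts the lockfile as a JSON string or an already-parsed object.
function auditLockfile(lockJson) {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  return findRscPackages(lock).map((p) => ({ ...p, status: classify(p.version) }));
}
// Constructed sample lockfile (not a real project): two top-level vulnerable
// copies and one nested, already patched copy.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-parcel": { version: "19.1.1" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
  },
});
for (const hit of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${hit.status.padEnd(10)} ${hit.version.padEnd(8)} ${hit.path}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with the contents of that project's package-lock.json; any "review" result means the version is outside both lists and must be checked by hand.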