- React2Shell (CVE-2025-55182)
A 10.0 critical severity vulnerability affecting server-side use of React.js, tracked as CVE-2025-55182 in React.js and CVE-2025-66478 specifically for the Next.js framework. This vulnerability was responsibly disclosed by myself, Lachlan Davidson, on 29 November 2025 PT to the Meta team.
- React’s Critical React2Shell Vulnerability — What You Should Know . . .
Conclusion: In this article, you learned about the "React2Shell" vulnerability, how to verify it using the original developer's tools, and how to upgrade your app to secure your Server Components. I hope you have a clear idea about why this update is urgent. By being proactive now, you can avoid a catastrophic data breach.
- React2Shell: Decoding CVE-2025-55182 – The Silent Threat in React . . .
On December 3, 2025, a critical remote code execution (RCE) vulnerability, dubbed “React2Shell,” was disclosed, impacting React Server Components and frameworks like Next.js. The flaw, CVE-2025-55182, could lead to full server takeover and is rated CVSS 10.0. It is under active exploitation, has been added to the CISA KEV, and organizations should take immediate steps to remediate.
- React2Shell RCE (CVE-2025-55182) Next.js (CVE-2025-66478) | Tenable®
React2Shell: A critical React flaw allowing unauthenticated RCE. Impacts include Next.js, React Router, and apps using Server Components.
- React2Shell (CVE-2025-55182): What happened, who’s affected, and how to . . .
Critical RCE in React Server Components (a.k.a. “React2Shell”) with public PoC and active exploitation. This guide explains the issue in plain English and gives you concrete steps to find and fix it.
- React2Shell Deep Dive: CVE-2025-55182 Exploit Mechanics | Wiz Blog
React2Shell: Technical Deep-Dive In-the-Wild Exploitation of CVE-2025-55182. We break down the exploit mechanics and detail active in-the-wild attacks observed by our team, from credential harvesting to sophisticated cloud backdoors.
- React2Shell, Critical unauthenticated RCE affecting React Server . . .
On December 3, 2025, Meta disclosed a new vulnerability, CVE-2025-55182, which has since been dubbed React2Shell. A second CVE identifier, CVE-2025-66478, was assigned and published to track the vulnerability in the context of Next.js.
- Detecting React2Shell: The maximum-severity RCE Vulnerability affecting . . .
Learn how to detect and fix React2Shell, the unauthenticated RCE behind CVE-2025-55182 and CVE-2025-66478, with Sysdig’s threat research, Falco rules, and remediation steps.