
About Remote Code Execution – React Server Components “React2Shell” (CVE-2025-55182) vulnerability. React is a popular open-source JavaScript framework; to improve application performance, it allows part of the logic to be executed on the server via React Server Components (RSC). By exploiting insecure deserialization in RSC, an unauthenticated attacker can achieve server-side code execution via a crafted HTTP request.
⚙️ React fixes were released on December 3. Other frameworks that embed React are also vulnerable, including Next.js, React Router, Expo, Redwood SDK, Waku, and others.
🛠 Public exploits have been available since December 3; by December 19, GitHub hosted 250+ exploit and scanner projects. 😮
👾 Attacks are widespread and have been observed since December 5; listed in CISA KEV Dec 9.
🌐 Shadowserver reports 100k+ vulnerable hosts; RuNet estimates range from 10k to 40k+. 🤔

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
And I invite all Russian speakers to one more Telegram channel, @avleonovrus; that is now where I post first.
