CVE-2025-55182: The Critical Remote Code Execution (RCE) Vulnerability in React Server Components

09 - Dec - 2025 - MxDR Team

Table of Contents

CVE-2025-55182 is a critical vulnerability that is already being exploited

The critical vulnerability CVE-2025-55182 allows an unauthenticated attacker to execute arbitrary code on the server and is already being actively exploited

The CVE-2025-55182 vulnerability, also known in the community as “React2Shell”, represents a security threat of the utmost severity to applications that use React Server Components (RSC). With a CVSS score of 10.0 (Critical). This vulnerability allows an unauthenticated attacker to execute arbitrary code on the server, potentially compromising the underlying infrastructure. The vulnerability is currently being actively exploited by groups such as Earth Lamia and Jackpot Panda, as well as anonymization networks.

1. Technical Description of the Vulnerability

CVE-2025-55182 is an insecure deserialization vulnerability present in React’s Flight protocol, which is the basis for data communication in React Server Components.

Affected Component and Operating Mechanism

Affected Components: The vulnerability resides specifically in the server-side payload handling logic of the React Server Components, which is implemented in the react-server-dom-parcel, react-server-dom-webpack, and react-server-dom-turbopack packages. Frameworks such as Next.js (using the App Router) and others that rely on CSR are at risk. Applications are vulnerable, even if they don’t use server roles, as long as they support CSR.
Root of the Problem: The vulnerability occurs because the Flight protocol’s deserialization process does not properly validate the data structures that are reconstructed from the request payload. This mechanism allows an attacker to inject a payload specifically designed to manipulate the JavaScript Object Prototype (_proto_) on the server, known as server-side Prototype Pollution.
Exploitation (RCE): By exploiting Prototype Pollution, the attacker can corrupt the properties of internal objects, which in turn can lead to the execution of dangerous functions (such as child_process.execSync or other native functions) through the process Node.js that runs the application. This results in unauthenticated Remote Code Execution (RCE).

Vulnerable Versions

The vulnerability primarily affects the following product versions:

React: Versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0.
Next.js: Versions that implement RSC, including series 14.3.0-canary.77 and above, series 15 and 16.

2. Detection and Protection

Rapid response is crucial given the criticality of the vulnerability and the existence of public exploits (PoCs) and active exploitation.

Detection (Indicators of Compromise – IoC)

Security teams should immediately look for the following indicators in their HTTP traffic logs and system logs:

Type of IoC	Description	Patterns to look for in logs
Telemetry	From the EDR it is possible to search for TTPs compatible with the exploitation of vulnerabilities in Node.js	Execution of common attack commands (related to shells, reconnaissance, payload download, reverse connections, etc.) where the parent process is Node.js (node or node.exe)
HTTP traffic	Requests targeting RSC endpoints with server-specific action headers and malicious payloads.	`POST` requests with headers such as `next-action` or `rsc-action-id`.
Payloads	HTTP request bodies that contain patterns associated with prototyping or command injection.	Patterns such as `$@` o `status":"resolved_model"`, which are common in proof-of-concepts (PoC).
Host Activity	Acknowledgment commands or unexpected actions executed by the Node.js/React application process.	Execution of commands such as `whoami`, `id`, `uname`, or attempts to read the `/etc/passwd` file or suspicious writes to temporary directories (`/tmp/`).
Scanning/Probing	Traffic from scanners looking for a specific error response from vulnerable versions.	Requests that attempt to cause a `500 status code` with the error pattern `E{"digest"` in the response body.

Sigma rule to detect some forms of exploitation of this RCE Windows environments

title: Node.js Suspicious Child Process & Recon (React2Shell Windows)
status: experimental
description: |
 Detects Node.js spawning shells (CMD/PS) or reconnaissance binaries/LOLBins.
 Designed to catch RCE payloads from CVE-2025-55182 exploiting React Server Components.
logsource:
 product: windows
 category: process_creation
detection:
 selection_parent:
  ParentImage|endswith:
   - '\node.exe'
   - '\pm2.exe'
   - '\bun.exe'

 selection_child_shell:
  Image|endswith:
   - '\cmd.exe'
   - '\powershell.exe'
   - '\powershell_ise.exe'
   - '\pwsh.exe'

 selection_child_recon_binary:
  Image|endswith:
   - '\whoami.exe'
   - '\hostname.exe'
   - '\systeminfo.exe'
   - '\ipconfig.exe'
   - '\certutil.exe'
   - '\curl.exe'
   - '\net.exe'
   - '\net1.exe'

 selection_cmdline_suspicious:
  CommandLine|contains:
   - 'wget'
   - 'iwr'
   - 'DownloadString'
   - '-enc '
   - 'bypass'

 condition: selection_parent and (selection_child_shell or selection_child_recon_binary or selection_cmdline_suspicious)
falsepositives:
 - Developer workstations running local servers.
 - Build agents (Azure DevOps agents).
level: critical
tags:
 - attack.execution
 - attack.discovery
 - cve.2025.55182

Sigma rule to detect some forms of exploitation of this RCE Linux environments

title: Node.js Suspicious Child Process & Recon (React2Shell Linux)
status: experimental
description: |
 Detects Node.js spawning shells, reconnaissance tools, or network utilities.
 This covers direct execution (spawn) and shell execution (exec) typical in CVE-2025-55182 (Reac2Shell).
logsource:
 product: linux
 category: process_creation
detection:
 selection_parent:
  ParentImage|endswith:
   - '/node'
   - '/node-current'
   - '/pm2'
   - '/npm'

 selection_child_shell:
  Image|endswith:
   - '/bash'
   - '/sh'
   - '/dash'
   - '/zsh'
   - '/ash'

 selection_child_recon_binary:
  Image|endswith:
   - '/whoami'
   - '/id'
   - '/curl'
   - '/wget'
   - '/nc'
   - '/ncat'

 selection_cmdline_suspicious:
  CommandLine|contains:
   - 'whoami'
   - 'uname -a'
   - '/etc/passwd'
   - '/dev/tcp/'
   - 'curl '
   - 'wget '
   - 'base64 -d'

 condition: selection_parent and (selection_child_shell or selection_child_recon_binary or selection_cmdline_suspicious)
falsepositives:
 - Valid maintenance scripts executed via npm run.
 - CI/CD Runners (GitHub Actions).
level: critical
tags:
 - attack.execution
 - attack.discovery
 - cve.2025.55182

Protection and Mitigation

The ultimate protection is patching, but there are temporary mitigations if immediate upgrade is not feasible.

1. Software Update (Ultimate Solution)

The only complete solution is to upgrade to patched versions, as these include hardened handling of user inputs to prevent insecure deserialization.

2. Mitigación Temporal (WAF/Virtual Patching)

If you can’t upgrade immediately, you can apply a virtual patching mitigation with a Web Application Firewall (WAF):

WAF rules: Implement rules to block HTTP requests that contain the suspicious payload patterns identified in the detection section, especially those targeting RSC endpoints and containing prototype injection patterns.
Cloud Services: Use WAF signatures from cloud providers (such as Cloudflare, AWS WAF, etc.), as many have released specific rules to detect and block attempts to exploit CVE-2025-55182.

3. Prevention through secure configuration

Given the nature of RCE attacks, it is possible to prevent, or at least limit the scope, of the impact of such attacks through the implementation of security protocols, such as the necessary least privilege, limiting the actions that an attacker could perform to a large extent; as well as secure configurations such as the activation of logs that help detect and investigate a possible attack.

3. Conclusion and Recommendation

CVE-2025-55182 is a high-severity zero-day vulnerability that is being actively exploited. The main and unavoidable recommendations are:

Establish Proactive Threat Hunting activities to identify successful exploitation of this vulnerability.
Urgent update of all React Server Components and dependent frameworks (such as Next.js) to patched versions. WAF mitigation is a temporary palliative, but not a replacement for the ultimate code-level solution. Implementation of secure protocols and configurations to limit the impact.

Share this article

Facebook - Twitter - Linkedin