{"id":24982,"date":"2025-12-04T14:12:46","date_gmt":"2025-12-04T19:12:46","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/react4shell-vulnerability-cve-2025-55182\/24982\/"},"modified":"2025-12-05T14:45:14","modified_gmt":"2025-12-05T10:45:14","slug":"react4shell-vulnerability-cve-2025-55182","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/react4shell-vulnerability-cve-2025-55182\/24982\/","title":{"rendered":"React4Shell vulnerability: protecting web servers from CVE-2025-55182"},"content":{"rendered":"

On December 3, the coordinated elimination of the critical vulnerability<\/a> CVE-2025-55182 (CVSSv3 \u2014 10) became known. It was found in React server components (RSC), as well as in a number of derivative projects and frameworks: Next.js, React Router RSC preview, Redwood SDK, Waku, and RSC plugins Vite and Parcel. The vulnerability allows any unauthenticated attacker to send a request to a vulnerable server and execute arbitrary code. Considering that tens of millions of websites, including Airbnb and Netflix, are built on React and Next.js, and vulnerable versions of the components were found in approximately 39% of cloud infrastructures<\/a>, the scale of exploitation could be very serious. Measures to protect your online services must be taken immediately.<\/p>\n

A separate CVE-2025-66478<\/a> was initially created for the Next.js vulnerability, but it was deemed a duplicate, so the Next.js defect also falls under CVE-2025-55182<\/a>.<\/p>\n

Where and how does the React4Shell vulnerability work?<\/h2>\n

React is a popular JavaScript library for creating user interfaces for web applications. Thanks to RSC components, which appeared in React 18 in 2020, part of the work of assembling a web page is performed not in the browser, but on the server. The web page code can call React functions that will run on the server, get the execution result from them, and insert it into the web page. This allows some websites to run faster \u2014 the browser doesn\u2019t need to load unnecessary code. RSC divides the application into server and client components, where the former can perform server operations (database queries, access to secrets, complex calculations), while the latter remains interactive on the user\u2019s machine. A special lightweight HTTP-based protocol called Flight is used for fast streaming of serialized information between the client and server.<\/p>\n

CVE-2025-55182 lies in the processing of Flight requests, or to be more precise \u2014 in the unsafe deserialization of data streams. React Server Components versions 19.0.0, 19.1.0, 19.1.1, 19.2.0 \u2014 or, more specifically, the react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack packages \u2014 are vulnerable. Vulnerable versions of Next.js are: 15.0.4, 15.1.8, 15.2.5, 15.3.5, 15.4.7, 15.5.6, and 16.0.6.<\/p>\n

To exploit the vulnerability, an attacker can send a simple HTTP request to the server, and even before authentication and any checks, this request can initiate the launch of a process on the server with React privileges.<\/p>\n

There\u2019s no data on the exploitation of CVE-2025-55182 in the wild yet, but experts agree that it\u2019s possible, and will most likely be large-scale. Wiz claims that<\/a> its test RCE exploit works with almost 100% reliability. A prototype of the exploit is already available on GitHub, so it won\u2019t be difficult for attackers to adopt it and launch mass attacks.<\/p>\n

React was originally designed to create client-side code that runs in a browser; server-side components containing vulnerabilities are relatively new. Many projects built on older versions of React, or projects where React server-side components are disabled, are not affected by this vulnerability.<\/p>\n

However, if a project doesn\u2019t use server-side functions, this doesn\u2019t mean it\u2019s protected \u2014 RSCs may still be active. Websites and services built on recent versions of React with default settings (for example, an application on Next.js built using create-next-app) will be vulnerable.<\/p>\n

Protective measures against exploitation of CVE-2025-55182<\/h2>\n

Updates. <\/strong>React users should update to the versions 19.0.1, 19.1.2 or 19.2.1. Next.js users should update to versions 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7. Detailed instructions for updating the react-server component for React Router, Expo, Redwood SDK, Waku, and other projects are provided in the React blog<\/a>.<\/p>\n

Cloud provider protection. <\/strong>Major providers have released rules for their application-level web filters (WAF) to prevent exploitation of vulnerabilities:<\/p>\n