CVE-2025-55182 (React) & CVE-2025-66478 (NextJS): Remote Code Execution in React Server Components
Author: Alex Lee, CEO (@alexjoelee)
CVE-2025-55182: "React2Shell" Remote Code Execution (RCE) in React Server Components
On December 3rd, a security vulnerability was published for React Server Components affecting versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. The CVE was published as CVE-2025-55182 with a severity score of 10.0. This vulnerability allows an attacker to craft a malicious HTTP request containing a payload that is run on the server. The vulnerability was originally discovered by Lachlan Davidson and reported on November 29th. You can learn more about the vulnerability at react2shell.com.
What'd We Do
On December 3rd, we deployed a Web Application Firewall (WAF) rule to all current beta sites to prevent exploitation of this vulnerability. The additional rule is expected to have no impact on customer sites that do not use React. Please note this rule helps prevent exploitation but cannot guarantee total safety - please update your deployments immediately.
Update 12/5/2025
We have seen active exploitation attempts against customer sites on our network that have been successfully blocked by our WAF rule. We are continuing to monitor the situation and evolve our controls as it progresses.
Next Steps
Please update your deployments to the latest versions as soon as possible.
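To find out which deployments still need the update, the following added example (not code from the original post or from the vendor) scans an npm package-lock.json for installs of the `react` package pinned to one of the versions the advisory lists as affected, including copies nested under other dependencies. It assumes lockfileVersion 2 or 3 (the `packages` map) and checks only the `react` package versions named above; the embedded lockfile is a constructed sample.

```javascript
// Added example (not from the original post): scan an npm package-lock.json
// (lockfileVersion 2 or 3) for installs of "react" at a version the advisory
// lists as affected by CVE-2025-55182, including copies nested under other
// packages. Assumption: only the "react" versions named on the page are checked.

const AFFECTED_REACT_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);

// Returns every affected install found in a parsed lockfile object, each with
// its install path and exact pinned version.
function findAffectedReact(lockfile) {
  const packages = lockfile.packages || {};
  const hits = [];
  for (const [installPath, meta] of Object.entries(packages)) {
    // Keys look like "node_modules/react" or
    // "node_modules/some-dep/node_modules/react"; the root project has key "".
    if (!installPath.endsWith("node_modules/react")) continue;
    if (typeof meta.version !== "string") continue;
    if (AFFECTED_REACT_VERSIONS.has(meta.version)) {
      hits.push({ path: installPath, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the root install is at a version not on the
// affected list, but a nested copy pulled in by another dependency is affected.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { react: "^19.2.1" } },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-dom": { version: "19.2.1" },
    "node_modules/legacy-widget/node_modules/react": { version: "19.1.1" },
  },
};

// CLI usage: node check-react.js path/to/package-lock.json
// Without an argument the constructed sample above is scanned.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const target = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCKFILE;
  const hits = findAffectedReact(target);
  if (hits.length === 0) {
    console.log("No react install at an affected version found.");
  } else {
    for (const h of hits) console.log(`AFFECTED: ${h.path} (react@${h.version})`);
  }
}
```

Nested copies matter because a fixed top-level `react` does not remove an older duplicate that another dependency resolved on its own.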