Overview
Update: As of 4:30PM Eastern, Rapid7 has validated that a working weaponized proof-of-concept exploit, shared by researcher @maple3142, is now publicly available.
On December 3, 2025, Meta disclosed a new vulnerability, CVE-2025-55182, which has since been dubbed React2Shell. A second CVE identifier, CVE-2025-66478, was assigned and published to track the vulnerability in the context of Next.js. However this second CVE has since been rejected as a duplicate of CVE-2025-55182, as the root cause in all cases is the same and should be referred to with a single common CVE identifier.
CVE-2025-55182 is a critical unauthenticated remote code execution vulnerability affecting React, a very popular library for building modern web applications. This new vulnerability has a CVSS rating of 10.0, which is the maximum rating possible and indicates the highly critical nature of the issue. Successful exploitation of CVE-2025-55182 allows a remote unauthenticated attacker to execute arbitrary code on an affected server via malicious HTTP requests.
The vulnerability affects React applications that support React Server Components. While the vulnerability affects the React Server Components feature, server applications may still be vulnerable even if the application does not explicitly implement any React Server Function endpoints but does support React Server Components. Additionally, many popular frameworks based on React, such as Next.js, are also affected by this vulnerability.
A separate advisory was published by Vercel, the vendor for Next.js. This advisory tracks the impact of CVE-2025-55182 as it applies to the Next.js framework, and provides information for Next.js users to remediate the issue.
As of this blog’s publication on December 4, 2025, there is no known public exploit code available. Several exploits have been published claiming to exploit CVE-2025-55182; however, they have not been successfully verified as actually exploiting this vulnerability. This has been noted in the original finder’s website, react2shell.com. Although broad exploitation has not yet begun, we expect this to quickly change once a viable public exploit becomes available.
Organizations who use React or the affected downstream frameworks are urged to remediate this vulnerability on an urgent basis, outside of normal patch cycles and before broad exploitation begins.
Mitigation guidance
CVE-2025-55182 affects versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of the following React packages:
A vendor-supplied update for the above packages is available in versions 19.0.1, 19.1.2, and 19.2.1. Users of affected React packages are advised to update to the latest remediated version on an urgent basis.
Downstream frameworks that depend on React are also affected, this includes (but is not limited to):
For the latest mitigation guidance for React, please refer to the React security advisory. For the latest mitigation guidance specific to Next.js, please refer to the Vercel security advisory.
Rapid7 customers
Exposure Command, InsightVM and Nexpose
Exposure Command, InsightVM and Nexpose customers can assess exposure to CVE-2025-55182 with an unauthenticated check available in today's (December 4) content release. Note that the "Potential" check type must be enabled before running the scan to successfully assess for the vulnerability.
Updates
- December 4, 2025: Several minor edits for punctuation and grammar.
- December 4, 2025: Coverage availability for Rapid 7 customers.
- December 4, 2025: PoC validation updated.
- Emergent Threat Response