React2Shell exploit: What happened and lessons learned - LogRocket Blog
Briefly

"On December 3, 2025, a critical vulnerability in React Server Components shocked the web development community. React2Shell (CVE-2025-55182) was disclosed with a CVSS score of 10.0, which is the maximum score for a vulnerability. The bug allowed remote code execution (RCE) on any server running React Server Components (RSC). Within hours of disclosure, Chinese state-sponsored groups and cryptomining operations began exploiting vulnerable servers in the wild."
"At its core, React2Shell is a deserialization bug in how React Server Components reconstruct server data from a Flight payload. Because of improper deserialization of React server components from data payloads, anybody could execute malicious code on the server and achieve Remote Code Execution (RCE), leading to a level 10 security vulnerability. The proof of concept: The vulnerability was demonstrated by Lachlan Davidson, who submitted the following payload:"
On December 3, 2025, React2Shell (CVE-2025-55182), a deserialization vulnerability in React Server Components, was disclosed with a CVSS score of 10.0. The bug stemmed from improper deserialization of RSC Flight payloads: the server reconstructed objects from attacker-controlled payload data without adequate validation, so a crafted payload could reach server-side code and achieve remote code execution on any server running RSC. Proof-of-concept payloads demonstrated full RCE, and exploitation began within hours, with Chinese state-sponsored groups and cryptomining operators targeting exposed servers. The incident exposed a subtle design decision in the React Flight protocol, the wire format RSC uses to move serialized component trees between server and client, that made the exploit possible. Mitigation is, first, to update React and any framework that bundles React Server Components to a patched release, and, second, to treat Flight payloads as untrusted input: validate their structure before deserialization and resolve references only against explicitly exported server entry points, never against arbitrary server-side objects.
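To make the mitigation concrete, here is an added example in JavaScript. It is not React's code and not the React2Shell payload; it is a toy, row-based "Flight-style" resolver of my own with hypothetical names (`serverModule`, `resolveVulnerable`, `resolveHardened`, `allowedActions`), written to show the difference between reconstructing a function reference by reflective lookup over server-side objects and resolving it only through an explicit allowlist with structural checks. The real Flight format differs; the pattern is what matters.

```javascript
// Added example (not React's implementation, not the React2Shell payload).
// Toy payload format: each line is `<rowId>:<json>`; a string "$<rowId>"
// refers to another row; an object {"$fn": ..., "args": [...]} asks the
// server to invoke a function. All names here are hypothetical.

// Constructed server module table. `internal` must never be reachable
// from client-supplied data.
const serverModule = {
  actions: {
    greet: (name) => `hello, ${name}`,
  },
  internal: {
    runShell: (cmd) => `would run: ${cmd}`,
  },
};

// Split the payload into rows: Map<rowId, parsedJson>.
function parseRows(payload) {
  const rows = new Map();
  for (const line of payload.split("\n")) {
    if (line.trim() === "") continue;
    const sep = line.indexOf(":");
    if (sep < 1) throw new Error(`malformed row: ${JSON.stringify(line)}`);
    rows.set(line.slice(0, sep), JSON.parse(line.slice(sep + 1)));
  }
  return rows;
}

// Walk a dotted path such as "internal.runShell" through an object.
function lookupPath(root, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), root);
}

// VULNERABLE: the `$fn` string is resolved reflectively against the whole
// server module, so whoever writes the payload chooses what runs.
function resolveVulnerable(payload) {
  const rows = parseRows(payload);
  const hydrate = (v) => {
    if (typeof v === "string" && v.startsWith("$")) return hydrate(rows.get(v.slice(1)));
    if (Array.isArray(v)) return v.map(hydrate);
    if (v && typeof v === "object") {
      if (typeof v.$fn === "string") {
        const fn = lookupPath(serverModule, v.$fn);
        return fn(...hydrate(v.args ?? []));
      }
      return Object.fromEntries(Object.entries(v).map(([k, x]) => [k, hydrate(x)]));
    }
    return v;
  };
  return hydrate(rows.get("0"));
}

// HARDENED: `$fn` is an opaque id compared by equality against an allowlist
// of exported actions (never walked as a path); references must exist,
// reference chains are bounded, args must be an array. Nothing runs until
// every check passes.
const allowedActions = new Map([["actions.greet", serverModule.actions.greet]]);
const MAX_DEPTH = 32;

function resolveHardened(payload) {
  const rows = parseRows(payload);
  const hydrate = (v, depth) => {
    if (depth > MAX_DEPTH) throw new Error("reference chain too deep");
    if (typeof v === "string" && v.startsWith("$")) {
      const id = v.slice(1);
      if (!rows.has(id)) throw new Error(`dangling reference ${v}`);
      return hydrate(rows.get(id), depth + 1);
    }
    if (Array.isArray(v)) return v.map((x) => hydrate(x, depth + 1));
    if (v && typeof v === "object") {
      if ("$fn" in v) {
        const fn = allowedActions.get(v.$fn);
        if (!fn) throw new Error(`action not exported: ${String(v.$fn)}`);
        if (!Array.isArray(v.args)) throw new Error("args must be an array");
        return fn(...v.args.map((x) => hydrate(x, depth + 1)));
      }
      return Object.fromEntries(Object.entries(v).map(([k, x]) => [k, hydrate(x, depth + 1)]));
    }
    return v;
  };
  return hydrate(rows.get("0"), 0);
}

// Constructed payloads: a legitimate call, and one naming internal code.
const benignPayload = '0:{"$fn":"actions.greet","args":["$1"]}\n1:"world"\n';
const maliciousPayload = '0:{"$fn":"internal.runShell","args":["id"]}\n';

// Reports whether the hardened resolver rejects a payload.
function hardenedRejects(payload) {
  try {
    resolveHardened(payload);
    return false;
  } catch (e) {
    return true;
  }
}

console.log(resolveVulnerable(benignPayload));    // hello, world
console.log(resolveVulnerable(maliciousPayload)); // would run: id
console.log(resolveHardened(benignPayload));      // hello, world
console.log(hardenedRejects(maliciousPayload));   // true
```

The vulnerable resolver turns a client-supplied string into a server-side function by walking object paths, which is the shape of bug the summary describes: the deserializer itself becomes the attack surface. The hardened resolver changes what a reference can mean (an allowlist key, not a path), checks that every reference exists, bounds reference chains so a self-referencing row cannot exhaust the stack, and checks argument shape before invoking anything. In a real deployment this is a defence in depth on top of updating to a patched React release, not a replacement for it.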
Read at LogRocket Blog