An unauthenticated attacker could send a malicious HTTP request to a React Server Function endpoint to execute code on the system. According to the vendor, any app using React Server Components could be vulnerable even if React Server Function endpoints are not implemented.
Who is affected?
CVE-2025-55182 impacts the following versions of React Server Components:
Note: Any app built with a vulnerable version of React Server Components is affected, whether or not it exposes React Server Function endpoints.
Vulnerable components:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Vulnerable versions:
- 19.0 before 19.0.1
- 19.1.0 before 19.1.2
- 19.2.0 before 19.2.1
What can I do?
Customers should upgrade the vulnerable components to a fixed version or higher as soon as possible.
Vulnerable components:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Fixed versions:
- 19.0.1
- 19.1.2
- 19.2.1
Additional information from the vendor can be found at: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
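As an added example (not Fortra's or React's own code), the following script checks an installed-package inventory against the three component names and the vulnerable/fixed version ranges listed above. The inventory shape (`{ name: version }`, as could be gathered from a lockfile) and the sample entries are constructed for the demonstration.

```javascript
// Added example (not Fortra's or React's code): check a dependency inventory
// against the version ranges this advisory lists for CVE-2025-55182.
const AFFECTED_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];
// Vulnerable ranges from the advisory, as [from, fixed): anything at or above
// "from" and below "fixed" needs the fixed release (or higher) of that line.
const VULNERABLE_RANGES = [
  { from: [19, 0, 0], fixed: [19, 0, 1] },
  { from: [19, 1, 0], fixed: [19, 1, 2] },
  { from: [19, 2, 0], fixed: [19, 2, 1] },
];
// Parse "MAJOR.MINOR.PATCH". A pre-release/build suffix is ignored, so a
// canary such as "19.2.0-canary-..." is treated conservatively as 19.2.0.
// Returns null for unparsable input.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}
// True only when the version falls inside one of the advisory's ranges;
// versions the advisory does not list (e.g. 18.x) are reported as not affected.
function isVulnerableVersion(version) {
  const v = parseVersion(version);
  if (!v) return false;
  return VULNERABLE_RANGES.some(
    (r) => compareVersions(v, r.from) >= 0 && compareVersions(v, r.fixed) < 0,
  );
}
// Inventory is { packageName: installedVersion } (assumed shape, e.g. built
// from a lockfile). Returns the affected entries that still need an upgrade.
function findVulnerable(inventory) {
  return Object.entries(inventory)
    .filter(([name, version]) => AFFECTED_PACKAGES.includes(name) && isVulnerableVersion(version))
    .map(([name, version]) => ({ name, version }));
}
// Constructed sample inventory for demonstration only.
const SAMPLE_INVENTORY = {
  'react-server-dom-webpack': '19.2.0',
  'react-server-dom-turbopack': '19.1.2',
  'react-server-dom-parcel': '19.0.0-canary-abc123',
};
console.log(findVulnerable(SAMPLE_INVENTORY));
```

Only the webpack and parcel entries of the sample are reported; the turbopack entry is already on the fixed 19.1.2 release.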
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities.
- IDS: On December 4, 2025, Alert Logic deployed an IDS signature to detect CVE-2025-55182 and CVE-2025-66478.
- IDS: On December 8, 2025, Alert Logic created IDS analytics used by SOC/Threat Hunting to detect React2Shell-based JavaScript payloads, whereby math calculation response values are observed.
- IDS: On December 9, 2025, Alert Logic created IDS analytics used by SOC/Threat Hunting for React2Shell-based JavaScript payloads, whereby digest response values are observed.
- IDS: On December 9, 2025, Alert Logic released an IDS signature to detect generic CVE-2025-55182 (not specific to the Next.js framework implementation). This includes, but is not limited to: React Router RSC preview, Waku, Vite RSC plugin, Parcel RSC plugin, and RedwoodSDK.
- IDS: On December 10, 2025, Alert Logic released an IDS signature for Fast Reverse Proxy-based BackDoor Malware seen in CVE-2025-55182-based attacks.
- FusionVM: On December 10, 2025, Alert Logic released a remote unauthenticated scan check for CVE-2025-55182.
- IP360: On December 11, 2025, Tripwire released remote scan coverage to identify vulnerable instances. The following table identifies matching vulnerabilities.
| CVE | Tripwire IP360 Vulnerability |
|---|---|
| CVE-2025-55182 | 783506 |
- Core Impact: On December 11, 2025, Core Security delivered the exploit for this vulnerability to customers. This module uses an insecure deserialization vulnerability in React Server Components to deploy a Core Impact agent.
  The module will first check if the target is vulnerable by using the given endpoint with a generic payload. If the target is vulnerable, an OSCI agent will be deployed, and the vulnerability will be exploited again with a payload that deploys an in-memory webshell. This webshell can be used later by the OSCI agent to execute OS commands or deploy a network agent, which will run with the same privileges as the webapp.
- IDS: On December 12, 2025, Alert Logic released an IDS signature for CVE-2025-55183 to detect Information Leaks in React Server.
- Fortra VM: On December 12, 2025, Fortra released a remote unauthenticated check for CVE-2025-55182.
Updates
Fortra has kicked off the Emerging Threats process for this vulnerability. This article will be updated with new information about this vulnerability and related security coverage as it becomes available.
12/4/2025: IDS signature was deployed to detect CVE-2025-55182 and CVE-2025-66478.
12/8/2025: IDS analytics were created and used by SOC/Threat Hunting for React2Shell-based JavaScript payloads, whereby math calculation response values are observed.
12/9/2025: IDS analytics were created and used by SOC/Threat Hunting for React2Shell-based JavaScript payloads, whereby digest response values are observed.
12/9/2025: IDS signature was released to detect generic CVE-2025-55182.
12/10/2025: IDS signature was released for Fast Reverse Proxy-based BackDoor Malware seen in CVE-2025-55182-based attacks.
12/10/2025: Remote unauthenticated scan check released for Fusion VM for CVE-2025-55182.
12/11/2025: Remote scan coverage was released to identify vulnerable instances of CVE-2025-55182.
12/11/2025: Core Impact delivered a module to exploit an insecure deserialization vulnerability.
12/12/2025: Fortra VM remote unauthenticated check for CVE-2025-55182 was released.
12/12/2025: IDS signature was released for CVE-2025-55183.
