React2Shell Vulnerability Being Actively Exploited (CVE-2025-55182)

by Mike Puglia


A remote code execution (RCE) vulnerability exists in the React Server Components protocol in React versions 19.0.0 through 19.2.0 (CVE-2025-55182) and also affects downstream Next.js applications that use the App Router (CVE-2025-66478). The vulnerability has been assigned a CVSS score of 10 out of 10, the highest possible severity, and is being actively exploited worldwide (it is listed in the CISA Known Exploited Vulnerabilities Catalog). It allows remote, unauthenticated attackers to send a specially crafted message to a vulnerable website and execute code on the server, typically dropping a shell that gives the attacker complete control of the system.

What React Is, Impact and Mitigation

React is one of the most popular JavaScript UI frameworks, holding approximately a 40% share of the JavaScript framework market. It is estimated that 39% of cloud environments were running a vulnerable version of React or Next.js, which leaves potentially millions of internet-facing systems vulnerable, with trivial exploits publicly available.

Many cloud hosting providers have updated their WAF rules to block exploit traffic in order to mitigate this threat, including Google (Cloud Armor and Application Load Balancer), Cloudflare (Cloudflare WAF) and AWS (AWS WAF).

While WAF rules provide temporary mitigation, they do not alleviate the need to resolve the issue by patching. Please refer to the vendor patch recommendations below:

React: https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r

Next.js: https://nextjs.org/blog/CVE-2025-66478

Detection

Both RocketCyber and Datto EDR actively monitor for suspicious or malicious shells. However, because the vulnerability allows execution of arbitrary code, patching is the only way to resolve it.

In most cases, we do not see MSPs or SMBs building applications with React on servers they control; however, they may use third-party hosted applications and should contact the vendor.

Assetnote has released a network scanner that detects vulnerable applications; it is available at: https://github.com/assetnote/react2shell-scanner

Kaseya Labs has created as-is scripts for Linux and Windows (PowerShell) that can be run on servers under your control to check for the presence of React and Next.js files and return their versions.
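As an added example of the kind of local inventory check described above (this is not the Kaseya Labs script, nor code from the React or Next.js projects), the following Linux shell script walks a directory tree, finds every installed copy of `react`, `next` and the `react-server-dom-*` packages under a `node_modules` directory, reports the version from each `package.json`, and flags React versions inside the affected range stated in this post (19.0.0 through 19.2.0). It assumes that the `react-server-dom-*` packages carry the Server Components protocol and are versioned alongside `react`; the range test is deliberately conservative, so confirm the exact patched point releases against the React advisory linked above. The sample tree it builds when run without an argument is constructed for demonstration only.

```shell
#!/usr/bin/env bash
# Added example: locate React / Next.js installs and report their versions.
# Usage: ./react_version_check.sh /var/www     (scans the given tree)
#        ./react_version_check.sh              (scans a constructed sample tree)

# Returns 0 if dotted version $1 <= $2 (natural version ordering via sort -V).
version_le() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Returns 0 when a React version lies in the affected range this post names
# (19.0.0 .. 19.2.0 inclusive). Conservative: a patched point release inside
# that range would also be flagged, so confirm against the vendor advisory.
react_is_affected() {
  version_le "19.0.0" "$1" && version_le "$1" "19.2.0"
}

# Extract the "version" field from a package.json without requiring jq.
package_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n1
}

# Print one line per package of interest found under $1:
#   <AFFECTED|INFO> <package> <version> <path-to-package.json>
# Next.js versions are reported as INFO only; use the vendor advisory to judge them.
scan_tree() {
  find "$1" -type f -name package.json 2>/dev/null |
  while IFS= read -r pkg; do
    dir=$(dirname "$pkg")
    name=$(basename "$dir")
    # Only consider packages installed directly under a node_modules directory.
    [ "$(basename "$(dirname "$dir")")" = "node_modules" ] || continue
    case "$name" in
      react|next|react-server-dom-*) ;;
      *) continue ;;
    esac
    ver=$(package_version "$pkg")
    status="INFO"
    case "$name" in
      react|react-server-dom-*)
        if react_is_affected "$ver"; then status="AFFECTED"; fi ;;
    esac
    printf '%s %s %s %s\n' "$status" "$name" "$ver" "$pkg"
  done
}

# Build a constructed sample tree (versions chosen for illustration only) and
# print its root so the caller can scan and then remove it.
build_sample_tree() {
  root=$(mktemp -d)
  write_pkg() {
    mkdir -p "$3"
    printf '{\n  "name": "%s",\n  "version": "%s"\n}\n' "$1" "$2" > "$3/package.json"
  }
  write_pkg react  19.1.0  "$root/app/node_modules/react"
  write_pkg next   15.1.0  "$root/app/node_modules/next"
  write_pkg lodash 4.17.21 "$root/app/node_modules/lodash"
  write_pkg react  18.3.1  "$root/app/node_modules/legacy-widget/node_modules/react"
  printf '%s\n' "$root"
}

if [ $# -gt 0 ]; then
  scan_tree "$1"
else
  sample=$(build_sample_tree)
  scan_tree "$sample"
  rm -rf "$sample"
fi
```

Run it against each web root or deployment directory on servers you control; an `AFFECTED` line means the install is inside the range this post names and should be patched per the React advisory, while nested copies (one dependency bundling its own React) show up on their own lines so they are not missed.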

Mike Puglia

General Manager, Security Products

Mike Puglia brings over 25 years of technology, strategy, and cybersecurity experience to his role as Kaseya’s General Manager of Security Products. He is responsible for all products across Kaseya’s portfolio of security solutions.

Prior to joining Kaseya, Mike led the technical program management integration of real-time collaboration technologies into Salesforce’s Chatter Social Enterprise platform. Earlier in his career, Mike served in technical and product roles at application security company Veracode, database security company Lumigent Technologies and network security company Bluesocket.

Mike holds a Bachelor of Science in Electrical Engineering from the University of New Hampshire and an MBA from the Carroll Graduate School of Management at Boston College.