{"id":30334,"date":"2025-12-11T02:43:01","date_gmt":"2025-12-11T02:43:01","guid":{"rendered":"http:\/\/localhost\/?p=30334"},"modified":"2025-12-11T02:43:01","modified_gmt":"2025-12-11T02:43:01","slug":"react2shell-decoding-cve-2025-55182-the-silent-threat-in-react-server-components","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=30334","title":{"rendered":"React2Shell: Decoding CVE-2025-55182 \u2013 The Silent Threat in React Server Components_QUALYSBLOG:00C0A1ADB5DD411269BE0AEAF621221B"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2025-12-11T08:05:08&#8243;,&#8221;description&#8221;:&#8221;On December 3, 2025, a critical remote code execution (RCE) vulnerability, dubbed \\&#8221;React2Shell,\\&#8221; was disclosed, impacting React Server Components and frameworks like Next.js. The flaw, CVE-2025-55182, could lead to full server takeover and is rated CVSS 10.0. It is under active exploitation, has been added to the CISA KEV, and organizations should take immediate steps to remediate.\\n\\n**IMPORTANT NOTE FOR CUSTOMERS -**  \\nQualys Products and Platforms are safe from React2Shell (CVE-2025-55182) and are not affected. While certain products do use the vulnerable versions of React and Next.js, preventative in-line mitigations are in place and designed specifically to address the risk posed by this vulnerability. We are prioritizing releases that eliminate the use of these vulnerable versions in the limited products that depend on them. For more information, please contact Qualys Support.\\n\\n## Understanding React Server Components (RSC)\\n\\nReact Server Components (RSC) enable developers to run parts of a React application\u2019s rendering logic on the server \u2014 rather than the browser \u2014 which reduces client-side complexity and improves performance. 
Under the hood, RSC uses a serialization\/deserialization protocol called \u201cFlight\u201d to shuttle component trees and server-function calls between client and server. Because RSC is broadly implemented across popular frameworks and bundlers, a wide range of modern web apps rely on it\u2014including those built with Next.js, RSC plugins for bundlers like webpack, Turbopack, and Parcel, as well as frameworks such as Vite, Waku, and Redwood.\\n\\n## Decoding React2Shell \u2013 CVE-2025-55182\\n\\nDisclosed on December 3, 2025, CVE\u20112025\u201155182 (**dubbed \u201cReact2Shell\u201d as a reference to the 2021 flaw \u201cLog4Shell\u201d and rated CVSS 10.0**) affects React 19.0.0\u201319.2.0 and any framework leveraging React Server Components. The issue lies in how React\u2019s internal Flight protocol serializes and deserializes \u201ccomponent trees\u201d \u2014 the data structures that describe how UI components should be rendered on the server. During this process, React\u2019s server\u2011side decoder fails to validate incoming payloads, allowing attackers to inject arbitrary objects that are then deserialized in privileged server contexts.\\n\\nWhat makes CVE\u20112025\u201155182 especially dangerous is that React\u2019s server runtime was never built to handle untrusted input. Traditionally, client input is sanitized and filtered by APIs before any server logic is executed. By contrast, React Server Components \u2014 a core feature introduced for performance \u2014 blurred that separation, allowing serialized data representing app state to travel directly between client and server. Because many RSC-based frameworks embed React\u2019s vulnerable deserialization logic, this impacts a broad ecosystem \u2014 including Next.js. 
Consequently, Next.js issued a separate (but upstream-rooted) advisory under CVE-2025-66478 to track its exposure.\\n\\n## Applications &amp; Software Affected\\n\\nApplications using React Server Components with the App Router are affected when running the following versions:\\n\\n  * Next.js 15.x\\n  * Next.js 16.x\\n  * Next.js 14.3.0-canary.77 and later canary releases\\n\\n### **Affected Software Versions**\\n\\n  * react-server-dom-parcel versions 19.0, 19.1.0, 19.1.1 and 19.2.0\\n  * react-server-dom-turbopack versions 19.0, 19.1.0, 19.1.1 and 19.2.0\\n  * react-server-dom-webpack versions 19.0, 19.1.0, 19.1.1 and 19.2.0\\n\\nPlease note that an application is not affected by the vulnerability if the application\u2019s code does not use a framework, bundler, or bundler plugin that supports React Server Components. Next.js 13.x, Next.js 14.x stable, Pages Router applications, and the Edge Runtime are not affected.\\n\\n## Exploitation in the Wild \u2013 How Attackers are Executing the Attack\\n\\nTelemetry from multiple vendors shows that CVE\u20112025\u201155182 went from disclosure to active exploitation in hours, with automated scanners and hands\u2011on\u2011keyboard operators both leveraging the bug. 
Attackers focus primarily on internet\u2011facing Next.js frontends and other RSC workloads running in cloud environments such as Kubernetes clusters and managed PaaS platforms.\\n\\nOnce React2Shell delivers an interactive shell inside a container or VM, common behaviors include:\\n\\n  * **Environment and identity discovery**: executing commands like whoami, hostname, environment variable dumps, and browsing \/etc\/passwd to profile the host and execution context.\\n  * **DNS and HTTP beaconing**: using OAST\u2011style domains and callback infrastructure to verify outbound connectivity and fingerprint environments, often exfiltrating environment variables and host metadata.\\n  * **Reverse shells**: pivoting from one\u2011off command tests to long\u2011lived reverse shells that give operators persistent, interactive access to the Node.js \/ Next.js process.\\n\\nAttackers have been able to execute various monetization and persistence tactics, including:\\n\\n  * Deploying XMRig\u2011based cryptominers, sometimes packed or disguised as system processes, often combined with scripts that kill competing miners and try local privilege escalation.\\n  * Using installer scripts from third\u2011party pools and lightweight persistence tricks (for example, running miners under names like crond or systemd-devd in writable directories).\\n  * Installing Sliver implants and other backdoors via shell scripts that fetch ELF payloads and connect to dedicated command\u2011and\u2011control infrastructure, indicating more targeted, long\u2011term access operations.\\n\\n## Mitigating This Vulnerability\\n\\nCustomers must upgrade to the following patched versions to address the vulnerabilities:\\n\\n  * react-server-dom-parcel 19.0.1, 19.1.2, 19.2.1\\n  * react-server-dom-turbopack 19.0.1, 19.1.2, 19.2.1\\n  * react-server-dom-webpack 19.0.1, 19.1.2, 19.2.1\\n  * Next.js releases 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 
16.0.7\\n\\n## Threat Landscape and Business Risk\\n\\nOur recent blog highlights that weaknesses in the Flight protocol\u2019s handling of serialized payloads allow attackers to bypass validation and deliver crafted requests that lead directly to remote code execution. Additional advisories further confirm that the flaw impacts widely used frameworks beyond just React or Next.js; any bundler or plugin that integrates RSC (e.g., Vite, Waku, Parcel) may be affected. This vulnerability is being actively exploited in the wild:\\n\\n  * Known threat actors \u2014 including China-nexus groups \u2014 have rapidly weaponized \u201cReact2Shell\u201d in automated attacks targeting internet-facing applications.\\n  * Observed attack activity includes credential harvesting, cloud-native backdoor deployment, and opportunistic cryptomining.\\n  * Given how widespread React\/Next.js is (over 2.1 million websites\/applications, many in cloud environments), any unpatched system remains a high-value target.\\n\\nFrom a business continuity perspective, exploitation could lead to full server takeover, theft of sensitive data or secrets, unauthorized persistence, compliance violations, and large-scale disruption of web services. Cyber risk quantification technologies like Qualys Enterprise TruRisk\u2122 Management (ETM) can help identify dollars at risk from vulnerabilities like React2Shell. 
ETM also leverages Qualys TruRisk\u2122 prioritization to identify the most critical exposures to resolve.\\n\\n## **Qualys QID Coverage**\\n\\nQualys has released the QIDs in the table below for the above-mentioned vulnerabilities.\\n\\n| **Type** | **QID** | **Title** |\\n| --- | --- | --- |\\n| **SwCA** (applies to hosts and container images) | 5006447 | NodeJs (Npm) Security Update for react-server-dom-parcel (GHSA-fv66-9v8q-g76r) |\\n| **SwCA** (applies to hosts and container images) | 5006445 | NodeJs (Npm) Security Update for next (GHSA-9qr9-h5gf-34mp) |\\n| **Unauthenticated Scan** | 733480 | React Server Components (RSC) Remote Code Execution (RCE) Vulnerability (React2Shell) (Unauthenticated Check) |\\n| **Cloud Agent QID** | 386154 | React Server Dom Component NPM Package Remote Code Execution (RCE) Vulnerability |\\n| **WebApp\/AppSec QID** | 530712 | React Server Components Remote Code Execution (RCE) Vulnerability (CVE-2025-55182) (React2Shell) |\\n\\nCustomers can also search for this vulnerability by CVE ID: **CVE-2025-55182** (e.g., in VMDR &#8211; **vulnerabilities.vulnerability.cveIds: CVE-2025-55182**).\\n\\n## Eliminating the Risk of these Vulnerabilities with the Qualys Enterprise TruRisk\u2122 Platform\\n\\n### **Attack Surface Visibility**\\n\\nWith Qualys CSAM and EASM, externally exposed Next.js applications with this critical vulnerability are automatically surfaced. In addition, you can search by software component name to identify, for example, where react-server-dom, the vulnerable software, is running in your environment.\\n\\n![](https:\/\/ik.imagekit.io\/qualys\/wp-content\/uploads\/2025\/12\/CSAM-Image-scaled.png)\\n\\n### **Identify and Respond to Vulnerable Hosts With Qualys VMDR**\\n\\nQualys VMDR offers comprehensive coverage and visibility into vulnerabilities, empowering organizations to rapidly respond to, prioritize, and mitigate the associated risks. 
Additionally, Qualys customers can leverage Qualys Patch Management to remediate these vulnerabilities effectively.\\n\\nLeverage the power of Qualys VMDR alongside TruRisk\u2122 scoring and the Qualys Query Language (QQL) to efficiently identify and prioritize vulnerable assets, effectively addressing the vulnerabilities highlighted above.\\n\\n**Use this QQL statement: vulnerabilities.vulnerability.cveIds: CVE-2025-55182**\\n\\n![](https:\/\/ik.imagekit.io\/qualys\/wp-content\/uploads\/2025\/12\/VMDR-Image-scaled.png)\\n\\nWith detailed Software Composition Analysis across hosts, containers, and images, Qualys provides detailed install path information on the location of the vulnerability across any asset, enabling security and development teams to take swift action.\\n\\n![](https:\/\/ik.imagekit.io\/qualys\/wp-content\/uploads\/2025\/12\/VMDR-SwCA-1-scaled.png)\\n\\n### **Identify Exposed Containers\/Images and Block Vulnerable Deployments With Qualys Kubernetes &amp; Containers Security (KCS)**\\n\\nUsing Qualys Kubernetes &amp; Containers Security (KCS), customers can identify containers and images with this vulnerability.\\n\\n![](https:\/\/ik.imagekit.io\/qualys\/wp-content\/uploads\/2025\/12\/Vulnerable-Images-1.png)\\n\\nKCS can also give visibility into the specific image layer where the vulnerability was found, as well as the specific install path in the image.\\n\\n![](https:\/\/ik.imagekit.io\/qualys\/wp-content\/uploads\/2025\/12\/Image-Layer-Trace-1-1070x511.png) ![](https:\/\/ik.imagekit.io\/qualys\/wp-content\/uploads\/2025\/12\/Package-Install-Path-Image-2.png)\\n\\nUsing Qualys Admission Controllers and Image Admission Policies, you can add this vulnerability to a policy so that it is not deployed to any new container and so that any container image containing it is blocked from being used in builds by your development 
teams.\\n\\n![](https:\/\/ik.imagekit.io\/qualys\/wp-content\/uploads\/2025\/12\/Image-Policy-1070x548.png)\\n\\n### Identify Vulnerable Web Apps With TotalAppSec\\n\\nCustomers can also run an on-demand or scheduled vulnerability scan with Qualys TotalAppSec or Qualys Web Application Scanning (WAS), enabling instant discovery of vulnerable web apps. From there, application owners can be identified to enable faster remediation.\\n\\n![](https:\/\/ik.imagekit.io\/qualys\/wp-content\/uploads\/2025\/12\/image-11-1070x190.png) ![](https:\/\/ik.imagekit.io\/qualys\/wp-content\/uploads\/2025\/12\/image-21.png) ![](https:\/\/ik.imagekit.io\/qualys\/wp-content\/uploads\/2025\/12\/image-15.png) ![](https:\/\/ik.imagekit.io\/qualys\/wp-content\/uploads\/2025\/12\/image-16.png)\\n\\n### Remediate at Scale With TruRisk\u2122 Eliminate\\n\\nTruRisk Eliminate offers a comprehensive risk reduction solution designed to help security and IT teams proactively address nearly 100% of CISA KEVs and ransomware vulnerabilities.\\n\\nTo address React Server Component vulnerabilities, leverage Qualys TruRisk Eliminate to:\\n\\n  * Patch these vulnerabilities, or\\n  * Apply out-of-the-box mitigations until a patch can be deployed\\n\\nBecause these vulnerabilities are patchable through Qualys, you should deploy the patches immediately. 
Relevant patches were added to the Qualys patch catalog and are ready to be deployed using the Qualys agent.\\n\\nFor an in-depth technical blog post, visit our Threat Protect post on this vulnerability.\\n\\n## Contributors\\n\\n  * Abhinav Mishra, Director, Product Management, TotalCloud Kubernetes and Container Security, Qualys&#8221;,&#8221;published&#8221;:&#8221;2025-12-11T07:41:39&#8243;,&#8221;modified&#8221;:&#8221;2025-12-11T07:41:39&#8243;,&#8221;type&#8221;:&#8221;qualysblog&#8221;,&#8221;title&#8221;:&#8221;React2Shell: Decoding CVE-2025-55182 \u2013 The Silent Threat in React Server Components&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;QUALYSBLOG:00C0A1ADB5DD411269BE0AEAF621221B&#8221;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[&#8220;CVE-2025-55182&#8243;,&#8221;CVE-2025-66478&#8243;],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:10,&#8221;severity&#8221;:&#8221;CRITICAL&#8221;,&#8221;vector&#8221;:&#8221;CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H&#8221;,&#8221;version&#8221;:&#8221;3.1&#8243;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackC
omplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/blog.qualys.com\/category\/vulnerabilities-threat-research&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2025-12-11T08:05:08&#8243;,&#8221;description&#8221;:&#8221;On December 3, 2025, a critical remote code execution (RCE) vulnerability, dubbed \\&#8221;React2Shell,\\&#8221; was disclosed, impacting React Server Components and frameworks like Next.js. 
The flaw,&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[9,6,8,36,12,13,120,7,11,5],"class_list":["post-30334","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-news","tag-qualysblog","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>React2Shell: Decoding CVE-2025-55182 \u2013 The Silent Threat in React Server Components_QUALYSBLOG:00C0A1ADB5DD411269BE0AEAF621221B - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=30334\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"React2Shell: Decoding CVE-2025-55182 \u2013 The Silent Threat in React Server Components_QUALYSBLOG:00C0A1ADB5DD411269BE0AEAF621221B - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{&#8220;lastseen&#8221;:&#8221;2025-12-11T08:05:08&#8243;,&#8221;description&#8221;:&#8221;On December 3, 2025, a critical remote code execution (RCE) vulnerability, dubbed &#8221;React2Shell,&#8221; was disclosed, impacting React Server Components and frameworks like Next.js. 
The flaw,...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=30334\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-11T02:43:01+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=30334#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=30334\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"React2Shell: Decoding CVE-2025-55182 \u2013 The Silent Threat in React Server Components_QUALYSBLOG:00C0A1ADB5DD411269BE0AEAF621221B\",\"datePublished\":\"2025-12-11T02:43:01+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=30334\"},\"wordCount\":1908,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-10.0\",\"exploit\",\"news\",\"qualysblog\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=30334#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=30334\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=30334\",\"name\":\"React2Shell: Decoding CVE-2025-55182 \u2013 The Silent Threat in React Server 
Components_QUALYSBLOG:00C0A1ADB5DD411269BE0AEAF621221B - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-12-11T02:43:01+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=30334#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=30334\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=30334#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"React2Shell: Decoding CVE-2025-55182 \u2013 The Silent Threat in React Server Components_QUALYSBLOG:00C0A1ADB5DD411269BE0AEAF621221B\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero 
redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"React2Shell: Decoding CVE-2025-55182 \u2013 The Silent Threat in React Server Components_QUALYSBLOG:00C0A1ADB5DD411269BE0AEAF621221B - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=30334","og_locale":"en_US","og_type":"article","og_title":"React2Shell: Decoding CVE-2025-55182 \u2013 The Silent Threat in React Server Components_QUALYSBLOG:00C0A1ADB5DD411269BE0AEAF621221B - zero redgem","og_description":"{&#8220;lastseen&#8221;:&#8221;2025-12-11T08:05:08&#8243;,&#8221;description&#8221;:&#8221;On December 3, 2025, a critical remote code execution (RCE) vulnerability, dubbed &#8221;React2Shell,&#8221; was disclosed, impacting React Server Components and frameworks like Next.js. 
The flaw,...","og_url":"https:\/\/zero.redgem.net\/?p=30334","og_site_name":"zero redgem","article_published_time":"2025-12-11T02:43:01+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=30334#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=30334"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"React2Shell: Decoding CVE-2025-55182 \u2013 The Silent Threat in React Server Components_QUALYSBLOG:00C0A1ADB5DD411269BE0AEAF621221B","datePublished":"2025-12-11T02:43:01+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=30334"},"wordCount":1908,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-10.0","exploit","news","qualysblog","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=30334#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=30334","url":"https:\/\/zero.redgem.net\/?p=30334","name":"React2Shell: Decoding CVE-2025-55182 \u2013 The Silent Threat in React Server Components_QUALYSBLOG:00C0A1ADB5DD411269BE0AEAF621221B - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-12-11T02:43:01+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=30334#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=30334"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=30334#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"React2Shell: 
Decoding CVE-2025-55182 \u2013 The Silent Threat in React Server Components_QUALYSBLOG:00C0A1ADB5DD411269BE0AEAF621221B"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/30334","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href
":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=30334"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/30334\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=30334"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=30334"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=30334"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}