Critical RSC Vulnerability in React and Next.js Allows Unauthenticated Remote Code Execution

Du'aine Davis · 2025-12-04T11:12:01+00:00

Observed in the wild * A critical vulnerability (CVE-2025-55182, CVSS 10.0) was disclosed on 3 December, affecting React Server Components (RSC) and frameworks like Next.js. Exploitation could allow unauthenticated remote code execution, impacting applications even if they do not explicitly implement server functions but…

Du'aine Davis

Observed in the wild

A critical vulnerability (CVE-2025-55182, CVSS 10.0) was disclosed on 3 December, affecting React Server Components (RSC) and frameworks like Next.js. Exploitation could allow unauthenticated remote code execution, impacting applications even if they do not explicitly implement server functions but support RSC.
The vulnerability stems from unsafe handling of server-side rendering in RSC, enabling attackers to inject malicious payloads during component rendering. Threat actors can exploit this via crafted HTTP requests targeting RSC endpoints, bypassing traditional client-side controls. The attack leverages npm packages and dependency chains, making detection harder as components run in isolated environments before bundling.
Organisations should immediately update React and Next.js to patched versions and audit npm dependencies. Use Microsoft Defender for Endpoint to monitor anomalous child processes linked to Node.js and npm registry activity. Implement KQL queries to detect suspicious service executions and enforce strict code integrity policies. Additionally, enable advanced threat hunting for indicators of compromise in build pipelines and CI/CD environments.

NVD - CVE-2025-55182 CVSS: 10.0
GitHub - ejpir/CVE-2025-55182-poc: CVE-2025-55182 POC Critical Security Vulnerability in React Server Components – React
Critical RCE Vulnerabilities Discovered in React & Next.js | Wiz Blog

Find more posts tagged with

Threat Landscape

Sign in to participate and unlock exclusive content 🔓

It looks like you're new here! Sign in or register to be able to comment, access member-only content and follow the spaces relevant to you.

Comments

Du'aine Davis

China-Nexus Threat Actors Actively Exploiting React2Shell Vulnerability
Observed in the wild

Within hours of CVE-2025-55182 (React2Shell) disclosure on 3 December 2025, AWS detected active exploitation attempts by China state-linked groups (Earth Lamia, Jackpot Panda) targeting React 19.x and Next.js 15.x/16.x with App Router. The flaw enables unauthenticated remote code execution and carries a CVSS score of 10.0.
Threat actors rapidly weaponised public PoCs, using automated scanning and manual exploitation. Observed behaviours include POST requests with next-action or rsc-action-id headers, attempts to execute Linux commands (whoami, id), and file writes to /tmp/pwned.txt.
Organisations are advised to patch React/Next.js immediately to fixed versions. Deploy AWS WAF managed rules (v1.24+) or custom interim rules. Monitor logs for suspicious POST requests and unexpected process execution. Use Microsoft Defender to detect anomalous Node.js behaviour and file modifications.

China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182) | AWS Se…

See what's trending

Click on a tag to discover all the published content related to it.