CVE-2025-55182
Published: December 5, 2025
Official Description
Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Please note CVE-2025-66478 has been rejected, but it is associated with CVE-2025- 55182.
CISA KEV Advisory
Meta React Server Components Remote Code Execution Vulnerability
Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Please note CVE-2025-66478 has been rejected, but it is associated with CVE-2025- 55182.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Risk Analysis
Meta React Server Components are vulnerable to remote code execution due to a flaw in how React decodes payloads to React Server Function endpoints. The high EPSS score of 0.59560 and confirmed exploitation indicate this is a severe threat to applications using these components.
This vulnerability is actively exploited in the wild and is listed in CISA's KEV catalog. It allows for unauthenticated remote code execution.
Apply the latest security updates or patches for Meta React Server Components. Implement robust input validation and secure coding practices to prevent deserialization vulnerabilities.
Technical Analysis
CVE-2025-55182 requires local access, meaning attackers must already have a foothold on the target system.
Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
CISA has added CVE-2025-55182 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. U.S. federal agencies are required to patch this within the mandated timeframe, and all organizations should treat remediation as urgent.
Exploit & PoC Resources
News & Research Mentioning CVE-2025-55182
The EtherRAT malware family was first reported by Sysdig back in December 2025. At that time, the initial access vector was exploitation of CVE-2025-55182 (React2Shell) targeting Linux servers. In March 2026, a Windows variant campaign was reported by Atos, with their investigation showing evidence of activity going back to the previous December. In April, we […] The post Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware appeared first on The DFIR Report. [xlite_meta score:44 src:The DFIR Report xlite_fp:201a1fd2b6fecceac9f51fb42f8c2abc39a22825ff18db05466da8c234fbcab3]
Hackers are running a large-scale campaign to steal credentials in an automated way after exploiting React2Shell (CVE-2025-55182) in vulnerable Next.js apps. [...] [xlite_meta score:61 src:BleepingComputer xlite_fp:45230a22f77fd2e8f62ca45d45463d629d4e8f82e08ba60707944643ed05b035]
A large-scale credential harvesting operation has been observed exploiting the React2Shell vulnerability as an initial infection vector to steal database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens at scale. Cisco Talos has attributed the operation to a threat cluster it tracks as [xlite_meta score:53 src:The Hacker News xlite_fp:ba56590a7ca7aee6cc4bc056cfbbf55e282914e1934c011e684facc57a338cf9]
December 2025 saw a 120% surge in critical CVEs, with 22 exploited flaws and React2Shell (CVE-2025-55182) dominating threat activity across Meta’s React framework. [xlite_meta score:38 src:Recorded Future Blog xlite_fp:063569aee50e8bb687b5cc7eb752cecc0c81ae4d93f16a60296ff580a6a5521d]
Written by: Aragorn Tseng, Robert Weiner, Casey Charrier, Zander Work, Genevieve Stark, Austin Larsen Introduction On Dec. 3, 2025, a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components, tracked as CVE-2025-55182 (aka "React2Shell"), was publicly disclosed. Shortly after disclosure, Google Threat Intelligence Group (GTIG) had begun observing widespread exploitation across many threat clusters, ranging from opportunistic cyber crime actors to suspected espionage groups. GTIG has identified distinct campaigns leveraging this vulnerability to deploy a MINOCAT tunneler, SNOWLIGHT downloader, HISONIC backdoor, and COMPOOD backdoor, as well as XMRIG cryptocurrency miners, some of which overlaps with activity previously reported by Huntress. These observed campaigns highlight the risk posed to organizations using unpatched versions of React and Next.js. This post details the observed exploitation chains and post-compromise behaviors and provides intel
Huntress is seeing threat actors exploit React2Shell (CVE-2025-55182) to deploy a Linux backdoor, a reverse proxy tunnel, and a Go-based post-exploitation implant. [xlite_meta score:43 src:Huntress Blog xlite_fp:8956c247518f90f9aa323422cfd59b5e0d6618ae37857c6bb34c77883f0e48a8]
All References (2)
Quick Facts
Known Threat Actors
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2025-55182 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts
- !CISA KEV: Federal agencies must patch per BOD 22-01 timeline
- !Active exploitation confirmed — treat as P1