{"id":4286,"date":"2025-12-09T05:44:11","date_gmt":"2025-12-09T05:44:11","guid":{"rendered":"https:\/\/certera.com\/blog\/?p=4286"},"modified":"2025-12-09T05:44:12","modified_gmt":"2025-12-09T05:44:12","slug":"cve-2025-55182-new-react2shell-vulnerability-puts-millions-of-sites-at-risk","status":"publish","type":"post","link":"https:\/\/certera.com\/blog\/cve-2025-55182-new-react2shell-vulnerability-puts-millions-of-sites-at-risk\/","title":{"rendered":"CVE-2025-55182: New React2Shell Vulnerability Puts Millions of Sites at Risk"},"content":{"rendered":"\n

A Scenario<\/h2>\n\n\n\n

One day, you woke up to find your site being controlled by a hacker, and it was all due to a secret breach in your code. That is precisely what is horrifying about the React2Shell (CVE-2025-55182). <\/p>\n\n\n\n

React2Shell (CVE-2025-55182) new bug in a widely popular web framework, React (but it applies to any software that can be sent to your own server by an attacker), that allows the attacker to just execute any code on your server without necessarily having to log in. Simply put, it is equivalent to leaving a backdoor on your site.<\/p>\n\n\n\n

All companies that use React (or Next.js or other frameworks) should be aware of this critical vulnerability as soon as possible.<\/p>\n\n\n\n

Why React2Shell is Serious?<\/h2>\n\n\n\n

Security experts have given it a CVSS score of 10.0 (Critical).<\/strong> In other words, it has the maximum \u201cdanger\u201d rating for cyber flaws. If your site uses React\u2019s server components (the behind-the-scenes code that powers interactive features), this bug could let a stranger slip malicious commands into your server. <\/p>\n\n\n\n

As one security bulletin bluntly states, \u201cIf your app supports React Server Components<\/strong>, you are likely vulnerable out of the box\u2026 Patch immediately<\/strong>\u201d.<\/p>\n\n\n\n

What Is React2Shell (CVE-2025-55182)?<\/h2>\n\n\n\n

React2Shell is a weakness in React Server Components \u2013 the part of React that runs on your web server (not in the user\u2019s browser). Normally, React safely handles data sent between the site and the server. But React2Shell is a flaw in that process. <\/p>\n\n\n\n

In technical terms, it\u2019s an \u201cunsafe deserialization<\/strong>\u201d vulnerability, which simply means the server is trusting input it shouldn\u2019t. A hacker can craft a special data packet and send it to your server as if it were a normal request. <\/p>\n\n\n\n

React accidentally treats that malicious packet like a real command and executes it. The result? With Remote Code Execution (RCE), the attacker can run any code they want on your server, like a ghost writer taking over your computer.<\/p>\n\n\n\n

React\u2019s own developers and security researchers discovered this flaw in late November 2025 and promptly disclosed it. The official React team confirmed that even apps with default settings could be at risk. In fact, they urged everyone: \u201cWe recommend upgrading immediately<\/a>\u201d<\/strong>.<\/p>\n\n\n\n

Why You Should Care: A 10.0 Critical Alert<\/h2>\n\n\n\n

This isn\u2019t just theory; real hackers are already exploiting React2Shell. Within hours of public disclosure, Amazon\u2019s security team observed<\/strong> multiple China-linked hacker groups (like Earth Lamia and Jackpot Panda) scanning for and trying to use React2Shell in the wild. These groups are notorious. They often hit organisations around the globe right after a new exploit is revealed. <\/p>\n\n\n\n

AWS even noted that while<\/strong> they have web filters and firewalls catching some attempts, those measures are no substitute for patching the code. As AWS bluntly puts it, if you run React or Next.js on your own servers or cloud containers, \u201cyou must update vulnerable applications immediately\u201d.<\/p>\n\n\n\n

The server of your website is a vault. React2Shell is another form of lockpick that thieves have learned. A burglar may dance in with that key. Practically, a hacker might steal your valuable data, defame your site, install malware, or even begin to mine cryptocurrency on your computer. <\/p>\n\n\n\n

Security researchers have already evidenced this. Crypto-miners were mined on some of the compromised Cloud servers. All this could not have been imagined were the vulnerability had been first patched.<\/p>\n\n\n\n

React2Shell puts your Company in Direct Danger<\/h2>\n\n\n\n

Any organisation that relies on the compromised versions of React or Next.js may experience a breach, downtime, or even more. As proof-of-concept exploits are now publicly available, and automated scanners are available, the clock is so much better. The industry is being urged by experts to consider the same as an emergency for all companies.<\/p>\n\n\n\n

How React2Shell Attacks Work?<\/h2>\n\n\n\n

The technical root cause of React2Shell is \u201cunsafe deserialization\u201d. <\/p>\n\n\n\n