CVE-2025-55182 Proof of Concept: Understanding the React2Shell Vulnerability
Published: Sun Dec 07 2025 | Software Mirrors
In web development security, the CVE-2025-55182 proof of concept has emerged as a critical topic for developers and security professionals alike. The vulnerability, known as React2Shell, affects React Server Components and poses a severe risk of remote code execution. With a CVSS score of 10.0, it demands immediate attention from anyone using React or frameworks like Next.js. This article explores the details of the CVE-2025-55182 proof of concept, including how it works, the available exploits, and the steps to mitigate it.

What is CVE-2025-55182
CVE-2025-55182 is a remote code execution vulnerability in React Server Components and the Flight serialization protocol. It allows unauthenticated attackers to execute arbitrary code on servers through crafted HTTP requests. The flaw affects React versions 19.0.0 to 19.2.0 and extends to popular frameworks such as Next.js versions 15.x to 16.0.6. It arises from unsafe deserialization of client-sent payloads, which enables prototype chain manipulation during deserialization. (Source: securitylabs.datadoghq.com)
The flaw was discovered by researcher Lachlan Davidson and disclosed on November 29 2025; patches were released shortly after, on December 3 2025. It affects millions of websites, with estimates suggesting that over 55 million React-based sites are at risk. Around 39 percent of cloud environments run vulnerable instances, making it comparable to high-profile vulnerabilities like Log4Shell in severity and ease of exploitation. (Source: wiz.io)
How the React2Shell Vulnerability Works
The core issue in CVE-2025-55182 lies in the deserialization process within React Server Components. Attackers can send specially crafted payloads to server function endpoints, exploiting the Flight protocol, which leads to code injection with server-level privileges. No authentication is required and the attack works under default configurations, amplifying its threat level. (Source: dynatrace.com)
Other affected components include React Router RSC, Redwood SDK, Waku and the RSC plugins for Vite and Parcel. The exploit typically involves manipulating Chunk.prototype.then resolutions or using Blobs for deserialization injection. The result can be full server compromise, including data exfiltration or further network pivoting. (Source: offsec.com)
CVE-2025-55182 Proof of Concept Details
Public proof of concept exploits for CVE-2025-55182 surfaced quickly after disclosure, accelerating potential attacks. The first notable PoC was published on December 4 2025 by researcher maple3142, demonstrating RCE on Next.js 16.0.6 via multipart requests and crafted Flight payloads. (Source: github.com)
Lachlan Davidson's original PoC includes benign gadget tests and full RCE chains, which were shared pre-disclosure in hashed form. Several GitHub repositories host these PoCs for educational and testing purposes:
l4rm4nd/CVE-2025-55182: A Docker-based lab for detection and exploitation.
lachlan2k/React2Shell-CVE-2025-55182-original-poc: The original proof of concepts for React2Shell.
clevernyyyy/CVE-2025-55182-Dockerized: A containerized version for safe testing.
Other repositories, such as msanft's work and Packet Storm's listings, provide scripts for command execution, for example running id or whoami. Detection tools include Aspen Labs' CVE-2025-55182 checker, a harmless scanner for RSC endpoints, and Nuclei modules for header-based identification using headers like Vary: RSC, Next-Router-State-Tree. (Source: trendmicro.com)
Shodan and Censys queries reveal thousands of exposed instances; searches like http.headers.vary RSC AND http.headers.vary Next-Router-State-Tree show over 77,000 IPs vulnerable.
These CVE-2025-55182 proof of concept examples are intended for authorized testing only. Misuse can violate laws such as the Computer Fraud and Abuse Act.
Exploitation in the Wild and Recent News
Exploitation of CVE-2025-55182 began within hours of its disclosure on December 3 2025. By December 5 2025, China-linked groups such as Earth Lamia and Jackpot Panda were actively scanning and exploiting, using automated tools with evasion tactics such as user-agent randomization. (Source: cloud.google.com)
Wiz reports over 30 organizations compromised, often resulting in cryptomining botnets mining Monero via c3pool.org. GreyNoise detected botnet integrations, including Mirai variants, with new IPs surging in scans. Real-world incidents include server takeovers with high CPU usage from miners, persistence via cron or systemd, and root Docker escalations. (Source: picussecurity.com)
On X, users shared warnings and PoCs. For instance, DCOneCrypto alerted the Cardano community to potential DeFi risks, while CSIRT Italia noted increased risk due to the public PoCs.
Vendor responses include patches from React and Next.js, with Vercel and Netlify offering automatic mitigations. Cloud providers such as AWS deployed WAF rules, while Cloudflare adjusted payload limits, though this caused brief outages.
CISA added it to the Known Exploited Vulnerabilities catalog on December 5 2025, with a federal patching deadline of February 4 2026.
Mitigation Strategies for CVE-2025-55182
To protect against CVE-2025-55182 proof of concept exploits, upgrade immediately to patched versions: React 19.0.1, 19.1.2 or 19.2.1, and Next.js 15.0.5, 16.0.7 or higher. Audit dependencies with commands like npm ls react and redeploy applications.
Implement Web Application Firewall rules such as AWSManagedRulesKnownBadInputsRuleSet. Run applications as a non-root user, for example with USER nextjs in Dockerfiles. Monitor for anomalies such as CPU spikes or unusual network traffic with tools like CloudWatch or AppArmor.
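As an added example (not code from the article or from the React/Next.js projects), the dependency audit step above can be automated: the script below walks the JSON tree printed by `npm ls react next --json`, classifies every react/next node against the affected ranges and patched versions the article lists, and reports nested copies that a plain version bump of the top-level package would miss. The Next.js 15.x patch lines the article does not name are reported as "check-advisory" rather than guessed; the sample tree is constructed.

```python
import json

# Patched versions per release line, as listed in the article (React 19.0.1,
# 19.1.2, 19.2.1; Next.js 15.0.5, 16.0.7). Assumption: Next.js 15.x lines the
# article does not list are reported as "check-advisory" rather than guessed.
PATCHED = {
    "react": {(19, 0): (19, 0, 1), (19, 1): (19, 1, 2), (19, 2): (19, 2, 1)},
    "next": {(15, 0): (15, 0, 5), (16, 0): (16, 0, 7)},
}
# Affected ranges from the article, inclusive: React 19.0.0-19.2.0, Next.js 15.x-16.0.6.
AFFECTED = {"react": ((19, 0, 0), (19, 2, 0)), "next": ((15, 0, 0), (16, 0, 6))}

def parse_version(text):
    """'19.1.0-canary.3' -> (19, 1, 0); pre-release and build tags are dropped."""
    parts = [int(p) for p in text.split("-")[0].split("+")[0].split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def assess(pkg, version):
    """Classify one react/next version: patched, vulnerable, check-advisory or not-affected."""
    ver = parse_version(version)
    fixed = PATCHED[pkg].get(ver[:2])          # patched release for this minor line
    if fixed and ver >= fixed:
        return "patched"
    lo, hi = AFFECTED[pkg]
    if lo <= ver <= hi:
        return "vulnerable" if fixed else "check-advisory"
    return "not-affected"

def walk(node, path=()):
    """Yield (path, name, version) for every entry in an `npm ls --json` tree."""
    for name, child in (node.get("dependencies") or {}).items():
        if "version" in child:
            yield path + (name,), name, child["version"]
        yield from walk(child, path + (name,))

def audit(npm_ls_json):
    """Map 'dep>subdep' paths to (version, status) for every react/next node found."""
    return {">".join(p): (v, assess(n, v))
            for p, n, v in walk(json.loads(npm_ls_json)) if n in PATCHED}

# Constructed sample of `npm ls react next --json` output, not real project data.
SAMPLE = json.dumps({"name": "example-app", "version": "1.0.0", "dependencies": {
    "next": {"version": "16.0.6"},
    "react": {"version": "19.2.0"},
    "some-ui-kit": {"version": "2.3.0",
                    "dependencies": {"react": {"version": "19.0.1"}}}}})

if __name__ == "__main__":
    for dep, (ver, status) in audit(SAMPLE).items():
        print(f"{dep}: {ver} -> {status}")
```

In a real project, pipe the output of `npm ls react next --json` into `audit()` instead of `SAMPLE`; any "vulnerable" or "check-advisory" line is a package that still needs the upgrade and redeploy described above.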
| Aspect | Details |
|---|---|
| Affected Versions | React 19.0.0–19.2.0; Next.js 15.x–16.0.6; related bundlers (webpack/parcel/turbopack) |
| Exploitation Timeline | Disclosed: Dec 3; First PoC: Dec 4; Wild exploits: Dec 4–5; Botnets: Dec 5+ |
| Mitigations | Upgrade immediately; use WAF rules (AWSManagedRulesKnownBadInputsRuleSet); run non-root (USER nextjs in Docker); scan with Nuclei |
| Detection Queries | Shodan: http.headers.vary RSC AND http.headers.vary Next-Router-State-Tree |
In the long term, validate deserialization in serverless setups and use software composition analysis tools like Aikido for ongoing tracking. Simulation testing is recommended to avoid false positives in early detections.
Conclusion
The CVE-2025-55182 proof of concept underscores the risks in modern web frameworks, emphasizing the need for swift patching and vigilant monitoring. By understanding this vulnerability and applying the mitigations above, organizations can safeguard their systems against remote code execution threats.
Sources
https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
https://www.tenable.com/blog/react2shell-cve-2025-55182-react-server-components-rce
https://www.trendmicro.com/en_us/research/25/l/critical-react-server-components-vulnerability.html
https://cloud.google.com/blog/products/identity-security/responding-to-cve-2025-55182
https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc
https://gist.github.com/maple3142/48bc9393f45e068cf8c90ab865c0f5f3