{"uuid": "6739b288-995a-4f1a-9f03-5d1ced3a8fbd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "React2Shell", "description": "### React2Shell (CVE-2025-55182)\n\n#### What?\n\nA 10.0 critical severity vulnerablility affecting server-side use of React.js, tracked as [CVE-2025-55182](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components) in React.js and [CVE-2025-66478](https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp) specifically for the Next.js framework.\n\nThis vulnerability was responsibly disclosed by myself, [Lachlan Davidson](https://github.com/lachlan2k) on 29 November 2025 PT to the Meta team. Initial disclosure and patch release was performed by React and Vercel on 3 December 2025 PT.\n\n#### Update: Proof-of-Concepts\n\nA real public PoC began circulating after around 30 hours from initial disclosure, I've now shared my [PoCs](https://github.com/lachlan2k/React2Shell-CVE-2025-55182-original-poc) several hours later. Full writeup in due course :)\n\n#### Update: A note on scanners (4 December 20:55 UTC)\n\n\nWe've seen some great scanners from the likes of Assetnote, which are very effective at detecting unpatched Next.js instances that use Server Components.\n\nHowever, there's another nuance that we'd like to highlight: The day-0 protections from some providers are actually runtime-level, and not just WAF rules. So many customers with theoretically vulnerable versions are, to our knowledge, still protected.\n\nWe're aware of many submissions to Bug Bounty programs, etc. based on these scanner outputs, many of which may be false positives. Unfortuantely, at this point in time, we cannot share any methods to concretely identify with certainity if you are vulnerable. So when in doubt: patch!\n\n#### Update: A note on invalid PoCs (4 December 03:25 UTC)\n\nWe have seen a rapid trend of \"Proof of Concepts\" spreading which are not genuine PoCs.\n\nAnything that requires the developer to have explicitly exposed dangerous functionality to the client is not a valid PoC. Common examples we've seen in supposed \"PoCs\" are vm#runInThisContext, child\\_process#exec, and fs#writeFile.\n\nThis would only be exploitable if you had consciously chosen to let clients invoke these, which would be dangerous no matter what. The genuine vulnerability does not have this constraint. In Next.js, the list of server functions is managed for you, and does not contain these.\n\nMany of these \"PoCs\" have been referenced in publications, and even some vulnerability aggregators. We are concerned that these may lead to false negatives when evaluating if a service is vulnerable, or lead to unpreparedness if or when a genuine PoC surfaces.\n\n### Am I affected?\n\n\nRefer to vendor advisories from [React](https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r) and [Next.js](https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp).\n\n\n### What happened to CVE-2025-66478?\n\nThis CVE was (technically correctly) marked as a duplicate of CVE-2025-55182.\n\nThe decision to publish a second CVE for Next.js was made due to these exceptional circumstsances: Next.js does not include React as a traditional dependency - instead, they bundle it \"vendored\". So, if you're using Next.js, many dependency tools do not automatically recognise it as vulnerable.\n\n\n### Aditional React vulnerabilities (CVE-2025-55183, CVE-2025-55184, CVE-2025-67779)\n\nDenial of Service - High Severity: CVE-2025-55184 and CVE-2025-67779 (CVSS 7.5)\n\n(CVE-2025-55184 was incompletely fixed, leading to the\nfull fixes being tracked under CVE-2025-67779.)\n\n\"Security researchers have discovered that a malicious\nHTTP request can be crafted and sent to any Server\nFunctions endpoint that, when deserialized by React,\ncan cause an infinite loop that hangs the server\nprocess and consumes CPU. Even if your app does not\nimplement any React Server Function endpoints it may\nstill be vulnerable if your app supports React Server\nComponents.\n\nThis creates a vulnerability vector where an attacker\nmay be able to deny users from accessing the product,\nand potentially have a  performance impact on the\nserver environment.\"\n\n\nSource Code Exposure - Medium Severity: CVE-2025-55183 (CVSS 5.3)", "creation_timestamp": "2025-12-05T13:54:28.321487+00:00", "timestamp": "2025-12-15T06:53:39.109019+00:00", "related_vulnerabilities": ["CVE-2025-55184", "GHSA-9qr9-h5gf-34mp", "GHSA-fv66-9v8q-g76r", "CVE-2025-55182", "CVE-2025-66478", "CVE-2025-55183", "CVE-2025-67779"], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}