✅ Report Title: React2Shell Vulnerability Analysis: CVE-2025-55182
✅ Executive Summary:
- This report analyzes the React2Shell vulnerability identified in React Server Components (RSC).
- The vulnerability is an unauthenticated remote code execution issue caused by insufficient input validation during the deserialization of Flight protocol data.
📌 What Is the Root Cause of the Vulnerability?
- The vulnerability occurs due to unsafe deserialization performed without proper validation of user input.
- The parseModelString and getOutlinedModel functions deserialize user-supplied input without validating prototype-related properties.
- By referencing chunks using the $@ and $ symbols, Prototype Pollution can be triggered.
- Through this process, the prototypes of all objects within a React application can be modified, potentially leading to remote code execution.
(Figures in the original report: parseModelString function; getOutlinedModel function)
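As an added example, written for this summary and not taken from the S2W report or from React's source, the following Node.js snippet shows the kind of validation the report says parseModelString and getOutlinedModel lack: a chunk-reference resolver that refuses prototype-related keys before any property is written and bounds reference chasing. The `{"$ref": "<id>"}` reference syntax, the `chunks` table, the helper names (`resolveValue`, `decodeModel`, `tryDecode`, `prototypeIsClean`) and both payloads are constructed for the example; React's actual Flight encoding (the `$@` and `$` prefixes mentioned above) is not reproduced.

```javascript
// Added example, not React's Flight parser. Chunks are a constructed table of
// {id: jsonText}; {"$ref": "id"} stands in for a cross-chunk reference.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

class RejectedInput extends Error {}

// Resolve a parsed JSON value, following references into other chunks.
// Every object key is checked before it is written, and writes go through
// defineProperty so a key never reaches the inherited __proto__ setter.
// `seen` tracks chunk ids on the current path to reject reference cycles.
function resolveValue(value, chunks, seen = new Set()) {
  if (Array.isArray(value)) return value.map(v => resolveValue(v, chunks, seen));
  if (value === null || typeof value !== 'object') return value;

  if (typeof value.$ref === 'string') {
    const id = value.$ref;
    if (!Object.prototype.hasOwnProperty.call(chunks, id)) {
      throw new RejectedInput(`unknown chunk ${id}`);
    }
    if (seen.has(id)) throw new RejectedInput(`reference cycle at chunk ${id}`);
    seen.add(id);
    const resolved = resolveValue(JSON.parse(chunks[id]), chunks, seen);
    seen.delete(id);
    return resolved;
  }

  const out = {};
  for (const key of Object.keys(value)) {
    // JSON.parse turns "__proto__" into an own property, so it shows up here
    // and can be rejected before it is ever used as an assignment target.
    if (FORBIDDEN_KEYS.has(key)) {
      throw new RejectedInput(`prototype-related key "${key}" rejected`);
    }
    Object.defineProperty(out, key, {
      value: resolveValue(value[key], chunks, seen),
      enumerable: true, writable: true, configurable: true,
    });
  }
  return out;
}

// Decode the model rooted at chunk `rootId`, throwing RejectedInput on bad input.
function decodeModel(chunks, rootId = '0') {
  return resolveValue({ $ref: rootId }, chunks);
}

// Wrapper that reports rejection as data instead of an exception.
function tryDecode(chunks, rootId = '0') {
  try {
    return { ok: true, value: decodeModel(chunks, rootId) };
  } catch (err) {
    if (err instanceof RejectedInput) return { ok: false, reason: err.message };
    throw err;
  }
}

// True when Object.prototype carries no injected property.
function prototypeIsClean() {
  return !('polluted' in {}) && Object.keys(Object.prototype).length === 0;
}

// Constructed inputs: a benign model and one carrying a prototype-related key.
const BENIGN_CHUNKS = {
  '0': '{"title":"Hello","author":{"$ref":"1"}}',
  '1': '{"name":"alice"}',
};
const POLLUTING_CHUNKS = {
  '0': '{"$ref":"1"}',
  '1': '{"__proto__":{"polluted":true}}',
};

console.log(JSON.stringify(tryDecode(BENIGN_CHUNKS)));
console.log(JSON.stringify(tryDecode(POLLUTING_CHUNKS)));
console.log('Object.prototype clean:', prototypeIsClean());
```

The two guards are independent: the key allow-check stops the payload at parse time, and `defineProperty` is defence in depth should a later code path copy keys with plain assignment.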
📌 How Can This Vulnerability Be Exploited? (Attack Scenario)
- A threat actor identifies a front-end service using React or Next.js.
- The attacker generates a payload that loads a chunk together with data designed to overwrite the chunk’s prototype and sends it to the React server.
- The generated payload is delivered to a service running a vulnerable version of React or Next.js.
- As the payload is deserialized, the attacker can gain control over the React or Next.js server.
📌 React2Shell Vulnerability Timeline
| Date | Details |
|---|---|
| 2025.11.29. | Vulnerability reported to Meta |
| 2025.12.03. | Vulnerability publicly disclosed |
| 2025.12.03. | Patch released |
| 2025.12.04. | PoC and exploit code released |
| 2025.12.06. | In-the-wild exploitation confirmed via CISA KEV |
| 2025.12.10. | Exploitation activity associated with North Korea–related threat group UNC5342 identified |
| 2025.12.10. | Exploitation activity associated with China-related threat groups identified |
| 2025.12.13. | China-related threat group names identified (UNC6600, UNC6588, UNC6603, UNC6595) |
| 2025.12.16. | Exploitation activity associated with the Lazarus group identified |
| 2025.12.18. | Exploitation activity associated with Weaxor ransomware identified |
📌 Affected Versions
- 19.0 ≤ React < 19.0.1
- 19.1.0 ≤ React < 19.1.2
- 19.2.0 ≤ React < 19.2.1
- Next.js (canary releases) ≥ 14.3.0-canary.77
- 15.0 ≤ Next.js < 15.0.5
- 15.1.0 ≤ Next.js < 15.1.9
- 15.2.0 ≤ Next.js < 15.2.6
- 15.3.0 ≤ Next.js < 15.3.6
- 15.4.0 ≤ Next.js < 15.4.8
- 15.5.0 ≤ Next.js < 15.5.7
- 15.6.0 ≤ Next.js < 15.6.0-canary.58
- 16.0 ≤ Next.js < 16.0.7
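As an added example (not the report's code and not React or Next.js project code), the following dependency-free Node.js script checks package versions against the affected ranges listed above. `compareVersions` is a hand-written stand-in for the `semver` npm package; the two Next.js canary lines are encoded as half-open ranges under the reading noted in the comments, which is an assumption; `SAMPLE_DEPENDENCIES` is a constructed manifest fragment, not a real project.

```javascript
// Added example: compare dependency versions against the affected ranges in
// the report. No external packages are used so it runs as-is with Node.js.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { main: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}

// SemVer 2.0 precedence: numeric core first; a prerelease sorts below the
// release it precedes; prerelease identifiers compare numerically when both
// are numeric, otherwise as ASCII strings.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.main[i] !== pb.main[i]) return pa.main[i] < pb.main[i] ? -1 : 1;
  }
  if (pa.pre.length === 0 && pb.pre.length === 0) return 0;
  if (pa.pre.length === 0) return 1;
  if (pb.pre.length === 0) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1; // fewer identifiers sorts lower
    if (y === undefined) return 1;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) { if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1; }
    else if (nx) return -1; // numeric identifiers sort before alphanumeric ones
    else if (ny) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Affected ranges transcribed from the report as [lower, upper) pairs.
const AFFECTED = {
  react: [
    ['19.0.0', '19.0.1'],
    ['19.1.0', '19.1.2'],
    ['19.2.0', '19.2.1'],
  ],
  next: [
    // "Next.js (canary releases) >= 14.3.0-canary.77", read here (assumption)
    // as canary builds from canary.77 up to, but excluding, the 14.3.0 release.
    ['14.3.0-canary.77', '14.3.0'],
    ['15.0.0', '15.0.5'],
    ['15.1.0', '15.1.9'],
    ['15.2.0', '15.2.6'],
    ['15.3.0', '15.3.6'],
    ['15.4.0', '15.4.8'],
    ['15.5.0', '15.5.7'],
    // "15.6.0 <= Next.js < 15.6.0-canary.58", read here (assumption) as the
    // 15.6.0 canary builds before canary.58; the literal range is empty in SemVer.
    ['15.6.0-canary.0', '15.6.0-canary.58'],
    ['16.0.0', '16.0.7'],
  ],
};

// True when `version` of `pkg` ("react" or "next") lies in an affected range.
function isAffected(pkg, version) {
  const ranges = AFFECTED[pkg];
  if (!ranges) throw new Error(`no range data for package ${pkg}`);
  return ranges.some(([lo, hi]) =>
    compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0);
}

// Scan a dependency map (the shape of package.json "dependencies") and list
// the packages whose pinned version is affected. A leading ^ or ~ is stripped;
// for a reliable answer feed in exact versions from the lockfile.
function findAffectedDeps(deps) {
  const findings = [];
  for (const [name, spec] of Object.entries(deps)) {
    if (!AFFECTED[name]) continue;
    const version = String(spec).replace(/^[\^~=]/, '');
    if (isAffected(name, version)) findings.push({ name, version });
  }
  return findings;
}

// Constructed sample manifest fragment (not a real project).
const SAMPLE_DEPENDENCIES = { react: '19.1.1', next: '15.5.7', 'react-dom': '19.1.1' };

console.log(JSON.stringify(findAffectedDeps(SAMPLE_DEPENDENCIES)));
```

Because `^` and `~` specifiers can resolve to any version in their range, the only authoritative input is the resolved version from `package-lock.json`, `yarn.lock` or `pnpm-lock.yaml`; the script takes that exact string unchanged.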
✅ Recommended Threat Detection and Mitigation Actions:
- If vulnerable versions of React Server Components are in use, upgrading to the latest patched versions is strongly recommended.
- If patching is not possible, temporarily suspending the service or restricting external network access is recommended.
- Because critical vulnerabilities can surface at any time in widely used software, organizations should have a response process prepared in advance.
- Regular identification and management of externally exposed services are recommended.
🧑‍💻 Author: S2W TALON
👉 Contact us: https://s2w.inc/en/contact
*The full report is available upon request or with a subscription to the S2W platform.