“A critical vulnerability has been identified in the React Server Components (RSC) protocol…” If you’re using regular react without any framework that has RSC, then this does not affect you. Answer from yggbrasil on reddit.com
React
react.dev › blog › 2025 › 12 › 11 › denial-of-service-and-source-code-exposure-in-react-server-components
Denial of Service and Source Code Exposure in React Server Components – React
CVEs: CVE-2026-23864 Base Score: 7.5 (High) Date: January 26, 2026 · Security researchers discovered additional DoS vulnerabilities still exist in React Server Components.
Discussions

Security Advisory: CVE-2025-66478 — Does it affect projects using only React on the frontend?
r/reactjs
December 10, 2025
CVE-2025-55182 - React exploit - brown alert time?
You're fine. Nobody coding in React has updated their dependencies in months if not years. :lolsob:
r/sysadmin
December 4, 2025
Security Check Recommended (CVE-2025-55182): Please review your application's dependencies. If you are running React or Next.js
This does not affect client-side React right?
r/react
December 6, 2025
Technical Deep Dive into CVE-2025-55182 (React2Shell ...
r/nextjs
Microsoft
microsoft.com › home › defending against the cve-2025-55182 (react2shell) vulnerability in react server components
Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components | Microsoft Security Blog
December 15, 2025 - CVE-2025-55182 (also referred to as React2Shell and includes CVE-2025-66478, which was merged into it) is a critical pre-authentication remote code execution (RCE) vulnerability affecting React Server Components, Next.js, and related frameworks.
Palo Alto Networks
unit42.paloaltonetworks.com › cve-2025-55182-react-and-cve-2025-66478-next
Exploitation of Critical Vulnerability in React Server Components (Updated December 12)
December 12, 2025 - CVE-2025-55182 is classified as Critical (CVSS 10.0) and is caused by insecure deserialization within the RSC architecture, specifically involving the Flight protocol. The vulnerability resides in the react-server package and its implementation ...
Vercel
vercel.com › changelog › cve-2025-55182
Summary of CVE-2025-55182 - Vercel
A critical-severity vulnerability in React Server Components (CVE-2025-55182) affects React 19 and frameworks that use it, including Next.js (CVE-2025-66478).
Wiz
wiz.io › blog › critical-vulnerability-in-react-cve-2025-55182
React2Shell (CVE-2025-55182): Critical React Vulnerability | Wiz Blog
December 3, 2025 - A critical vulnerability has been identified in the React Server Components (RSC) "Flight" protocol, affecting the React 19 ecosystem and frameworks that implement it, most notably Next.js. Assigned CVE-2025-55182, this flaw allows for ...
Trend Micro
trendmicro.com › en_us › research › 25 › l › critical-react-server-components-vulnerability.html
Critical React Server Components Vulnerability CVE-2025-55182: What Security Teams Need to Know | Trend Micro (US)
December 5, 2025 - CVE-2025-55182 represents a flaw in how React Server Components handle data deserialization. The vulnerability exists in the core payload decoding mechanism that processes HTTP requests to endpoints running React Server Components.
Cisco Security
sec.cloudapps.cisco.com › security › center › content › CiscoSecurityAdvisory › cisco-sa-react-flight-TYw32Ddb
Cisco Security Advisory: Remote Code Execution Vulnerability in React and Next.js Frameworks: December 2025
On December 3, 2025, the React team released a security advisory regarding a vulnerability, CVE-2025-55182, in the React server that could allow an unauthenticated, remote attacker to perform remote code execution on an affected device or system. For a description of this vulnerability, see ...
CVE
cve.org › CVERecord › SearchResults
CVE: Common Vulnerabilities and Exposures
Cloudflare
blog.cloudflare.com › react2shell-rsc-vulnerabilities-exploitation-threat-brief
React2Shell and related RSC vulnerabilities threat brief: early exploitation activity and threat actor techniques
December 11, 2025 - In parallel with our ongoing analysis of the React2Shell vulnerability, two additional vulnerabilities affecting React Server Components (RSC) implementations have been identified: The vulnerability CVE-2025-55184 was recently disclosed, revealing ...
Carnegie Mellon University
cmu.edu › iso › news › 2025 › react2shell-critical-vulnerability.html
News and Events - Computing Services - Office of the CIO - Carnegie Mellon University
Google Cloud
cloud.google.com › blog › topics › threat-intelligence › threat-actors-exploit-react2shell-cve-2025-55182
Multiple Threat Actors Exploit React2Shell (CVE-2025-55182) | Google Cloud Blog
December 13, 2025 - For information on how Google is protecting customers and mitigation guidance, please refer to our companion blog post, Responding to CVE-2025-55182: Secure your React and Next.js workloads.
Cyber.gov.au
cyber.gov.au › about-us › view-all-content › alerts-and-advisories › critical-vulnerability-in-react-server-components-cve-2025-55182
Critical vulnerability in React Server Components (CVE-2025-55182) | Cyber.gov.au
December 4, 2025 - ASD’s ACSC is aware of a critical vulnerability in React Server Components, which is used extensively in modern web applications. CVE-2025-55182 enables an attacker to achieve unauthenticated Remote Code Execution (RCE) in vulnerable versions of the following packages:
NIST
nvd.nist.gov › vuln › detail › CVE-2025-55182
CVE-2025-55182 Detail - NVD
Akamai
akamai.com › blog › security research › cve-2025-55182: react and next.js server functions deserialization rce
CVE-2025-55182: React and Next.js Server Functions Deserialization RCE | Akamai
We have been notified by our partners that a newly disclosed vulnerability CVE-2025-55182 affecting multiple React-based frameworks revealed a critical flaw in how React’s Server Functions protocol processes incoming Flight requests.
AWS
aws.amazon.com › blogs › security › china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182
China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182) | Amazon Web Services
December 29, 2025 - Within hours of the public disclosure of CVE-2025-55182 (React2Shell) on December 3, 2025, Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda.
OX Security
ox.security › blog › react-cve-2025-55184-67779-55183-react-19-vulnerabilities
React Vulnerabilities Strike Again: Denial Of Service & Information Leakage in Patched Versions of React2Shell - OX Security
December 12, 2025 - This post by OX Research team was ... Server Components (RSC) affecting React versions 19.0.0 through 19.2.2. CVE-2025-55184 and CVE-2025-67779 enable denial of service attacks, while CVE-2025-55183 exposes backend source ...
SOC Prime
socprime.com › soc prime › blog › cve-2025-55183 and cve-2025-55184: new react rsc vulnerabilities expose applications to denial of service attacks and source code leaks
CVE-2025-55183 and CVE-2025-55184: New React RSC Vulnerabilities Expose Applications to Denial of Service Attacks and Source Code Leaks | SOC Prime
December 15, 2025 - A newly disclosed maximum-severity vulnerability in React Server Components (RSC), known as React2Shell (CVE-2025-55182), has rapidly escalated into a serious threat. Multiple China-aligned state-backed groups have been observed exploiting the ...
Aikido
aikido.dev › home › articles › react & next.js dos vulnerability (cve-2025-55184): what you need to fix after react2shell
React & Next.js DoS Vulnerability (CVE-2025-55184) Explained
December 12, 2025 - CVE-2025-55184 is a React Server Components DoS flaw related to React2Shell. Learn who’s affected, how it works, and how to fully patch it.