The vulnerability stems from unsafe payload deserialization at React Server Function endpoints. When successfully exploited, attackers can execute arbitrary code through crafted HTTP requests, potentially leading to complete backend compromise.
According to Wiz Security's analysis, approximately 39% of scanned cloud environments contain vulnerable React instances. More concerning, their research shows that exploitation attempts have a near 100% success rate.
Beyond React Server Components, the vulnerability affects popular frameworks and libraries that bundle react-server, including:
The situation unfolded rapidly:
Recorded Future's Insikt Group has confirmed the involvement of at least one Chinese anonymization network in the exploitation activity. Specifically, they identified a compromised IP address functioning as a node in the GobRAT anonymization network, a tool assessed to be used exclusively by Chinese state-sponsored threat groups.
GobRAT infects hosts with malware that allows threat actors to launch attacks from compromised systems rather than their own infrastructure, providing additional operational anonymity.
Multiple proof-of-concept (PoC) exploits for CVE-2025-55182 have been published. The most credible comes from researcher Lachlan Davidson, who initially discovered and disclosed the vulnerability.
Davidson's PoC works by:
While numerous additional PoCs have emerged since disclosure, both Davidson and AWS Security caution that many are of questionable quality and rely on victim configurations that are unrealistic for most React-based environments.
Organizations using React must act immediately:
Determine whether your publicly accessible React-based applications are vulnerable using Assetnote's react2shell-scanner. You can also check locally by running:
If vulnerable, you should see a critical severity warning about a Next.js RCE vulnerability.
The React Team released patches for all affected versions:
Both React and Next.js have published detailed mitigation guidelines.
Consider blocklisting the IP addresses identified in exploitation attempts:
The combination of factors makes this vulnerability particularly dangerous:
Developers implementing React in their tech stacks are strongly advised to determine whether their publicly accessible assets built on React frameworks are currently vulnerable to CVE-2025-55182. The best way to scan for vulnerable assets at present is Assetnote's react2shell-scanner; however, the tool is known to produce false positives, so patch whenever a scanner result cannot be ruled out rather than waiting to resolve the dispute. Datadog Security Labs also notes that the vulnerability can be identified locally by running the command "npm run audit," which should respond with the following message if your current local version of React is vulnerable:
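To complement the scanner and the npm audit check, the following added example (written for this page, not code from Assetnote, Datadog or the React project) inventories every installed copy of a React Server Components runtime from an npm lockfile, including nested duplicates under framework dependencies, and compares each against a table of first-fixed patch releases. The package names are an assumption about which packages ship the runtime, and the threshold values are placeholders to be replaced with the versions listed in the React advisory.

```python
"""Inventory React Server Components runtimes from a package-lock.json (v2/v3)."""
import json
from typing import Dict, List, Tuple

# Assumption: these react-server-dom flavours carry the RSC runtime; extend as needed.
RSC_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}

# PLACEHOLDER thresholds: first fixed patch release per major.minor line.
# Replace with the values from the React advisory for CVE-2025-55182.
PLACEHOLDER_PATCHED: Dict[str, int] = {"19.0": 1, "19.1": 2, "19.2": 1}

# Constructed sample lockfile (not from any real project): one top-level runtime
# copy plus a second copy nested under a framework dependency.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app"},
    "node_modules/react": {"version": "19.1.0"},
    "node_modules/react-server-dom-webpack": {"version": "19.1.0"},
    "node_modules/some-framework/node_modules/react-server-dom-webpack": {"version": "19.1.2"}
  }
}""")


def parse_version(v: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch), ignoring prerelease and build metadata."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")] + [0, 0]
    return parts[0], parts[1], parts[2]


def find_rsc_packages(lock: dict) -> List[Tuple[str, str, str]]:
    """Return (install path, package name, version) for every RSC runtime copy.
    The lockfile key is the install path; the package name follows the last
    'node_modules/' segment, so nested duplicates are found as well."""
    found = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # the empty key is the root project entry
        name = path.rsplit("node_modules/", 1)[-1]
        if name in RSC_PACKAGES and "version" in meta:
            found.append((path, name, meta["version"]))
    return found


def assess(lock: dict, patched_by_line: Dict[str, int]) -> List[dict]:
    """Classify each copy as patched, vulnerable, or unknown (release line not in table)."""
    results = []
    for path, name, version in find_rsc_packages(lock):
        major, minor, patch = parse_version(version)
        line = f"{major}.{minor}"
        if line not in patched_by_line:
            status = "unknown"
        else:
            status = "patched" if patch >= patched_by_line[line] else "vulnerable"
        results.append({"path": path, "name": name, "version": version, "status": status})
    return results


if __name__ == "__main__":
    for r in assess(SAMPLE_LOCK, PLACEHOLDER_PATCHED):
        print(f"{r['status']:10} {r['name']}@{r['version']}  ({r['path']})")
```

A framework that vendors a compiled copy of the runtime inside its own package will not show up in the lockfile at all, which is one reason to keep running the npm audit check alongside this inventory.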
Due to the responsible disclosure of CVE-2025-55182, a patch for all affected versions of React is available. Both React and Next.js have published mitigation guidelines to follow, which can be found here:
Given the severity and active exploitation, patching vulnerable React deployments should be treated as an urgent priority. The window between vulnerability disclosure and widespread exploitation continues to shrink, and threat actors are moving quickly to capitalize on unpatched systems.
Additionally, customers should consider blocklisting the IP addresses disclosed by AWS as involved in React2Shell exploitation.