Black Arrow Cyber Advisory - 08 December 2025 – React2Shell Vulnerability Actively Exploited in Web Technologies
Executive summary
A critical security flaw, widely known as React2Shell (CVE-2025-55182), has been identified in a very popular web technology used to build modern online services and software platforms. It has a maximum severity rating and allows attackers to run code on affected servers without needing to log in.
The issue mainly affects organisations that develop and host their own modern web applications using React Server Components and certain versions of Next.js, rather than traditional off the shelf software. However, many SaaS and cloud based services are built on these technologies, so the most realistic risk for many organisations is through their critical third parties and suppliers, rather than their own internal systems.
The vulnerability is already being actively exploited, has been added to CISA’s Known Exploited Vulnerabilities catalogue, and security researchers report tens of thousands of potentially exposed systems and confirmed breaches at multiple organisations.
In practical terms, this is another supply chain and SaaS platform risk that boards and senior leaders should be aware of, particularly where critical business processes rely on externally hosted web applications.
What is the risk to me or my business?
For most organisations that do not carry out development activities, the main concerns are:
Trusted third party services
Business critical SaaS platforms (such as HR, payroll, finance, CRM, ticketing, collaboration and sector specific tools) may use the affected web technology as part of their platform. If one of these suppliers is compromised, attackers may be able to access or steal your data held in that service, or disrupt availability.
Customer facing websites and portals built by third parties
Public websites, customer portals and booking or payment systems developed by digital agencies may be using the affected components.
Regulatory and reputational impact
Exploitation is being linked to capable threat actors and is already being used to steal data at scale. A compromise at a key supplier could still create regulatory reporting, contractual and reputational consequences for your organisation, even if the issue sits in their technology stack.
By contrast, organisations that only use React in the form of older or simple front end websites, or who do not use React based web technologies at all, will likely have limited direct technical exposure. However, almost every organisation consumes multiple SaaS platforms, and those are where the risk is most likely to materialise.
Technical Summary
CVE-2025-55182 (React2Shell): A pre authentication remote code execution vulnerability in React Server Components, caused by unsafe deserialisation of attacker controlled data in the RSC “Flight” protocol.
Affects versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0 of:
react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack
CVE-2025-66478 (Next.js): Tracks the downstream impact on Next.js applications using the App Router, which depend on the vulnerable RSC implementation.
This vulnerability has also been rated CVSS 10.0 and can lead to RCE when crafted requests are processed in unpatched environments.
Exploitation status
CISA has added CVE-2025-55182 to the KEV catalogue following evidence of active exploitation. Rapid7, Tenable and others note public proof of concept exploits, including a Metasploit module, and rapid adoption by threat actors. Amazon’s security team has observed exploitation attempts by China state linked groups within hours of public disclosure.
Patched versions
React has released fixes in react-server-dom-* versions 19.0.1, 19.1.2 and 19.2.1.
Next.js has released patched versions for affected major branches under CVE-2025-66478, and advises upgrading to the latest available release in the relevant major line.
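For development teams checking their own exposure, the following is an added example (not code from this advisory, React or Next.js) that walks an npm package-lock.json and classifies each react-server-dom-* build against the affected and patched versions listed above. The lockfile contents, package paths and application name are constructed sample data; any version not named in the advisory is reported for manual review rather than guessed at.

```javascript
// Packages and versions exactly as listed in the advisory for CVE-2025-55182.
const AFFECTED_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];
const AFFECTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const PATCHED_VERSIONS = new Set(["19.0.1", "19.1.2", "19.2.1"]);

// Constructed sample lockfile (lockfileVersion 2/3 layout): "packages" keys are
// "node_modules/<name>" or a nested "node_modules/<dep>/node_modules/<name>".
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/react": { version: "19.2.0" },                 // not in scope: not an RSC build
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-ui-kit/node_modules/react-server-dom-turbopack": { version: "19.1.2" },
  },
};

// Classify a version string against the advisory's lists.
function classifyVersion(version) {
  if (AFFECTED_VERSIONS.has(version)) return "vulnerable";
  if (PATCHED_VERSIONS.has(version)) return "patched";
  return "review"; // not named in the advisory: check the vendor advisory by hand
}

// Return one finding per installed copy of an affected package, nested copies included.
function findReact2ShellExposure(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const name = path.split("node_modules/").pop(); // last path segment is the package name
    if (!AFFECTED_PACKAGES.includes(name) || !meta || !meta.version) continue;
    findings.push({ path, name, version: meta.version, status: classifyVersion(meta.version) });
  }
  return findings;
}

// True when at least one installed copy is on a version the advisory lists as affected.
function hasVulnerableBuild(lockfile) {
  return findReact2ShellExposure(lockfile).some((f) => f.status === "vulnerable");
}

console.log(JSON.stringify(findReact2ShellExposure(SAMPLE_LOCKFILE), null, 2));
```

Run it against a real lockfile by replacing SAMPLE_LOCKFILE with JSON.parse of the file; a "review" result means the version is outside the lists in this advisory, not that it is safe.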
What types of software are most likely to be affected?
Based on current public reporting and vendor advisories, the typical affected services are:
Custom built web applications and portals: Customer portals, online account management, booking systems and ecommerce sites built using modern React and Next.js frameworks.
Modern SaaS and cloud based platforms: Many contemporary SaaS products use these frameworks to build their web dashboards and user interfaces. Where those services have not yet patched, they may be exposed.
Tech and digital firms that develop software as their core business: These organisations are more likely to have adopted the latest React 19 and Next.js capabilities and will be prioritising patching efforts now.
Traditional enterprise software suites and legacy on premises tools are less likely to be using this particular technology stack. The risk profile therefore looks very similar to other supply chain related events: a serious flaw in widely used underlying technology, with real impact flowing through service providers and suppliers.
What can I do?
As the situation is still evolving and technical guidance is being updated frequently, we recommend leadership teams focus on four practical actions, and refer technical teams to the detailed references below.
Understand where you might be exposed indirectly
Identify your most critical SaaS and hosted platforms (for example HR and payroll, finance, CRM, key industry platforms).
Ask suppliers directly whether they have assessed their exposure to React2Shell CVE-2025-55182 and Next.js CVE-2025-66478, and whether they have applied the recommended patches.
Check any externally hosted websites or portals in your name
Where third party developers or agencies maintain your customer facing portals or transactional sites, seek written confirmation that they have reviewed their use of React and Next.js and applied relevant updates where required.
Ensure monitoring and incident response are ready
Ask your internal or external security and IT teams to confirm they are:
Tracking authoritative advisories on React2Shell.
Monitoring for unusual access patterns or alerts on key SaaS platforms and externally facing web applications.
Keep an eye on evolving guidance
This is a fast moving issue, with new detection methods and defensive advice being published by major vendors and government agencies. Leaders should ensure their organisations are:
Following updates from suppliers and cloud providers.
Prepared to act quickly if a critical third party discloses that they have been impacted.
For organisations that do build or host their own web applications, your internal or outsourced development teams should follow the technical instructions in the React and Next.js advisories without delay.
Further details and patches
For technical teams and suppliers, current authoritative sources include:
React: Official security advisory on the critical vulnerability in React Server Components and patched versions: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
Next.js: Security advisory for CVE-2025-66478: https://nextjs.org/blog/CVE-2025-66478
CERT EU: technical advisory on CVE-2025-55182 and recommended updates: https://cert.europa.eu/publications/security-advisories/2025-041/pdf
Tenable: https://www.tenable.com/blog/react2shell-cve-2025-55182-react-server-components-rce
Need help understanding your gaps, or just want some advice? Get in touch with us.