PCTFs General

React2Shell: Critical RCE Vulnerability Shaking the React Ecosystem

parrotassassin15 December 5, 2025 1 min read 33 views

A critical vulnerability dubbed "React2Shell" has just dropped, and if you're running anything with React Server Components, you need to patch immediately. This is being compared to Log4Shell for good reason—it's a CVSS 10.0, unauthenticated RCE that affects default configurations.

What Is React2Shell?

React2Shell (CVE-2025-55182) is an unsafe deserialization vulnerability in React Server Components. An unauthenticated, remote attacker can exploit this by sending a specially crafted payload to a vulnerable React Server Function endpoint, resulting in remote code execution on the server. Tenable

Written by

parrotassassin15

Cybersecurity professional and contributor at Lorikeet Security.

Share this article
Back to Blog

Related Articles

Jan 12, 2026

You Can't Protect What You Don't Know Exists: Complete Cybersecurity Solutions from Lorikeet Security

Continuous security monitoring for organizations that can't afford blind spots. Last month, a client...
Jan 12, 2026

You Can't Protect What You Don't Know Exists: Introducing Lorikeet ASM

Last month, a client came to us after a breach. The attacker's entry point? A staging server on a su...
Dec 6, 2025

Intellexa’s Predator Spyware: Zero‑Day Exploits and the Real Risk to Users

A new Intellexa leak exposes the Predator tool’s use of multiple zero‑day flaws across Android, Chro...
Lory waving

Hi, I'm Lory! Need help finding the right service? Click to chat!