CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2025-55182

React2Shell: When Server Components Serve Shells

Alon Barad
Software Engineer

Jan 2, 2026 · 6 min read

Executive Summary (TL;DR)

CVSS 10.0 pre-authentication RCE in React Server Components and the frameworks that ship them, Next.js included. By reaching the `constructor` property through the React Flight protocol's deserialization of request payloads, an attacker can execute arbitrary code on the server. Active in-the-wild exploitation confirmed.

A catastrophic Remote Code Execution (RCE) vulnerability in React Server Components (RSC) allows unauthenticated attackers to execute arbitrary JavaScript on the server via the React Flight protocol. Dubbed 'React2Shell', the issue stems from insecure deserialization (CWE-502) and a build process failure.
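The deserialization weakness in the summary above, shown with an added example. This is illustration code written for this report, not React's Flight implementation: the `$id:prop:prop` reference syntax, the chunk table and the attacker reference are constructed stand-ins for the real wire format, and only the failure pattern carries over. The unsafe resolver follows untrusted property names with plain property access, so two `constructor` hops from any plain object reach `Function`; the hardened resolver restricts traversal to own data properties, rejects the prototype-chain escape hatches by name, and refuses to hand back functions.

```javascript
// Added illustration for this report, not React's code: a simplified
// reference resolver in the style of a Flight-like deserializer. The
// "$id:prop:prop" reference syntax, the chunk table and the attacker
// reference are constructed stand-ins; the real wire format differs.
// What carries over is the CWE-502 mechanism: if the resolver follows
// attacker-chosen property names with plain property access, "constructor"
// walks up to Function, and Function(src)() is arbitrary code execution.

// Constructed server-side chunk table that references may point into.
const CHUNKS = {
  1: { user: { name: 'alice', role: 'viewer' } },
};

// Parse "$<chunkId>:<prop>:<prop>..." into its parts; anything else is a literal.
function parseReference(ref) {
  if (typeof ref !== 'string' || ref[0] !== '$') return null;
  const [id, ...path] = ref.slice(1).split(':');
  return { id, path };
}

// VULNERABLE: every path segment is resolved with plain property access, so the
// prototype chain is reachable. "$1:constructor" is Object and
// "$1:constructor:constructor" is Function, which compiles source into code.
function resolveUnsafe(chunks, ref) {
  const parsed = parseReference(ref);
  if (parsed === null) return ref;
  let value = chunks[parsed.id];
  for (const key of parsed.path) value = value[key];
  return value;
}

// HARDENED: only own data properties of plain objects may be traversed, the
// well-known prototype-chain escape hatches are rejected by name, and a
// resolved function is never returned to the caller.
const FORBIDDEN_KEYS = new Set(['constructor', '__proto__', 'prototype']);

function resolveSafe(chunks, ref) {
  const parsed = parseReference(ref);
  if (parsed === null) return ref;
  if (!Object.hasOwn(chunks, parsed.id)) throw new Error(`unknown chunk ${parsed.id}`);
  let value = chunks[parsed.id];
  for (const key of parsed.path) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`forbidden path segment: ${key}`);
    if (value === null || typeof value !== 'object' || !Object.hasOwn(value, key)) {
      throw new Error(`not an own data property: ${key}`);
    }
    value = value[key];
  }
  if (typeof value === 'function') throw new Error('references may not resolve to functions');
  return value;
}

// Constructed attacker reference: two "constructor" hops from a plain object.
const ATTACKER_REF = '$1:constructor:constructor';

// Runs the attacker's reference through both resolvers and reports what
// happened. The compiled source here is harmless ("return 6 * 7"); a real
// payload would be anything the Node.js runtime can execute.
function demo() {
  const fromUnsafe = resolveUnsafe(CHUNKS, ATTACKER_REF);
  const codeRan = fromUnsafe === Function ? fromUnsafe('return 6 * 7')() : null;
  let safeError = null;
  try {
    resolveSafe(CHUNKS, ATTACKER_REF);
  } catch (e) {
    safeError = e.message;
  }
  return { unsafeReachedFunction: fromUnsafe === Function, codeRan, safeError };
}

console.log(demo());
```

The name-based blocklist is not the fix on its own; the own-property check is what stops equivalent walks through keys the list does not mention, such as inherited methods and getters on built-in prototypes.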

Official Patches

  • React: Official React Advisory
  • Next.js: Next.js Security Update

Technical Appendix

CVSS Score: 10.0 / 10 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Probability: 47.37% (top 4% most exploited)
Exposed instances (via Shodan): 50,000

Affected Systems

  • Next.js (versions 13.3.0 - 15.0.x)
  • React Server Components (RSC) runtimes
  • Waku framework
  • Parcel RSC
  • Vite RSC plugin

Affected Versions Detail

Product                  | Vendor | Affected Versions     | Fixed Version
-------------------------|--------|----------------------|--------------
Next.js                  | Vercel | >= 13.3.0, < 14.2.35 | 14.2.35
Next.js                  | Vercel | 15.0.0 - 15.0.6      | 15.0.7
react-server-dom-webpack | Meta   | 19.0.0               | 19.0.1
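A triage helper, added here and not part of the report or of Vercel's or Meta's tooling, that walks a `package-lock.json` (lockfileVersion 2 or 3) and flags installed copies of the packages in the table above whose versions fall inside the affected ranges. The ranges are copied from that table; check them against the vendor advisories before relying on them, since the table is the report's own summary. Nested copies under `node_modules/<dep>/node_modules/` are included, and a pre-release such as `14.2.35-canary.2` is treated as older than the fixed release, so it is flagged rather than silently passed. The sample lockfile is constructed.

```javascript
// Added triage helper for this report, not tooling from Vercel or Meta.
// Walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3)
// and flags installed copies of the packages below whose versions fall in
// the affected ranges. The ranges are copied from the table above and are an
// input to verify against the vendor advisories, not a source of truth.
const AFFECTED_RANGES = {
  'next': [
    { min: '13.3.0', fixed: '14.2.35' },
    { min: '15.0.0', fixed: '15.0.7' },
  ],
  'react-server-dom-webpack': [
    { min: '19.0.0', fixed: '19.0.1' },
  ],
};

// "15.0.7-canary.3" -> { nums: [15, 0, 7], pre: "canary.3" }. Build metadata
// ("+sha") is not handled; npm lockfiles rarely carry it.
function parseVersion(v) {
  const dash = v.indexOf('-');
  const core = dash === -1 ? v : v.slice(0, dash);
  const pre = dash === -1 ? null : v.slice(dash + 1);
  const nums = core.split('.').map(Number);
  while (nums.length < 3) nums.push(0);
  return { nums, pre };
}

// Negative when a < b, zero when equal, positive when a > b. A pre-release
// sorts before the release with the same core, so "14.2.35-canary.2" < "14.2.35".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre !== null && pb.pre === null) return -1;
  if (pa.pre === null && pb.pre !== null) return 1;
  return 0;
}

// Returns the matching affected range, or null when the package is unknown or
// the version is outside every range (min inclusive, fixed exclusive).
function isAffected(name, version) {
  const ranges = AFFECTED_RANGES[name];
  if (!ranges) return null;
  for (const r of ranges) {
    if (compareVersions(version, r.min) >= 0 && compareVersions(version, r.fixed) < 0) return r;
  }
  return null;
}

// Lockfile keys look like "node_modules/next" or, for nested copies,
// "node_modules/legacy-tool/node_modules/next"; the package name is the part
// after the last "node_modules/". Scoped names ("@scope/pkg") survive this.
function findAffectedPackages(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!name || !entry.version) continue;
    const range = isAffected(name, entry.version);
    if (range) findings.push({ path, name, version: entry.version, fixed: range.fixed });
  }
  return findings;
}

// Constructed sample lockfile: one direct hit, one package outside the table,
// one already fixed, and one nested pre-release that must not slip through.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.0.1' },
    'node_modules/next': { version: '15.0.3' },
    'node_modules/react': { version: '19.0.0' },
    'node_modules/react-server-dom-webpack': { version: '19.0.1' },
    'node_modules/legacy-tool/node_modules/next': { version: '14.2.35-canary.2' },
  },
};

for (const f of findAffectedPackages(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.name}@${f.version} is affected, fixed in ${f.fixed}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The lockfile only says what is installed; whether the application actually exposes RSC endpoints still has to be confirmed separately.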
Attribute     | Detail
--------------|-------
CWE ID        | CWE-502 (Deserialization of Untrusted Data)
CVSS Score    | 10.0 (Critical)
Attack Vector | Network (Pre-Auth)
EPSS Score    | 47.37% (High)
KEV Status    | Listed (Active Exploitation)
Platform      | Node.js / React

MITRE ATT&CK Mapping

  • T1190 Exploit Public-Facing Application (Initial Access)
  • T1059.007 Command and Scripting Interpreter: JavaScript (Execution)
  • T1203 Exploitation for Client Execution (Execution). Note that T1203 describes exploiting client-side software such as browsers and document readers; for this server-side, pre-authentication RCE the entry-point technique is T1190, and the JavaScript executed on the server maps to T1059.007.
CWE-502
Deserialization of Untrusted Data

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the execution of arbitrary code.

Known Exploits & Detection

  • GitHub: Proof of concept for React2Shell exploitation
  • Assetnote: Scanner to identify vulnerable React Server Component endpoints
  • Nuclei: Detection template available

Vulnerability Timeline

  • 2025-12-03: Vendor releases security advisories and patches
  • 2025-12-04: Exploit PoCs begin appearing on GitHub
  • 2025-12-05: Added to CISA Known Exploited Vulnerabilities (KEV) Catalog
  • 2025-12-06: Active exploitation by China-nexus groups reported

References & Sources

  • [1] AWS Security Blog: China-Nexus Exploitation
  • [2] CISA KEV Entry

Related Vulnerabilities

  • CVE-2025-66478

Attack Flow Diagram


More Reports

GHSA-XF4V-W5X5-PV79: CSV Formula Injection in Spree Customer Export
CVSS 5.1 · Alon Barad · 6 min read · about 12 hours ago

A CSV Formula Injection vulnerability (CWE-1236) exists in the Spree headless eCommerce platform within the customer export functionality. An unauthenticated attacker can register a customer profile containing malicious formula sequences in fields like the first name or last name. When an administrator exports the customer data to a CSV file and opens it in a spreadsheet application, the spreadsheet engine can interpret and execute these formulas, potentially leading to remote command execution on the administrator's workstation or out-of-band data exfiltration.

CVE-2026-47694: Stored Cross-Site Scripting in WWBN AVideo Category Descriptions
CVSS 5.4 · Alon Barad · 7 min read · about 13 hours ago

A Stored Cross-Site Scripting (XSS) vulnerability exists in WWBN AVideo versions up to and including 29.0. Unsanitized category descriptions are stored in the database and subsequently rendered as raw HTML in the Gallery view plugin, allowing low-privileged authenticated users to execute arbitrary JavaScript in the browsers of visiting users.

GHSA-JPVJ-WPMJ-H7RV: Supply Chain Compromise and Malicious Code Injection in @cap-js/openapi
CVSS 9.6 · Amit Schendel · 5 min read · about 13 hours ago

A critical supply chain compromise was identified in the Node.js package @cap-js/openapi at version 1.4.1. An attacker gained unauthorized publishing access to the npm registry and distributed a backdoored release that harvests sensitive developer credentials, environment variables, and SSH keys. The malicious code then exfiltrates the collected data to external actor-controlled servers.

CVE-2026-47696: Authenticated Wallet Credit Bypass in WWBN AVideo AuthorizeNet Plugin
CVSS 7.1 · Amit Schendel · 5 min read · about 14 hours ago

An authenticated wallet credit bypass vulnerability exists in WWBN AVideo version 29.0 and earlier. The AuthorizeNet plugin includes an unfinished mockup endpoint, processPayment.json.php, which lacks actual transaction verification and hardcodes success. This allows any authenticated user to credit their wallet with arbitrary balances without making any payments.

GHSA-8WHC-2WMV-WW35: Unauthenticated Stored DOM-based Cross-Site Scripting in WWBN AVideo YPTSocket Plugin
CVSS 8.8 · Amit Schendel · 7 min read · about 14 hours ago

An unauthenticated stored DOM-based Cross-Site Scripting (DOM XSS) vulnerability in the YPTSocket plugin of WWBN AVideo (formerly YouPHPTube) allows remote attackers to execute arbitrary JavaScript within the session context of administrative users. Unsanitized metadata parameters supplied during the WebSocket handshake are persisted in an SQLite database and broadcast to connected users. The frontend application processes these parameters through an unsafe jQuery append sink, leading to silent, high-impact compromise of the administrative context.

CVE-2026-47676: Inconsistent Path Parsing and Slicing in Hono Framework Sub-Application Mounting
CVSS 5.3 · Alon Barad · 6 min read · about 15 hours ago

A path parsing and normalization inconsistency vulnerability exists in the Hono web framework prior to version 4.12.21. When hosting sub-applications via the app.mount() routing interface, Hono calculates the routing path prefix length on a percent-decoded representation of the URI but executes the path-slicing offset on the raw, percent-encoded string. This discrepancy results in malformed request paths being dispatched to mounted sub-applications, potentially leading to route bypasses, route confusion, and application-level Denial of Service.