React2Shell CVE-2025-55182: How a Critical Vulnerability Got a Perfect CVSS Score
A deep technical analysis of CVE-2025-55182, dubbed "React2Shell" - the first CVSS 10.0 vulnerability in React's history. How it works, why it's dangerous, and how to protect your applications.
Critical Security Advisory
- CVE: CVE-2025-55182
- CVSS Score: 10.0 (Critical) - Maximum severity
- Affected: React 18.0.0 - 19.2.3 with Server Components
- Attack Vector: Remote Code Execution (RCE)
- Exploitation Status: Active exploitation in the wild
- Patch: React 19.2.4 (released December 3, 2025)
Immediate Actions Required
npm update react react-dom# Verify version is 19.2.4 or highernpm list react
If you cannot update immediately, disable React Server Components or implement the WAF rules described below.
Technical Analysis
What is React2Shell?
React2Shell exploits a prototype pollution vulnerability in React Server Components' serialization layer. When a malicious payload is passed through specific component props, it can escape the serialization sandbox and execute arbitrary code on the server.
Vulnerability Mechanics
- Entry Point: Attacker crafts a malicious object with __proto__ or constructor properties
- Serialization Bypass: The payload exploits insufficient sanitization in React's flight protocol
- Prototype Pollution: Server-side Object.prototype gets polluted with attacker-controlled values
- Code Execution: Polluted prototypes trigger code execution during subsequent operations
Proof of Concept (Sanitized)
// WARNING: For educational purposes only
// This payload has been sanitized
const maliciousProps = {
__proto__: {
// Pollutes Object.prototype
polluted: true
},
constructor: {
prototype: {
// Triggers during JSON operations
toJSON: () => {
// RCE payload would execute here
return "pwned";
}
}
}
};
// When passed to a Server Component:
// <VulnerableComponent data={maliciousProps} />
// Server executes attacker codeWhy CVSS 10.0?
The maximum CVSS score reflects the severity across all metrics:
Attack Vector: Network
Exploitable remotely without authentication
Complexity: Low
No special conditions or race conditions required
Privileges: None
Unauthenticated attackers can exploit
Impact: Complete
Full server compromise possible
Affected Systems
| Framework | Affected Versions | Patched Version |
|---|---|---|
| React | 18.0.0 - 19.2.3 | 19.2.4 |
| Next.js | 13.0.0 - 15.0.3 | 15.0.4 |
| Remix | 2.0.0 - 2.14.2 | 2.14.3 |
| Gatsby | Not affected* | N/A |
*Gatsby uses client-side rendering only and is not affected by this RSC vulnerability.
Detection & Monitoring
Signs of Exploitation
- Unusual server process spawning (check for shell/cmd processes)
- Outbound connections to unknown IPs from your server
- Requests with malformed JSON containing "__proto__" or "constructor"
- Server-side errors mentioning prototype or constructor issues
- Unexpected file modifications in application directories
WAF Detection Rules (Cloudflare/AWS WAF)
# Block requests containing prototype pollution patterns
SecRule REQUEST_BODY "@rx (__proto__|constructor\.prototype)" \
"id:100001,phase:2,deny,status:403,\
msg:'React2Shell CVE-2025-55182 Attempt'"
# Block in query strings
SecRule ARGS "@rx (__proto__|constructor\.prototype)" \
"id:100002,phase:2,deny,status:403,\
msg:'React2Shell Query Parameter Attack'"Disclosure Timeline
Key Takeaways
- Patch immediately: Update to React 19.2.4 or disable Server Components
- Check for compromise: Review logs for prototype pollution patterns
- Deploy WAF rules: Block known attack patterns as defense in depth
- Monitor for updates: Follow React security advisories
Dillip Chowdary
Tech Entrepreneur & Innovator