CDNetworks WAF Proactively Protects against Critical React Vulnerability CVE-2025-55182

Last updated on December 5, 2025

Executive Summary

On December 3, 2025 (EST), a critical security vulnerability (CVE-2025-55182, CVE-2025-66478), known as React2Shell, was disclosed in React Server Components (RSC). It carries a CVSS score of 10.0, the highest severity level.

In response, CDNetworks immediately deployed a new protection rule (rule No.9625: React_Server_Components_rce) on our Web Application Firewall (WAF) to guard against this vulnerability.

If you’re using React Server Components, we strongly recommend taking action right away:

  1. Upgrade to a secure version of React as outlined in the official React blog.
  2. If an upgrade is not feasible in the short term, implement a Web Application Firewall (WAF) to block exploit attempts based on known attack signatures.

Vulnerability Overview

This vulnerability is caused by a flaw in the deserialization logic of the Flight protocol within React Server Components. The server does not fully validate the structure or content of serialized data sent by the client. As a result, an attacker can craft a malicious request that, when deserialized by the server, executes attacker-controlled code, bypassing the framework’s security restrictions and resulting in remote code execution (RCE).

The exploit itself is simple and doesn’t require authentication or user interaction. Any attacker with the ability to send an HTTP request to a vulnerable application can exploit the issue. Furthermore, because React Server Components (RSC) are vulnerable by default, the attack surface is significantly expanded, making it easier for malicious actors to exploit.

Affected versions of React Server Components include:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack (versions 19.0.0 to 19.2.0)
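As an added example (not CDNetworks’ or React’s own code), the following Node.js script walks a package-lock.json (lockfileVersion 2 or 3) and flags installs of the three packages above whose version falls inside the 19.0.0 to 19.2.0 range named here, including nested copies under node_modules/next. The exact patched release strings are an input you copy from the official React blog (left as an empty placeholder), and the sample lockfile is constructed.

```javascript
const AFFECTED_PACKAGES = ['react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack'];
const RANGE_LOW = [19, 0, 0], RANGE_HIGH = [19, 2, 0]; // affected range stated in the advisory

// Parse "19.1.0-canary-abc" into numeric core parts plus an optional prerelease tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] || null };
}

function compareCore(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// fixedVersions: exact patched version strings copied from the official React blog
// the advisory points to; left empty here as a placeholder.
function scanLockfile(lock, fixedVersions = []) {
  const findings = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    // Keys are "node_modules/foo" or "node_modules/next/node_modules/foo" (nested
    // install); the segment after the last "node_modules/" is the package name.
    const name = path.split('node_modules/').pop();
    if (!AFFECTED_PACKAGES.includes(name)) continue;
    const version = info.version || '';
    const parsed = parseVersion(version);
    let status;
    if (fixedVersions.includes(version)) status = 'patched';
    else if (!parsed) status = 'unparseable';
    else if (compareCore(parsed.core, RANGE_LOW) >= 0 && compareCore(parsed.core, RANGE_HIGH) <= 0) {
      // Assumption: a prerelease whose base version is in range is flagged too,
      // so canary builds get reviewed instead of silently passing.
      status = parsed.prerelease ? 'in-range-prerelease' : 'in-range';
    } else status = 'out-of-range';
    findings.push({ path, name, version, status });
  }
  return findings;
}

// Constructed sample lockfile fragment (not taken from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/next/node_modules/react-server-dom-turbopack': { version: '19.1.0-canary-abc123' },
    'node_modules/react-server-dom-parcel': { version: '19.2.1' },
  },
};
for (const f of scanLockfile(SAMPLE_LOCK)) console.log(f.status.padEnd(20), f.version.padEnd(22), f.path);
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and pass the patched versions from the React blog as the second argument.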

Who’s Affected?

React is one of the most widely used frontend development frameworks globally, and this vulnerability impacts a variety of environments, including:

  • Next.js versions 15.x and 16.x with App Router
  • Next.js version 14.3.0-canary.77 and higher
  • Other frameworks that integrate RSC features, such as Waku, RedwoodJS, and Vite RSC Plugin

Note: Applications that only use client-side rendering or Next.js with Pages Router are not impacted.

Why This Is So Dangerous

Because React Server Components are vulnerable in their default configuration, many applications are exposed out of the box, with no additional setup required on the attacker’s part. This significantly broadens the attack surface.

With Proof of Concept (PoC) code already publicly available, the window of exposure is rapidly widening, and organizations using RSC must act immediately to protect their systems.

Even though our WAF has already published a virtual patch to mitigate this vulnerability, we still strongly recommend that customers update to the latest version of React as soon as possible, with a focus on any publicly accessible applications.

For further guidance or assistance, please contact our support team.


The CDNetworks Intelligence Team will continue to monitor the situation and provide updates as necessary. Stay updated by following us on social media for the latest news and updates.
