React Server Components 19.0 / 19.1.0 / 19.1.1 / 19.2.0 Remote Code Execution (React2Shell)

critical Nessus Plugin ID 277585

Synopsis

The remote web server is affected by a remote code execution vulnerability.

Description

The remote host is affected by a remote code execution vulnerability:

- A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints. (CVE-2025-55182)

Solution

Upgrade to a fixed version of the affected package.

See Also

http://www.nessus.org/u?24e288bb

http://www.nessus.org/u?a05fbd14

http://www.nessus.org/u?c46ffecc

Plugin Details

Severity: Critical

ID: 277585

File Name: react_CVE-2025-55182.nbin

Version: 1.1

Type: remote

Family: CGI abuses

Published: 12/5/2025

Updated: 12/5/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 10.0

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-55182

CVSS v3

Risk Factor: Critical

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:vercel:next.js, cpe:/a:facebook:react

Exploited by Nessus: true

Patch Publication Date: 12/2/2025

Vulnerability Publication Date: 12/2/2025

Reference Information

CVE: CVE-2025-55182