React Server Components 19.0 / 19.1.0 / 19.1.1 / 19.2.0 Remote Code Execution (React2Shell)

Severity: Critical | Nessus Plugin ID 277585

Synopsis

The remote web server is affected by a remote code execution vulnerability.

Description

The remote host is affected by a remote code execution vulnerability:

- A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests sent to Server Function endpoints. (CVE-2025-55182)

Solution

Upgrade to a fixed version of the affected package.

See Also

http://www.nessus.org/u?24e288bb

http://www.nessus.org/u?a05fbd14

http://www.nessus.org/u?c46ffecc

Plugin Details

Severity: Critical

ID: 277585

File Name: react_CVE-2025-55182.nbin

Version: 1.4

Type: remote

Family: CGI abuses

Published: 12/5/2025

Updated: 12/19/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 10.0

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-55182

CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 9.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:facebook:react, cpe:/a:vercel:next.js

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 12/2/2025

Vulnerability Publication Date: 12/2/2025

CISA Known Exploited Vulnerability Due Dates: 12/12/2025

Exploitable With

Metasploit (Unauthenticated RCE in React and Next.js)

Reference Information

CVE: CVE-2025-55182

IAVA: 2025-A-0928