RedShield has proactively deployed protection from the Critical React Server Components vulnerability “React2Shell” (CVE-2025-55182) for its customers.

Given the criticality of this vulnerability, RedShield conducted an emergency deployment of new attack signatures as baseline signatures for all customer applications. The new signatures were first placed in transparent (non-blocking) mode for monitoring; RedShield subsequently determined that it was safe to put them into blocking mode.

RedShield’s application of the attack signatures in blocking mode mitigates this issue for customers of its application security service. However, attack signatures are compensating controls, and it is still important that customer teams identify impacted applications and apply vendor patches (see the information below, including a link to React’s page with more details).

RedShield will continue to monitor this vulnerability and advise customers of any changes.

Please contact support@redshield.co or www.redshield.co/contact if you have any additional questions on this vulnerability, or RedShield’s protection.

Background

On December 3rd UTC, security researchers disclosed a critical remote code execution (RCE) vulnerability in React Server Components (RSC). It affects the React 19 RSC packages and several frameworks that bundle these modules, including Next.js 15-16 (and 14.3.0-canary.77 and later canary releases).

The issue is rated CVSS 10.0 (Critical) and allows an unauthenticated attacker on the internet to execute arbitrary code on affected servers without any user interaction, potentially leading to full server compromise, data theft, and lateral movement inside a network.

RedShield is now seeing significant attack traffic targeting this vulnerability.

Note on identifying applications impacted by this vulnerability

React has advised that if your application’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.

Please check internally with your development teams to confirm whether React Server Components (RSC) or the specific Node modules listed below are being used.

For your development and security teams:

  • Check whether your applications use any of the following, and if so, which versions:
    • react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (the vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0), or
    • Next.js App Router / Server Actions in affected releases (Next.js 15.x, Next.js 16.x, and Next.js 14.3.0-canary.77 and later canary releases), or other RSC-capable frameworks.
  • Prioritise upgrading to the vendor’s patched versions. React’s page about CVE-2025-55182 is https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
  • Review exposed HTTP endpoints that handle RSC / Server Actions traffic and monitor for unusual POST requests.
