React2Shell: FAQ about React Server Components Vulnerability (CVE-2025-55182)

On December 3, the React Team published a blog post regarding a critical, maximum severity (CVSS 10) vulnerability affecting React Server Components.

CVE	Description	CVSSv3
CVE-2025-55182	React Server Components Remote Code Execution Vulnerability	10.0

The flaw, which is an unsafe deserialization vulnerability, has been named “React2Shell” by researchers, a nod to the Log4Shell vulnerability.

Additionally, the Next.js team published its own security advisory for CVE-2025-66478, a separate CVE to track the impact of CVE-2025-55182. However, the National Vulnerability Database (NVD) rejected it as a duplicate.

For more information about React2Shell, including the availability of patches and Tenable product coverage, please visit our blog.

React

REACT2SHELL

Vulnerability watch

Vulnerability Watch

Forum Discussion

React2Shell: FAQ about React Server Components Vulnerability (CVE-2025-55182)

Recent Discussions

CVE-2026-20127: Cisco Catalyst SD-WAN Controller/Manager Zero-Day Exploited in the Wild

Microsoft’s February 2026 Patch Tuesday Addresses 54 CVEs (CVE-2026-21510, CVE-2026-21513)

Frequently Asked Questions About Notepad++ Supply Chain Compromise

Ivanti Endpoint Manager Mobile Zero-Days Exploited (CVE-2026-1281, CVE-2026-1340)

Oracle January 2026 Critical Patch Update Addresses 158 CVEs

Americas

Europe

Asia / Australia