REACT2SHELL
React2Shell: FAQ about React Server Components Vulnerability (CVE-2025-55182)
On December 3, the React Team published a blog post regarding a critical, maximum severity (CVSS 10) vulnerability affecting React Server Components.

| CVE | Description | CVSSv3 |
| --- | --- | --- |
| CVE-2025-55182 | React Server Components Remote Code Execution Vulnerability | 10.0 |

The flaw, which is an unsafe deserialization vulnerability, has been named “React2Shell” by researchers, a nod to the Log4Shell vulnerability. Additionally, the Next.js team published its own security advisory for CVE-2025-66478, a separate CVE to track the impact of CVE-2025-55182. However, the National Vulnerability Database (NVD) rejected it as a duplicate.

For more information about React2Shell, including the availability of patches and Tenable product coverage, please visit our blog.