Meta: React.js Hit by Maximum-Severity 'React2Shell' Vulnerability

A critical remote code execution vulnerability in React.js has been identified.

React.js is a JavaScript library for building fast, interactive user interfaces (UIs) using reusable components.

Security researcher Lachlan Davidson reported the vulnerability to the Meta team on 29 November 2025.

Officially tracked as CVE-2025-55182, the flaw has been dubbed React2Shell, a not-so-subtle nod to the Log4Shell vulnerability discovered in 2021. It affects server-side use of React.js and carries the maximum CVSS severity rating of 10.0.

Separately, the Next.js team published its own security advisory on December 3 under a second identifier, CVE-2025-66478. The US National Vulnerability Database (NVD) subsequently rejected that CVE as a duplicate of CVE-2025-55182.

React (a UI library) and Next.js (a React-based framework) are used in a large share of modern web applications, so a server-side flaw in either has an unusually wide blast radius.

Successful exploitation of React2Shell could give an attacker the ability to run arbitrary code on, and take control of, the affected server, with broad compromise of any sensitive data the server can reach as a likely consequence.

“The ubiquity of React and Next.js, along with their ease of exploitation, makes these bugs significant. Exploitation is incredibly simple and can be achieved without authentication”, commented Ari Eitan, director of cloud security research at Tenable.

“A single malicious HTTP request can trigger remote code execution on the server side, which makes the issue ex

Source: https://www.infosecurity-magazine.com/news/reactjs-hit-by-react2shell/

Meta cybersecurity rating report: https://www.rankiteo.com/company/meta

{
  "id": "MET1764958087",
  "linkid": "meta",
  "type": "Vulnerability",
  "date": "12/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {
      "customers_affected": "Widespread (modern web applications using React.js)",
      "industry": "Software Development",
      "location": null,
      "name": "Meta (React.js)",
      "size": null,
      "type": "Technology Company"
    },
    {
      "customers_affected": "Widespread (modern web applications using Next.js)",
      "industry": "Software Development",
      "location": null,
      "name": "Next.js",
      "size": null,
      "type": "JavaScript Framework"
    }
  ],
  "attack_vector": "Malicious HTTP request",
  "data_breach": {
    "data_encryption": null,
    "data_exfiltration": null,
    "file_types_exposed": null,
    "number_of_records_exposed": null,
    "personally_identifiable_information": null,
    "sensitivity_of_data": "High",
    "type_of_data_compromised": "Sensitive data"
  },
  "date_detected": "2025-11-29",
  "date_publicly_disclosed": "2025-11-29",
  "description": "A critical remote code execution vulnerability in React.js, dubbed React2Shell, has been identified. The flaw affects server-side use of React.js and allows attackers to run arbitrary code and assume control of the victim server. The vulnerability is tracked as CVE-2025-55182 and has a CVSS severity rating of 10.0. A related CVE (CVE-2025-66478) for Next.js was rejected as a duplicate. Exploitation is simple and can be achieved without authentication via a single malicious HTTP request.",
  "impact": {
    "brand_reputation_impact": null,
    "conversion_rate_impact": null,
    "customer_complaints": null,
    "data_compromised": "Sensitive data",
    "downtime": null,
    "financial_loss": null,
    "identity_theft_risk": null,
    "legal_liabilities": null,
    "operational_impact": "Server compromise, arbitrary code execution",
    "payment_information_risk": null,
    "revenue_loss": null,
    "systems_affected": "Servers using React.js and Next.js"
  },
  "initial_access_broker": {
    "backdoors_established": null,
    "data_sold_on_dark_web": null,
    "entry_point": null,
    "high_value_targets": null,
    "reconnaissance_period": null
  },
  "investigation_status": "Ongoing",
  "post_incident_analysis": {
    "corrective_actions": null,
    "root_causes": "Critical remote code execution vulnerability in React.js server-side usage"
  },
  "ransomware": {
    "data_encryption": null,
    "data_exfiltration": null,
    "ransom_demanded": null,
    "ransom_paid": null,
    "ransomware_strain": null
  },
  "references": [
    { "date_accessed": null, "source": "Lachlan Davidson (Security Researcher)", "url": null },
    { "date_accessed": null, "source": "Meta Security Advisory (CVE-2025-55182)", "url": null },
    { "date_accessed": null, "source": "Next.js Security Advisory (CVE-2025-66478)", "url": null },
    { "date_accessed": null, "source": "Tenable (Ari Eitan, Director of Cloud Security Research)", "url": null },
    { "date_accessed": null, "source": "US National Vulnerability Database (NVD)", "url": null }
  ],
  "regulatory_compliance": {
    "fines_imposed": null,
    "legal_actions": null,
    "regulations_violated": null,
    "regulatory_notifications": null
  },
  "response": {
    "adaptive_behavioral_waf": null,
    "communication_strategy": "Security advisories published by React.js and Next.js teams",
    "containment_measures": null,
    "enhanced_monitoring": null,
    "incident_response_plan_activated": null,
    "law_enforcement_notified": null,
    "network_segmentation": null,
    "on_demand_scrubbing_services": null,
    "recovery_measures": null,
    "remediation_measures": null,
    "third_party_assistance": null
  },
  "title": "React2Shell: Critical Remote Code Execution Vulnerability in React.js",
  "type": "Remote Code Execution (RCE)",
  "vulnerability_exploited": "CVE-2025-55182 (React2Shell)"
}