CISA Adds Critical React Server Components Vulnerability to KEV Catalog Amid Active Attacks


Published: 08 Dec 2025

Author: Precedence Research


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has formally added a severe security flaw affecting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog, following confirmation that attackers are actively exploiting the issue in real-world environments.

The vulnerability, identified as CVE-2025-55182 and carrying a CVSS score of 10.0, is considered a critical remote code execution weakness. It is also known as React2Shell. The flaw allows a completely unauthenticated attacker to execute arbitrary code on a target server without any special configuration or privileges. This places vulnerable systems at significant risk, particularly in production environments where RSC is used to power dynamic server-rendered content.

CISA stated in its advisory that the problem is rooted in the way React decodes payloads sent to React Server Function endpoints. When processing these payloads, React performs deserialization operations that are not adequately secured. This gives attackers an opportunity to craft malicious HTTP requests that are interpreted as legitimate objects, which can then be leveraged to run commands remotely on the server.

Security experts warn that insecure deserialization has long been recognized as one of the most dangerous software vulnerability classes. Martin Zugec, technical solutions director at Bitdefender, explained that the React2Shell flaw is located in the react-server package, specifically in the logic responsible for parsing object references during the deserialization process. According to Zugec, this presents a high-impact attack surface because the Flight protocol within RSC handles data exchanges between the server and client by reconstructing objects from text-based payloads.

The issue has been patched in updated versions of several React Server Component libraries. The security fix is included in versions 19.0.1, 19.1.2, and 19.2.1 of the following packages:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

Since many modern JavaScript frameworks build on top of React and rely on these server component libraries, the impact extends beyond React itself. Downstream frameworks such as Next.js, React Router, Waku, Parcel, Vite, and RedwoodSDK are also affected. Projects that use these frameworks are strongly encouraged to immediately apply the patched versions.

By adding the flaw to the KEV catalog, CISA has made remediation mandatory for U.S. federal civilian agencies. This requirement underscores not only the severity of the vulnerability but also the urgency of deploying the patch, especially as active exploitation continues to rise.

Organizations using React Server Components or frameworks that depend on them are advised to perform immediate assessments, review dependency versions, and apply security updates as quickly as possible to prevent compromise.
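One way to act on that advice, checking the installed versions of the three listed packages against the patched releases, as an added example that is not the article's own code or CISA's; it assumes an npm v2/v3 package-lock.json layout and runs against a constructed sample lockfile.

```javascript
// Added example, not the article's code: audit a package-lock.json for the React
// Server Components packages the advisory lists, against its patched versions.
// Assumes npm lockfile v2/v3 layout; the sample lockfile below is constructed.
const AFFECTED = ["react-server-dom-webpack", "react-server-dom-parcel",
                  "react-server-dom-turbopack"];
// First patched release per 19.x minor line (from the advisory); other lines
// are reported as "unknown" rather than guessed.
const PATCHED_BY_MINOR = { 0: "19.0.1", 1: "19.1.2", 2: "19.2.1" };
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}
// Comparator; a prerelease (e.g. canary) sorts below its release, conservatively.
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) if (a[k] !== b[k]) return a[k] - b[k];
  if (a.pre === b.pre) return 0;
  return a.pre ? -1 : 1;
}

// "patched" | "vulnerable" | "unknown" | "not-affected" for one installed package.
function classify(name, version) {
  if (!AFFECTED.includes(name)) return "not-affected";
  const v = parseVersion(version);
  if (!v || v.major !== 19 || !(v.minor in PATCHED_BY_MINOR)) return "unknown";
  return compareVersions(v, parseVersion(PATCHED_BY_MINOR[v.minor])) >= 0
    ? "patched" : "vulnerable";
}

// Walk the lockfile "packages" map (keys are node_modules paths, nested copies
// included) and report every affected package with its status.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path || !meta.version) continue;            // skip the root "" entry
    const name = meta.name || path.split("node_modules/").pop();
    const status = classify(name, meta.version);
    if (status !== "not-affected") findings.push({ name, version: meta.version, status });
  }
  return findings;
}
// Constructed sample: one stale copy, one patched, one canary, one unrelated package.
const SAMPLE_LOCK = { packages: {
  "": { name: "app", version: "1.0.0" },
  "node_modules/react": { version: "19.2.1" },
  "node_modules/react-server-dom-webpack": { version: "19.1.1" },
  "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
  "node_modules/react-server-dom-parcel": { version: "19.2.1-canary-0000" },
}};
console.log(auditLockfile(SAMPLE_LOCK));
```

Nested copies under a framework's own node_modules (as with the Next.js entry in the sample) are reported separately, so a patched top-level package does not hide a stale transitive one.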
