CVE-2025-55182 (React2Shell): Critical remote code execution vulnerability

Urgent security advisory for companies using React / Next.js server components

What is CVE-2025-55182 (React2Shell)?

CVE-2025-55182, nicknamed React2Shell, is a critical remote code execution vulnerability in React Server Components (RSC) and the server-side packages that implement them. An attacker sends a specially crafted request to a server-function endpoint; the server deserializes the Flight-protocol payload unsafely, and that unsafe deserialization is what the attacker turns into code execution. In short: if your server accepts such requests, an unauthenticated attacker may be able to execute code on it.

Why this matters for eCommerce stores

  • Server compromise risk: arbitrary code execution can lead to data theft, injected malware, ransomware, order manipulation, or full backend takeover.
  • No authentication required: exploitation can be performed with a crafted HTTP request against affected endpoints.
  • Wide attack surface: many storefronts, dashboards, and admin tools use React, Next.js, or server component features — so the number of potentially affected sites is large.

Which components / versions are affected

Websites built on React Server Components or frameworks that bundle RSC code may be affected. Examples of vulnerable packages (at publication) include certain releases of:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack
  • Downstream frameworks and builds that include these packages (for example certain Next.js releases)

Note: even if your app does not use "server functions", support for RSC may still expose attack surface. Inventory and version checks are essential.

Are there fixes?

Yes — patched versions have been released. The definitive fix is to update vulnerable packages and downstream frameworks, then rebuild and redeploy. Temporary firewall/WAF rules can reduce risk while you patch, but they are not a replacement for upgrading.

Immediate action plan — what to do right now

  1. Inventory your stack: confirm whether your store uses React, Next.js, or any RSC-capable framework.
  2. Check versions: inspect package.json, lockfiles, and any bundled server code for vulnerable versions of react-server-dom-* and related packages.
  3. Patch & redeploy: update to the patched packages and fixed framework releases, then rebuild and redeploy your application.
  4. Temporary mitigation: if you cannot patch immediately, deploy WAF rules or firewall blocks to restrict suspicious POST/Flight payloads — this is a stop-gap only.
  5. Audit and monitor: search server logs for unexpected requests, immediately rotate compromised secrets, and prepare your incident response team in case of indicators of compromise.
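Steps 1 to 3 above are an inventory problem, and the nested copies that frameworks pull in are the ones a quick grep of package.json misses. The following script is an added example, not code from this advisory or from the React project: it walks an npm lockfile (lockfileVersion 2 or 3, which record every installed copy in a "packages" map keyed by install path), lists the react-server-dom-* packages including nested duplicates, and flags those older than a first-fixed version you supply. The lockfile is constructed, and the version thresholds are placeholders; the real thresholds come from the React / Next.js advisory for your release line.

```javascript
"use strict";

// Added example, not code from the advisory above. Inventories the
// react-server-dom-* packages recorded in an npm lockfile (lockfileVersion 2 or
// 3, which carry a "packages" map keyed by install path) and flags copies older
// than a caller-supplied first-fixed version. The lockfile and the version
// thresholds below are constructed placeholders; take the real thresholds from
// the React / Next.js advisory for your release line.

const RSC_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];

// Parse "major.minor.patch[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { main: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Comparator: negative if a < b. A prerelease sorts below its release
// (19.1.0-canary-x < 19.1.0); canary builds of these packages are common in
// lockfiles, so they must not be mistaken for the released version.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.main[i] !== pb.main[i]) return pa.main[i] - pb.main[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1; // lexical; good enough for flagging
}

// Walk the "packages" map. Every installed copy is listed, including nested
// duplicates under node_modules/<dep>/node_modules/..., which a grep of
// package.json alone would miss.
function findRscPackages(lockfile) {
  const found = [];
  for (const [installPath, meta] of Object.entries(lockfile.packages || {})) {
    if (installPath === "") continue; // the root project entry
    const marker = "node_modules/";
    const name = installPath.slice(installPath.lastIndexOf(marker) + marker.length);
    if (RSC_PACKAGES.includes(name) && meta.version) {
      found.push({ name, version: meta.version, path: installPath });
    }
  }
  return found;
}

// fixedVersions: { "<package>": "<first fixed version>" } from the vendor advisory.
// Returns the entries whose installed version is older than the fixed one.
function findVulnerable(found, fixedVersions) {
  return found.filter((p) => {
    const fixed = fixedVersions[p.name];
    return fixed !== undefined && compareSemver(p.version, fixed) < 0;
  });
}

// Constructed lockfile for the demonstration. On a real project load it with
// JSON.parse(fs.readFileSync("package-lock.json", "utf8")) instead.
const SAMPLE_LOCKFILE = {
  name: "storefront",
  lockfileVersion: 3,
  packages: {
    "": { name: "storefront", version: "1.0.0" },
    "node_modules/react": { version: "19.1.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.0" },
    "node_modules/next/node_modules/react-server-dom-turbopack": {
      version: "19.1.0-canary-1a2b3c4d-20250101",
    },
  },
};

// PLACEHOLDER thresholds, not the real fixed versions: replace with the values
// from the advisory before running this against a real lockfile.
const PLACEHOLDER_FIXED_VERSIONS = {
  "react-server-dom-webpack": "19.1.9",
  "react-server-dom-parcel": "19.1.9",
  "react-server-dom-turbopack": "19.1.9",
};

for (const p of findVulnerable(findRscPackages(SAMPLE_LOCKFILE), PLACEHOLDER_FIXED_VERSIONS)) {
  console.log(`VULNERABLE ${p.name}@${p.version} at ${p.path}`);
}
```

Run it once per deployable (each Next.js app, each admin tool) rather than once per repository, since nested copies differ between builds; yarn and pnpm lockfiles have a different shape and need their own reader.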

Developer-friendly checklist (copy/paste)

# Quick checklist for devs / ops
1. cd /path/to/project
2. grep -R "react-server-dom" package.json package-lock.json yarn.lock pnpm-lock.yaml || true
3. npm ls react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack || true
4. Update packages:
   - npm install react@latest react-server-dom-webpack@<patched-version> (or run your project's recommended upgrade)
   - Upgrade Next.js or other framework to the vendor-advised fixed release
5. Rebuild and redeploy (CI/CD): build → test → deploy to staging → smoke test → promote to production
6. Add WAF rule blocking suspicious Flight payloads (temporary)
7. Review server logs (past 7–14 days) for suspicious POSTs at server-function endpoints
8. Rotate deployed secrets and keys if suspicious activity is found

Replace <patched-version> with the exact patched versions published by React / your framework vendor. The WAF step is temporary and should not delay updates.
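Step 7 of the checklist, reviewing logs for suspicious POSTs at server-function endpoints, needs a concrete notion of "suspicious". The script below is an added example, not code from this advisory or from any vendor. It assumes a Next.js application, whose server-function calls are POST requests carrying a `Next-Action` header, and an access log written as JSON lines that record the method, path, client IP, request body size and request headers (default access logs usually omit headers, so this has to be enabled). The log lines and the allowlist of action IDs are constructed; on a real deployment the allowlist is the set of action IDs your own build emits. Two heuristics are applied: an action ID your build never produced, and a body far larger than your forms send; the per-source summary then separates a stale cached page from a client cycling through many unknown IDs.

```javascript
"use strict";

// Added example, not code from the advisory above. Triages access-log lines for
// server-function traffic that deserves a closer look. Assumptions, all
// constructed for this example: the application is Next.js, whose server-function
// calls are POST requests carrying a "Next-Action" header; the log is JSON lines
// with method, path, ip, bytes_in and the request headers; and KNOWN_ACTION_IDS
// holds the action IDs emitted by your own build (the values below are made up).

// Action IDs your build actually exposes (hypothetical values).
const KNOWN_ACTION_IDS = new Set([
  "7f3a9c1e2b4d5f6a8c9e0b1d2f3a4c5e6a7b8c9d",
  "0a1b2c3d4e5f60718293a4b5c6d7e8f901234567",
]);

// Legitimate form submissions in this store are small; tune per site.
const MAX_BODY_BYTES = 64 * 1024;

function parseLogLines(text) {
  return text
    .split("\n")
    .filter((line) => line.trim() !== "")
    .map((line, i) => {
      try {
        return JSON.parse(line);
      } catch (err) {
        throw new Error(`bad log line ${i + 1}: ${err.message}`);
      }
    });
}

// Header names are case-insensitive; normalise before lookup.
function lowerHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

// One finding per suspicious server-function request, with the reasons that
// fired. Requests that are not POST or carry no Next-Action header are not
// server-function calls and are skipped.
function triageServerFunctionRequests(entries) {
  const findings = [];
  for (const e of entries) {
    const actionId = lowerHeaders(e.headers)["next-action"];
    if (e.method !== "POST" || actionId === undefined) continue;
    const reasons = [];
    if (!KNOWN_ACTION_IDS.has(actionId)) reasons.push("unknown action id");
    if ((e.bytes_in || 0) > MAX_BODY_BYTES) reasons.push("oversized body");
    if (reasons.length > 0) {
      findings.push({ time: e.time, ip: e.ip, path: e.path, actionId, reasons });
    }
  }
  return findings;
}

// Per-source summary: a single client cycling through many unknown action IDs
// looks like enumeration rather than a stale cached page.
function countBySource(findings) {
  const bySource = {};
  for (const f of findings) {
    const s = bySource[f.ip] || (bySource[f.ip] = { requests: 0, unknownIds: new Set() });
    s.requests += 1;
    if (f.reasons.includes("unknown action id")) s.unknownIds.add(f.actionId);
  }
  return bySource;
}

// Constructed log lines; IPs are from documentation ranges.
const SAMPLE_LOG = `
{"time":"2025-12-04T10:00:01Z","ip":"198.51.100.20","method":"POST","path":"/checkout","bytes_in":812,"headers":{"Next-Action":"7f3a9c1e2b4d5f6a8c9e0b1d2f3a4c5e6a7b8c9d","Content-Type":"text/plain;charset=UTF-8"}}
{"time":"2025-12-04T10:00:02Z","ip":"198.51.100.20","method":"GET","path":"/products","bytes_in":0,"headers":{"Accept":"text/html"}}
{"time":"2025-12-04T10:01:10Z","ip":"203.0.113.7","method":"POST","path":"/","bytes_in":530,"headers":{"next-action":"deadbeefdeadbeefdeadbeefdeadbeefdeadbeef","Content-Type":"text/plain;charset=UTF-8"}}
{"time":"2025-12-04T10:01:11Z","ip":"203.0.113.7","method":"POST","path":"/api/cart","bytes_in":200000,"headers":{"Next-Action":"cafebabecafebabecafebabecafebabecafebabe","Content-Type":"multipart/form-data; boundary=x"}}
{"time":"2025-12-04T10:02:00Z","ip":"192.0.2.9","method":"POST","path":"/checkout","bytes_in":900,"headers":{"Next-Action":"0a1b2c3d4e5f60718293a4b5c6d7e8f901234567"}}
`;

const summary = countBySource(triageServerFunctionRequests(parseLogLines(SAMPLE_LOG)));
for (const [ip, s] of Object.entries(summary)) {
  console.log(`${ip}: ${s.requests} suspicious server-function POSTs, ${s.unknownIds.size} unknown action ids`);
}
```

A hit from this script is a reason to pull the full request record and check the host for indicators of compromise, not proof of exploitation; an empty result is equally not proof of safety if your logs did not capture headers for the whole 7 to 14 day window.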

Why this should be a top priority

eCommerce sites handle customer information, orders, payments, and business logic, which makes them high-value targets. Because exploiting CVE-2025-55182 requires no authentication and can yield code execution, the potential for data loss, operational disruption, and reputational damage is high. Treat patching as an operational emergency.

Final thoughts

CVE-2025-55182 is a reminder that modern frameworks offer power but require vigilance.

Vendor Responses

Resources & advisories: follow the vendor and security advisories, patch notes, and WAF guidance, and use the vendor links for the exact patched version numbers.
