Open in the wild flaw
The US Cybersecurity and Infrastructure Security Agency (CISA) added a critical security flaw affecting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog after exploitation in the wild.
The flaw CVE-2025-55182 (CVSS score: 10.0) or React2Shell hints towards a remote code execution (RCE) that can be triggered by an illicit threat actor without needing any setup.
Remote code execution
According to the CISA advisory, “Meta React Server Components contains a remote coThe incident surfaced when Amazon said it found attack attempts from infrastructure related to Chinese hacking groupsde execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.”
The problem comes from unsafe deserialization in the library’s Flight protocol, which React uses to communicate between a client and server. It results in a case where an unauthorised, remote hacker can deploy arbitrary commands on the server by sending specially tailored HTTP requests. The conversion of text into objects is considered a dangerous class of software vulnerability.
About the flaw
“The React2Shell vulnerability resides in the react-server package, specifically in how it parses object references during deserialization,” said Martin Zugec, technical solutions director at Bitdefender.
The incident surfaced when Amazon said it found attack attempts from infrastructure related to Chinese hacking groups such as Jackpot Panda and Earth Lamia. “W
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: