Critical React2Shell RCE Vulnerability Disclosed by Meta

Severity: High (Score: 72.0)

Sources: News.Ycombinator, sylvie.fyi

Summary

On December 3, 2025, Meta disclosed CVE-2025-55182, a critical remote code execution vulnerability dubbed React2Shell, affecting React Server Components. The flaw arises from improper type validation in the Flight protocol, allowing attackers to construct arbitrary code execution paths. This vulnerability potentially impacts millions of websites using React. The initial discovery was made by Lachlan Davidson on November 30, 2025, while he was investigating the Flight protocol. Meta released a fix shortly after the disclosure, urging developers to update immediately. The first public proof of concept (PoC) was shared on December 19, 2025, indicating the vulnerability's exploitability. Security professionals are advised to prioritize patching affected systems to mitigate risks.

Key Points

  • CVE-2025-55182 is a critical RCE vulnerability in React Server Components.
  • The vulnerability affects millions of websites and was disclosed by Meta on December 3, 2025.
  • Developers are urged to apply patches immediately to prevent exploitation.

Key Entities

  • Zero-day Exploit (attack_type)
  • Meta (company)
  • CVE-2025-55182 (cve)
  • CWE-94 - Code Injection (cwe)
  • T1059.007 - JavaScript (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1190 - Exploit Public-Facing Application (mitre_attack)
  • Go (mitre_attack)
  • Flight (platform)
  • MariaDB (platform)
  • NextJS (platform)
  • React (platform)
  • React2Shell (malware)