Critical React2Shell RCE Vulnerability Disclosed by Meta

Critical React2Shell RCE Vulnerability Disclosed by Meta

First seen 9 May 2026, 00:36 UTC News.Ycombinatorsylvie.fyi 72% similarity 72.0

Article Content

Browse articles
ThreatCluster

On December 3, 2025, Meta disclosed CVE-2025-55182, a critical remote code execution vulnerability dubbed React2Shell, affecting React Server Components. The flaw arises from improper type validation in the Flight protocol, allowing attackers to construct arbitrary code execution paths. This vulnerability potentially impacts millions of websites using React. The initial discovery was made by Lachlan Davidson on November 30, 2025, while he was investigating the Flight protocol. Meta released a fix shortly after the disclosure, urging developers to update immediately. The first public proof of concept (PoC) was shared on December 19, 2025, indicating the vulnerability's exploitability. Security professionals are advised to prioritize patching affected systems to mitigate risks.

Key Points: • CVE-2025-55182 is a critical RCE vulnerability in React Server Components. • The vulnerability affects millions of websites and was disclosed by Meta on December 3, 2025. • Developers are urged to apply patches immediately to prevent exploitation.

ThreatCluster AI

Timeline

2025-11-30
Critical vulnerability reported to Meta
Lachlan Davidson reported the React2Shell vulnerability to Meta, initiating the disclosure process.
News.Ycombinator
2025-12-03
CVE-2025-55182 published
Meta disclosed the React2Shell vulnerability, detailing its impact and urging updates.
sylvie.fyi
2025-12-05
CVE added to CISA KEV
CISA added CVE-2025-55182 to its Known Exploited Vulnerabilities catalog due to active exploitation.
Date unknown
2025-12-19
First public PoC released
The first public proof of concept demonstrating the exploitability of React2Shell was shared.
Date unknown

Community

Browse all →