
[EdgeOne] Security Advisory: Protection Against the React2Shell Remote Code Execution (RCE) Vulnerability
2025-12-24 10:36:50

Overview
On December 3, 2025, the frontend framework React disclosed a critical security vulnerability, CVE-2025-55182 (also known as the React2Shell vulnerability; CVE-2025-66478 refers to the same issue), affecting its React Server Components (RSC) functionality. The vulnerability stems from the server's failure to sufficiently validate request data from the client, resulting in an insecure deserialization flaw.
An attacker can trigger arbitrary code execution on the server by sending specially crafted malicious HTTP requests without any prior authentication. Websites utilizing affected versions of React (19.0.0, 19.1.0, and 19.2.0) or associated frameworks (such as Next.js 15/16) are at risk. Exploitation of this vulnerability may allow attackers to gain remote control of the server, leading to severe consequences including data breaches, malware implantation, or service disruption.
The vulnerability CVE-2025-55182 carries a CVSS score of 10.0 (the highest severity level), representing a risk of complete compromise to the web application server.

Vulnerability Risk Details
After obtaining initial access via CVE-2025-55182, attackers can utilize wget and curl commands to download and execute malicious scripts and persistent Linux Trojans. This enables them to establish reverse shell connections for remote server control. In certain cases, attackers have employed "fileless" methods to execute malicious scripts and deploy additional malware such as SNOWLIGHT and VShell, facilitating long-term persistence and further lateral movement.

Affected Scope
CVE-2025-55182 affects the React 19 framework and its ecosystem, including:
React: Versions 19.0, 19.1, and 19.2.
Next.js: Versions 15.x and 16.x (App Router), including Canary builds of version 14.3.0 and above.
Other Related Frameworks: Any framework built on React Server Components, including React Router, Waku, RedwoodSDK, Parcel, and Vite RSC plugins.

Protection via EdgeOne for CVE-2025-55182 and CVE-2025-66478
In response to this React Server Components RCE vulnerability, EdgeOne released dedicated protection rules on December 4, 2025. These rules have been integrated into the Managed Rules. Categorized under "Open Source Component Vulnerabilities," these rules are designed to detect and intercept malicious requests targeting CVE-2025-55182, ensuring that attack traffic is blocked before reaching the origin server.
For users who have enabled automatic protection for "Open Source Component Vulnerabilities," the new rules were automatically deployed and took effect immediately upon release. EdgeOne Managed Rules will intercept these attacks at the edge without requiring manual intervention. Meanwhile, the EdgeOne security team continues to monitor threat intelligence related to this vulnerability to refine and optimize protection strategies for maximum effectiveness.

Note:
For sites with "Evaluation Mode" enabled or where "Open Source Component Vulnerabilities" is set to "Manual Protection," the rules for CVE-2025-55182 will be set to "Observation" mode by default. In this mode, attack requests are logged but not intercepted. Please refer to the recommendations below to update your configuration and enable active protection.

Using EdgeOne Managed Rules for Protection
To safeguard your web services, EdgeOne provides protection strategies against CVE-2025-55182 for all users. Please refer to the following configuration steps to identify and block attack traffic:
Disable "Evaluation Mode" for Managed Rules.
Ensure that the "Open Source Component Vulnerabilities" rule group is set to "Automatic Protection" (available for Standard and Enterprise editions).
If automatic updates are not enabled, switch to manual protection and set Rule IDs 4401216445 and 4401216452 to "Block."
For users on Free and Personal plans, set the "Free Vulnerability Protection Rule Set" to "Block," or manually set Rule IDs 4401216445 and 4401216452 to "Block."

Recommendation:
If your services are impacted by this vulnerability, it is highly recommended to upgrade your framework to the following secure versions to remediate the underlying risk of CVE-2025-55182:
React: Upgrade to 19.0.1, 19.1.2, 19.2.1, or higher.
Next.js: Update to a stable version containing the fix (16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, or 15.0.5).
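As an added example (not code from the advisory or from EdgeOne), the following dependency-free Node.js script classifies the React and Next.js versions recorded in an npm lockfile against the affected and fixed versions listed above; the lockfile fragment is constructed, and the "review" status is this example's own label for 15.x/16.x minor lines for which the advisory names no fixed version.

```javascript
// Added example, not EdgeOne's or the advisory's code: classify React / Next.js
// versions against the affected and fixed versions the advisory lists.
const FIXED = { // minor line -> first fixed version, as stated in the advisory
  react: { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' },
  next: { '16.0': '16.0.7', '15.5': '15.5.7', '15.4': '15.4.8', '15.3': '15.3.6',
          '15.2': '15.2.6', '15.1': '15.1.9', '15.0': '15.0.5' },
};

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Semver ordering on the core triple; a prerelease sorts below its release.
function compare(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// 'affected' | 'fixed' | 'review' (in scope, no fixed version listed) | 'not-in-scope'
function assess(pkg, version) {
  const v = parseVersion(version);
  if (pkg === 'next' && v.major === 14) { // canary builds of 14.3.0+ are in scope
    return v.minor >= 3 && /canary/.test(v.pre || '') ? 'affected' : 'not-in-scope';
  }
  const fixed = (FIXED[pkg] || {})[`${v.major}.${v.minor}`];
  if (fixed) return compare(v, parseVersion(fixed)) < 0 ? 'affected' : 'fixed';
  if (pkg === 'next' && (v.major === 15 || v.major === 16)) return 'review';
  return 'not-in-scope';
}

// Walk the "packages" map of an npm lockfile (v2/v3) and report react/next entries.
function scanLockfile(lock) {
  return Object.entries(lock.packages || {}).flatMap(([path, meta]) => {
    const name = path.split('node_modules/').pop();
    if (name !== 'react' && name !== 'next') return [];
    return [{ path, name, version: meta.version, status: assess(name, meta.version) }];
  });
}

// Constructed sample lockfile fragment (not from a real project) to demonstrate the scan.
const SAMPLE_LOCK = { packages: { 'node_modules/react': { version: '19.1.1' },
                                  'node_modules/next': { version: '15.5.7' } } };
console.log(scanLockfile(SAMPLE_LOCK));
```

Point `scanLockfile` at the parsed contents of a real package-lock.json to get one finding per react/next entry, including nested copies under other packages.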
