TL;DR: A critical Remote Code Execution (RCE) vulnerability tracked as CVE-2025-55182 (nicknamed React2Shell) was disclosed in early December 2025 and affects React Server Components and several react-server-dom packages. It has a CVSS score of 10.0, is patchable (patches released for affected packages), and there are reports of active exploitation in the wild. If you run Server Components (RSC / Flight) in your stack, patch immediately, audit for compromise, and follow the mitigation checklist below.
What was the vulnerability?
- What: CVE-2025-55182 — an unauthenticated pre-auth remote code execution (RCE) in React Server Components’ Flight/“server DOM” handling. Under certain request patterns an attacker can cause server-side code execution.
- When disclosed: Early December 2025 (React security advisory published Dec 3, 2025).
- Severity: CVSS 10.0 (maximum) — meaning immediate action is required for vulnerable systems.
Who/what is affected
- Affected packages (examples called out by the React team): react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack in specific 19.x releases (React 19 Server Component artifacts). If your application supports Server Components or includes the Flight protocol handler, you may be exposed even if you’re not intentionally using server functions.
- The vulnerability increases risk for environments where React Server Components are enabled, including many Next.js, Vite, Parcel, or custom server stacks that integrate RSC/Flight transport. Rapid7 and other responders warn of widespread risk and active exploitation.
Active exploitation & follow-on findings
Multiple security teams and incident responders reported in-the-wild exploitation shortly after disclosure; some threat actors are actively scanning and attempting RCEs against exposed Flight endpoints. In follow-ups, researchers also identified additional, lower-severity issues (DoS, potential source-code exposure) discovered while testing patches — patching remains the primary mitigation.
Immediate action — emergency checklist (apply now)
- Patch affected packages to the patched releases from the React team immediately (React released patched versions such as 19.0.1, 19.1.2, 19.2.1 for the server-dom packages — upgrade the specific react-server-dom-* packages in your projects). Example commands (adjust package name/version to your stack):
```bash
# example — pick the server-dom package(s) your project uses
# (use the patched release for your React 19.x line: 19.0.1, 19.1.2 or 19.2.1)
npm install react-server-dom-webpack@19.2.1
# or for yarn:
yarn add react-server-dom-webpack@19.2.1
# verify installed versions
npm ls react-server-dom-webpack
```
(Replace react-server-dom-webpack with react-server-dom-parcel or react-server-dom-turbopack as relevant.)
- If you can’t patch immediately: temporarily disable or block public access to Flight / RSC endpoints (for example, restrict access via firewall/WAF or remove the route handler) until you can apply the patch. Treat any exposed Flight endpoints as high-risk.
- Apply WAF / network rules to block malformed Flight requests and known exploit signatures (many vendors published rules within hours of disclosure). Use your cloud provider’s managed WAF rules if available.
- Audit & hunt for compromise: look for suspicious activity around the disclosure date and afterwards:
  - Unexpected process spawning, new files, or reverse shells on servers running RSC.
  - Unusual outbound connections (e.g., to IPs/domains you don’t recognize).
  - Web server logs showing abnormal HTTP requests to Flight endpoints (highly crafted POSTs, odd content lengths, serialized payloads).
  - Newly created service accounts/keys or changed credentials.
- Contain & remediate if you detect compromise: isolate affected hosts, rotate credentials, preserve logs for forensics, rebuild from known-good images, and notify stakeholders. Consider engaging incident response if you find signs of RCE.
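To support the patch step above, here is an added example (not code from the advisory, the React project, or Om Softwares) that audits a package-lock.json for the three react-server-dom-* packages the advisory names and classifies each installed copy against the patched release for its React 19.x line. The sample lockfile is constructed; the fix-version table only covers the 19.0, 19.1 and 19.2 lines listed on this page, and any other version (older majors, newer minors, canary builds) is deliberately reported as "unknown" rather than guessed.

```javascript
// Added example, not code from the advisory or the React project: audit a
// package-lock.json (lockfileVersion 2 or 3, "packages" map) for the
// react-server-dom-* packages named in the advisory and classify each
// installed copy against the patched release for its React 19.x line.

const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Patched releases the advisory lists, keyed by "major.minor" line.
// Assumption: only these three lines are known to this script; any other
// version (older majors, newer minors, canary/pre-release builds) is reported
// as "unknown" so a human checks it against the current advisory.
const FIXED_BY_LINE = {
  "19.0": [19, 0, 1],
  "19.1": [19, 1, 2],
  "19.2": [19, 2, 1],
};

// Parse "MAJOR.MINOR.PATCH"; returns null for anything else, including
// pre-release builds ("19.2.0-canary-..."), which are not safely comparable.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// "patched" | "vulnerable" | "unknown" for one version string.
function classifyVersion(version) {
  const parsed = parseVersion(version);
  if (!parsed) return "unknown";
  const fixed = FIXED_BY_LINE[`${parsed[0]}.${parsed[1]}`];
  if (!fixed) return "unknown";
  return compareVersions(parsed, fixed) >= 0 ? "patched" : "vulnerable";
}

// Walk the lockfile's "packages" map. Keys look like
// "node_modules/react-server-dom-webpack" or, for a nested duplicate,
// "node_modules/some-dep/node_modules/react-server-dom-webpack".
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!AFFECTED_PACKAGES.has(name)) continue;
    findings.push({ path, name, version: entry.version, status: classifyVersion(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile (not a real project): one vulnerable copy, one
// patched nested copy, and one canary build that needs manual review.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/ui-kit/node_modules/react-server-dom-parcel": { version: "19.1.2" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.0-canary-example" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; yarn and pnpm lockfiles have a different shape and need their own reader. A "vulnerable" finding means upgrade that package as in the patch step; "unknown" means check the version by hand. Because the lockfile records what was resolved rather than what is deployed, confirm with `npm ls` on the running host as the checklist already suggests.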
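For the "audit & hunt" step, here is an added example (not code from the advisory or from Om Softwares) of a first-pass triage over web server access logs for two of the indicators listed: POSTs to Flight/RSC routes carrying unusually large bodies, and a single source hammering those routes. Everything it keys on is an assumption to adapt to your stack: the log lines are assumed to be nginx/Apache "combined" format with the request length ($request_length) appended as a final field, the route prefixes are placeholders, and the size and burst thresholds are examples. The sample log is constructed from RFC 5737 documentation addresses.

```javascript
// Added example, not code from the advisory: a first-pass triage over web
// server access logs for the indicators in the hunt checklist, i.e. POSTs to
// RSC/Flight routes carrying unusually large bodies and single sources
// hammering those routes. Assumptions (all placeholders to adapt): lines are
// "combined" format with the request length ($request_length) appended as a
// final field; the route prefixes and thresholds are examples only.

const FLIGHT_ROUTES = ["/_rsc", "/api/flight"];   // assumed route prefixes
const MAX_REQUEST_BYTES = 64 * 1024;              // assumed size threshold
const BURST_THRESHOLD = 5;                        // assumed per-source count

// ip ident user [time] "METHOD path PROTO" status bytes "referer" "agent" request_length
const LINE_RE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "[^"]*" "([^"]*)" (\d+)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    ip: m[1],
    time: m[2],
    method: m[3],
    path: m[4],
    status: Number(m[5]),
    userAgent: m[7],
    requestLength: Number(m[8]),
  };
}

// Exact match or prefix match on a path or query boundary, so that
// "/_rsc?x=1" and "/_rsc/page" match while "/_rscx" does not.
function isFlightRoute(path) {
  return FLIGHT_ROUTES.some(
    (p) => path === p || path.startsWith(p + "/") || path.startsWith(p + "?")
  );
}

// Returns one alert per oversized POST and one "burst" alert per source that
// hit Flight routes at least BURST_THRESHOLD times in the supplied lines.
function huntFlightRequests(lines) {
  const alerts = [];
  const perSource = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || !isFlightRoute(r.path)) continue;
    perSource.set(r.ip, (perSource.get(r.ip) || 0) + 1);
    if (r.method === "POST" && r.requestLength > MAX_REQUEST_BYTES) {
      alerts.push({ kind: "large-post", ip: r.ip, time: r.time, path: r.path,
                    requestLength: r.requestLength, status: r.status });
    }
  }
  for (const [ip, count] of perSource) {
    if (count >= BURST_THRESHOLD) alerts.push({ kind: "burst", ip, count });
  }
  return alerts;
}

// Constructed sample log (RFC 5737 documentation addresses, not real traffic):
// normal browsing from one client and a burst of POSTs, one oversized, from another.
const SAMPLE_LOG = [
  '203.0.113.7 - - [04/Dec/2025:10:00:01 +0000] "GET /about HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 412',
  '203.0.113.7 - - [04/Dec/2025:10:00:02 +0000] "POST /_rsc?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 1835',
  '198.51.100.23 - - [04/Dec/2025:10:00:05 +0000] "POST /_rsc HTTP/1.1" 500 0 "-" "custom-client/1.0" 131072',
  '198.51.100.23 - - [04/Dec/2025:10:00:06 +0000] "POST /_rsc HTTP/1.1" 400 0 "-" "custom-client/1.0" 2210',
  '198.51.100.23 - - [04/Dec/2025:10:00:06 +0000] "POST /_rsc HTTP/1.1" 400 0 "-" "custom-client/1.0" 2214',
  '198.51.100.23 - - [04/Dec/2025:10:00:07 +0000] "POST /_rsc HTTP/1.1" 400 0 "-" "custom-client/1.0" 2203',
  '198.51.100.23 - - [04/Dec/2025:10:00:07 +0000] "POST /_rsc HTTP/1.1" 500 0 "-" "custom-client/1.0" 2300',
  'not a log line at all',
];

for (const a of huntFlightRequests(SAMPLE_LOG)) console.log(JSON.stringify(a));
```

An alert here is a lead for a human, not a verdict: a legitimate client can send a large Flight request, and a burst from one address may be a proxy. Pair the output with the host-level indicators in the checklist (new processes, new files, unexpected outbound connections) before deciding a server is compromised, and widen the time window to cover the whole period since the Dec 3 advisory.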
Longer-term hardening (lessons & best practices)
- Minimize attack surface: only enable Server Components/Flight if your app absolutely needs them. Default to client rendering or server-side rendering where RSC is unnecessary.
- Keep runtime and dependencies evergreen: automate dependency updates and use dependency-monitoring tools (Snyk, Dependabot, etc.) to pick up critical CVEs. Many attacks chain through dependency issues (e.g., sanitizers, prototype-pollution libs).
- Implement robust runtime least privilege: run app processes with limited permissions, avoid running arbitrary interpreters bundled in app containers, and restrict outbound connections to required destinations.
- Logging & detection: enrich logs around server rendering endpoints and set alarms for anomalous request patterns.
- Incident playbooks: ensure teams know how to isolate, patch, and rebuild quickly.
How Om Softwares Cloud Services can help you
At Om Softwares — Cloud Services, we acknowledge how serious these React Server Component issues are. We recommend you report the problems to your RMS as soon as possible so your operations teams and risk managers can prioritize remediation. Our cloud & maintenance teams are actively:
- scanning managed customer environments for vulnerable react-server-dom-* packages,
- applying vendor-recommended patches where we have patching authority, and
- adding WAF signatures and temporary access controls to block known exploit patterns.
If you already have Om Softwares maintenance services, don’t worry — our team is proactively triaging and patching customer systems and will contact you directly with findings and next steps. If you are not on maintenance and would like assistance, contact our support so we can help you patch, audit, or perform incident response. (Report to your RMS and notify Om Softwares support immediately so we can take coordinated action.)