Concise Cyber

React2Shell Vulnerability CVE-2025-55182 Exposes React.js Servers to RCE

A maximum-severity vulnerability, dubbed React2Shell, has been discovered impacting the popular React.js JavaScript library. The flaw, tracked as CVE-2025-55182, received a CVSS score of 10.0, indicating its critical nature. The vulnerability was found by researchers at the cybersecurity firm Assetnote and affects the react-server-dom-webpack npm package.

This critical security issue allows for unauthenticated Remote Code Execution (RCE) on servers utilizing the affected package. Developers using React Server Components (RSC) in conjunction with the webpack bundler are directly impacted.

Vulnerability Details and Impact

The React2Shell vulnerability is a prototype pollution flaw. This type of vulnerability allows an attacker to manipulate the server-side module resolution mechanism. By exploiting this, a threat actor can achieve arbitrary module loading on the server, which directly leads to Remote Code Execution. Assetnote researchers publicly disclosed their findings on May 2, detailing the technical specifics of the exploit.
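The article names prototype pollution as the vulnerability class but does not show what that looks like in code. The following is an added illustration, not code from the article, from Assetnote or from React, and it deliberately does not reproduce the React-specific module-resolution path; it shows the generic pattern behind the class (a recursive merge that trusts untrusted keys) beside a hardened merge and a detection probe. The function names, the constructed JSON payload and the "isAdmin" property are all hypothetical.

```javascript
// Added example, not code from the article or from React: a generic
// illustration of the prototype-pollution class and a hardened merge.
// Function names and the sample payload are constructed for this example.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: a recursive merge that trusts every key in `source`.
// On a plain object, the key "__proto__" resolves to Object.prototype, so the
// recursion writes the nested values onto every object in the process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: refuse prototype-related keys and only recurse into
// properties the target actually owns, so writes can never escape `target`.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop the key, or reject the whole input
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection probe: Object.prototype should never own an application property.
function isPolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Constructed input shaped like untrusted JSON from a request body.
// JSON.parse creates an *own* property literally named "__proto__", which is
// what lets the unsafe merge reach Object.prototype during recursion.
const UNTRUSTED_JSON = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Runs one merge implementation against the constructed payload and reports
// whether the global Object.prototype was modified; cleans up afterwards.
function demo(mergeFn) {
  const settings = { theme: 'light' };
  mergeFn(settings, JSON.parse(UNTRUSTED_JSON));
  const polluted = isPolluted('isAdmin');
  delete Object.prototype.isAdmin; // restore global state for the next run
  return { theme: settings.theme, polluted };
}

console.log('unsafeMerge:', demo(unsafeMerge)); // { theme: 'dark', polluted: true }
console.log('safeMerge:  ', demo(safeMerge));   // { theme: 'dark', polluted: false }
```

Beyond the key deny-list, two defence-in-depth options are worth knowing: building objects that receive untrusted keys with `Object.create(null)` so they have no prototype to pollute, and running Node with `--disable-proto=delete` (or `=throw`) so the `__proto__` accessor is unavailable to the process. Neither replaces updating the affected package.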

Patch and Remediation Guidance

In response to the disclosure, Meta, the maintainer of React, has issued a patch to address the vulnerability. All versions of the react-server-dom-webpack package prior to version 19.0.0-canary-0289294f3-20240425 are considered vulnerable. Developers and organizations using the affected React.js components are strongly urged to update to the latest patched version immediately to mitigate the risk of exploitation.

Source: https://www.infosecurity-magazine.com/news/reactjs-hit-by-react2shell/