# Access Control: React2Shell CVE-2025-55182 - Shell RCE

Identifier: `react2shell_1`
## Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner |
|---|---|---|
## Description

React Server Components 19.0.0, 19.1.0, 19.1.1, and 19.2.0, including react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack, contain a remote code execution vulnerability caused by unsafe deserialization of payloads sent in HTTP requests to Server Function endpoints. It lets an unauthenticated attacker execute arbitrary code remotely; no authentication is required to exploit it. If this issue is raised, it means that the scanner was able to execute shell commands on the target, which is the worst-case scenario.
Reference:
- https://github.com/assetnote/react2shell-scanner
- https://gist.github.com/maple3142/48bc9393f45e068cf8c90ab865c0f5f3
- https://www.facebook.com/security/advisories/cve-2025-55182
- http://www.openwall.com/lists/oss-security/2025/12/03/4
- https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp
- https://vercel.com/changelog/cve-2025-55182
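As an added defender-side example (not part of this page or the scanner's own code), the Python below audits an npm lockfile for the three react-server-dom packages at the affected versions listed above, so a team can confirm whether a deployment is in scope for this check before or after the scanner flags it. It reads `package-lock.json` rather than `package.json` because the lockfile records resolved versions instead of semver ranges; the sample lockfile contents are constructed inline for the demo, and the exact-match comparison reflects the specific versions this page names.

```python
import json

# Affected packages and versions exactly as listed in the Description above.
AFFECTED_PACKAGES = {
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
    "react-server-dom-webpack",
}
AFFECTED_VERSIONS = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}


def _walk_v1(deps: dict, hits: list) -> None:
    """lockfileVersion 1 nests transitive packages under 'dependencies'."""
    for name, meta in deps.items():
        version = meta.get("version", "")
        if name in AFFECTED_PACKAGES and version in AFFECTED_VERSIONS:
            hits.append((name, version))
        _walk_v1(meta.get("dependencies", {}), hits)


def find_affected(lockfile_text: str) -> list[tuple[str, str]]:
    """Return sorted (package, version) pairs from a package-lock.json whose
    resolved version is one of the affected releases. Handles both the
    flat 'packages' map (lockfileVersion 2/3) and the nested 'dependencies'
    tree (lockfileVersion 1)."""
    lock = json.loads(lockfile_text)
    hits: list[tuple[str, str]] = []

    for path, meta in lock.get("packages", {}).items():
        # Keys look like "node_modules/react-server-dom-webpack" or, for nested
        # installs, "node_modules/next/node_modules/react-server-dom-turbopack".
        if not path:
            continue  # "" is the root project entry, not a dependency
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        if name in AFFECTED_PACKAGES and version in AFFECTED_VERSIONS:
            hits.append((name, version))

    _walk_v1(lock.get("dependencies", {}), hits)
    return sorted(set(hits))


# Constructed sample lockfiles (not taken from any real project).
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        # plain "react" is not one of the listed server-dom packages, so it is not flagged
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        # nested install at a version outside the listed range: not flagged
        "node_modules/next/node_modules/react-server-dom-turbopack": {"version": "18.3.1"},
    },
})

SAMPLE_LOCK_V1 = json.dumps({
    "name": "legacy-app",
    "lockfileVersion": 1,
    "dependencies": {
        "some-framework": {
            "version": "5.0.0",
            "dependencies": {
                "react-server-dom-parcel": {"version": "19.1.1"},
            },
        },
    },
})


if __name__ == "__main__":
    for label, text in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
        print(label, find_affected(text) or "no affected packages found")
```

In practice, run `find_affected` over each service's lockfile in CI and treat any non-empty result as a finding to remediate; the scanner check on this page confirms exploitability at runtime, while this audit catches the affected dependency before deployment.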
## Configuration

### Example

Example configuration:

### Reference

#### assets_allowed

Type: `List[AssetType]`*

List of assets that this check will cover.

#### skip

Type: `boolean`

Skip the test if true.