
Access Control: React2Shell CVE-2025-55182 - Javascript RCE

Identifier: react2shell_2

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner

Description

React Server Components 19.0.0, 19.1.0, 19.1.1, and 19.2.0, including react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack, contain a remote code execution vulnerability caused by unsafe deserialization of payloads sent in HTTP requests to Server Function endpoints. The flaw lets unauthenticated attackers execute arbitrary code remotely; exploitation requires no authentication. If this issue is raised, it means that we were able to execute arbitrary JavaScript code.
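As an added example (not the scanner's own code), the following script flags installs of the React Server Components packages and versions named in the description when reviewing a project's package-lock.json; the sample lockfile is constructed for the demonstration.

```python
"""Flag package-lock.json entries for the React Server Components packages
and versions named in the check description (added example, not scanner code)."""
import json

# Affected packages and versions exactly as stated in the description above.
AFFECTED_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-turbopack",
    "react-server-dom-parcel",
}
AFFECTED_VERSIONS = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}


def find_affected(lockfile: dict) -> list[tuple[str, str]]:
    """Return (install path, version) pairs for affected packages in a
    package-lock.json of lockfileVersion 2 or 3, which list installs under
    the "packages" map keyed by their node_modules path."""
    hits = []
    for path, meta in lockfile.get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry, not a dependency
        # Nested installs look like node_modules/a/node_modules/b; scoped
        # packages keep their @scope/ prefix after the last node_modules/.
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        if name in AFFECTED_PACKAGES and version in AFFECTED_VERSIONS:
            hits.append((path, version))
    return hits


# Constructed sample lockfile: one clean package, one out-of-range nested
# install, and two affected installs.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "app", "version": "1.0.0"},
    "node_modules/react": {"version": "19.1.1"},
    "node_modules/react-server-dom-webpack": {"version": "19.1.1"},
    "node_modules/some-lib/node_modules/react-server-dom-parcel": {"version": "18.3.1"},
    "node_modules/react-server-dom-turbopack": {"version": "19.2.0"}
  }
}""")

if __name__ == "__main__":
    for path, version in find_affected(SAMPLE_LOCK):
        print(f"affected: {path}@{version}")
```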

Reference:

Configuration

Example

Example configuration:

---
security_tests:
  react2shell_2:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.