Access Control: React2Shell CVE-2025-55182 - JavaScript RCE¶
Identifier:
react2shell_2
Scanner(s) Support¶
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description¶
React Server Components 19.0.0-19.2.0 contain a remote code execution vulnerability caused by unsafe deserialization of payloads from HTTP requests to Server Function endpoints, allowing unauthenticated attackers to execute arbitrary JavaScript code.
How we test: We test for unsafe deserialization vulnerabilities in React Server Components by sending malicious payloads to Server Function endpoints and analyzing responses to detect if arbitrary JavaScript code can be executed.
Reference:
- https://github.com/assetnote/react2shell-scanner
- https://gist.github.com/maple3142/48bc9393f45e068cf8c90ab865c0f5f3
- https://www.facebook.com/security/advisories/cve-2025-55182
- http://www.openwall.com/lists/oss-security/2025/12/03/4
- https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp
- https://vercel.com/changelog/cve-2025-55182
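As an added defender-side example, not part of this page or the scanner's own code, the following Python check walks an npm lockfile and flags React Server Components runtime packages whose version falls inside the affected 19.0.0-19.2.0 range stated above. The react-server-dom-* package names and the lockfile layout (v2/v3 "packages" map) are assumptions, and the lockfile content is constructed for the demonstration.

```python
import json
import re

# Inclusive affected range stated on this page: React Server Components 19.0.0-19.2.0.
AFFECTED_MIN, AFFECTED_MAX = (19, 0, 0), (19, 2, 0)
# Assumption: the RSC runtime is installed as react-server-dom-<bundler> packages.
RSC_PACKAGE_PREFIX = "react-server-dom-"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """Return (major, minor, patch) or None; pre-release/build suffixes are ignored."""
    m = _VERSION_RE.match(version.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def is_affected(version):
    """True when the version lies inside the inclusive 19.0.0..19.2.0 range."""
    parsed = parse_version(version)
    return parsed is not None and AFFECTED_MIN <= parsed <= AFFECTED_MAX


def find_affected_rsc_packages(lockfile_text):
    """Walk an npm lockfile (v2/v3 'packages' map) and return sorted
    (install_path, version) pairs for RSC packages in the affected range.
    Nested copies such as node_modules/next/node_modules/... are included."""
    lock = json.loads(lockfile_text)
    hits = []
    for install_path, meta in lock.get("packages", {}).items():
        name = install_path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        if name.startswith(RSC_PACKAGE_PREFIX) and is_affected(version):
            hits.append((install_path, version))
    return sorted(hits)


# Constructed sample lockfile for demonstration, not taken from a real project.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/next/node_modules/react-server-dom-turbopack": {"version": "19.1.0"},
        "node_modules/react-server-dom-parcel": {"version": "19.2.1"},
    },
})

if __name__ == "__main__":
    for path, ver in find_affected_rsc_packages(SAMPLE_LOCK):
        print(f"affected: {path}@{ver}")
```

Run it against a real package-lock.json to triage which deployments still ship an affected runtime; nested copies under a framework's own node_modules are the ones most often missed by a top-level dependency check.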
Configuration¶
Example¶
Example configuration:
Reference¶
skip¶
Type: boolean
Skip the test if true.