React2Shell: In-the-Wild Exploitation Expected for Critical React Vulnerability
by Eduard Kovacs
This page contains highlights I saved while reading React2Shell: In-the-Wild Exploitation Expected for Critical React Vulnerability by Eduard Kovacs. These quotes were collected using Readwise.
Highlights
Justin Moore, senior manager of threat intel research at Palo Alto Networks’ Unit 42, described the vulnerability as a “master key exploit, succeeding not by crashing the system, but by abusing its trust in incoming data structures”.
even if their application does not implement any React Server Function endpoints, it could still be vulnerable if React Server Components (RSC) are supported.
However, less than 24 hours after disclosure, at least one proof-of-concept (PoC) exploit has been developed and the vulnerability has been added to scanners.
an advisory published on Wednesday, React developers informed users about the availability of patches for CVE-2025-55182, an unauthenticated remote code execution vulnerability that has been assigned a CVSS score of 10.