
Critical Vulnerability React2Shell (CVE-2025-55182) Allows Unauthenticated Remote Code Execution
Tags: Cybersecurity, Vulnerability, React, Next.js, Remote Code Execution, Deserialization, CVE-2025-55182, React2Shell, Supply Chain, Malware
The vulnerability CVE-2025-55182, known as React2Shell, allows unauthenticated remote code execution through the deserialization mechanism of the Flight protocol in React Server Components. This critical flaw was publicly disclosed on December 3, 2025. Exploiting it lets an attacker execute arbitrary code on the server, with consequences such as exfiltration of secrets, installation of malicious software, and supply chain compromise. The root cause is the deserialization of client-provided data without adequate validation, which lets client-controlled references reach function constructors and lead to execution of attacker-supplied code. To protect against this, update React and Next.js to the patched versions.
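To illustrate the bug class the paragraph describes (client-supplied references resolved on server objects without validation, reaching a function constructor through the prototype chain), here is an added toy model in JavaScript. It is not React's or Next.js's code and does not reproduce the Flight protocol; `serverModule`, `resolveUnsafe`, `makeRegistry` and `resolveSafe` are constructed for this illustration, and the hardened resolver shows the allowlist-plus-own-property check a defender would expect in its place.

```javascript
// Added toy model of the vulnerability class (not React's implementation).
// Constructed sample "server module" exposing one server-side function.
const serverModule = {
  greet: (name) => `hello ${name}`,
};

// Unsafe pattern: a deserializer that follows every dotted segment of a
// client-supplied reference with plain property lookup. Because lookups also
// see inherited properties, "greet.constructor" resolves to the global
// Function constructor instead of staying inside the intended exports.
function resolveUnsafe(root, path) {
  return path.split(".").reduce((obj, key) => obj[key], root);
}

// Hardened pattern: only explicitly registered functions are reachable, the
// registry has a null prototype (nothing inherited), path walking is refused,
// and known prototype-escape names are rejected outright.
const DANGEROUS = new Set(["constructor", "__proto__", "prototype"]);

function makeRegistry(exports) {
  const registry = Object.create(null);
  for (const [name, fn] of Object.entries(exports)) {
    if (typeof fn === "function" && !DANGEROUS.has(name)) registry[name] = fn;
  }
  return registry;
}

function resolveSafe(registry, ref) {
  if (typeof ref !== "string" || ref.includes(".")) return null; // no traversal
  if (DANGEROUS.has(ref)) return null;
  // Own-property check: an inherited or missing name never resolves.
  return Object.prototype.hasOwnProperty.call(registry, ref) ? registry[ref] : null;
}
```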