This repository contains a critical remote code execution (RCE) vulnerability (CVE-2025-55182, CVSS 10.0) affecting React Server Components. The vulnerability was disclosed on December 3, 2025, and is actively being exploited in the wild.
Vulnerability Details
CVE ID: CVE-2025-55182 (also known as React2Shell)
Severity: Critical (CVSS 10.0)
Type: Unauthenticated Remote Code Execution
Disclosure Date: December 3, 2025
Exploitation Status: Active exploitation confirmed since December 5, 2025
Affected Components
Based on Trivy scan results and code review, this repository's package.json (sourced from livekit-examples/agent-starter-embed) pulls in vulnerable versions of the following packages:
React Server Components (versions 19.0.0, 19.1.0-19.1.1, 19.2.0)
Next.js 15.x, 16.x (versions prior to patched releases)
Next.js 14.3.0-canary.77 and later canary releases with App Router
Impact
This vulnerability allows attackers to:
Execute arbitrary code on the server through a single malicious HTTP request
Exploit default configurations without any code changes by developers
Gain unauthorized remote code execution (RCE) on affected application servers
Confirmed Attack: Our production environment was compromised on December 4, 2025 (one day after disclosure), which correlates with the timeline of widespread exploitation reported by security researchers.
Evidence
Trivy vulnerability scan confirms presence of CVE-2025-55182 (see attached trivy-report.json)
Slack messages confirm attack occurred on December 4, 2025
Code dependencies traced to potentially vulnerable upstream repository
Required Actions
Immediate Remediation
Update to patched versions:
For React packages:
```json
{
  "react": "^19.0.1",
  "react-dom": "^19.0.1",
  "react-server-dom-webpack": "^19.0.1"
}
```
Any of the patched release lines is acceptable: 19.0.1, 19.1.2, or 19.2.1 (JSON does not permit inline comments, so pick the line that matches the minor version you are already on).
For Next.js:
Next.js 15.x → Update to latest patched 15.x
Next.js 16.x → Update to 16.0.7 or higher
Next.js 14 canary → Replace with stable patched version
Verification Steps
Run dependency audit:
```bash
npm audit
# or
yarn audit
```
Scan with Trivy:
```bash
trivy fs . --severity CRITICAL
```
Update package.json and regenerate lockfiles:
```bash
npm update
npm install
```
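As an added check (example code, not part of this report or the upstream project), the following Node.js script classifies package-lock.json entries against the version ranges listed above. The lockfile content is constructed sample data; Next.js 15.x entries are only flagged for review because this report does not enumerate the patched 15.x releases.

```javascript
// Added example, not code from the original report: classify lockfile entries
// against the CVE-2025-55182 version ranges listed above (sample data is constructed).
const REACT_PKGS = new Set(["react", "react-dom", "react-server-dom-webpack"]);
const REACT_VULN = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]); // fixed: 19.0.1/19.1.2/19.2.1

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; returns null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: m[4] || null } : null;
}
const cmp = (a, b) => a.nums.map((n, i) => n - b.nums[i]).find((d) => d !== 0) || 0;

// "vulnerable" = inside a range the report lists; "review" = check the vendor advisory
// (15.x patched versions are not enumerated in the report); "ok" = not listed.
function classify(name, version) {
  const v = parseVersion(version);
  if (!v) return "review";
  if (REACT_PKGS.has(name)) return REACT_VULN.has(version) ? "vulnerable" : "ok";
  if (name !== "next") return "ok";
  const major = v.nums[0];
  if (major === 16) return cmp(v, parseVersion("16.0.7")) < 0 ? "vulnerable" : "ok";
  if (major === 15) return "review";
  // 14.3.0-canary.77 and later canaries are affected; stable 14.x is not listed.
  if (major === 14 && v.pre && v.pre.startsWith("canary.") && cmp(v, parseVersion("14.3.0")) === 0) {
    return Number(v.pre.slice("canary.".length)) >= 77 ? "vulnerable" : "ok";
  }
  return "ok";
}

// Walk a lockfileVersion 2/3 "packages" map: keys look like "node_modules/react" or
// nested "node_modules/a/node_modules/react"; "" is the root project and is skipped.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i < 0) continue;
    const name = path.slice(i + "node_modules/".length);
    const status = classify(name, info.version);
    if (status !== "ok") findings.push({ name, version: info.version, status });
  }
  return findings;
}

// Constructed sample lockfile fragment mirroring a pre-patch install.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "sample-app", version: "0.1.0" },
  "node_modules/next": { version: "16.0.1" },
  "node_modules/react": { version: "19.2.0" },
  "node_modules/react-dom": { version: "19.2.0" },
  "node_modules/react-server-dom-webpack": { version: "19.2.0" },
} };
console.log(scanLockfile(SAMPLE_LOCK)); // 4 findings, all "vulnerable"
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.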
References
React Security Advisory
Next.js Security Update
AWS Security Bulletin AWS-2025-030
Microsoft Security Blog Analysis
Wiz Research: React2Shell Technical Analysis
Additional Context
This issue affects the upstream repository at https://github.com/livekit-examples/agent-starter-embed which may also require patching. Consider opening an issue there as well if not already addressed.
Priority
Critical - This vulnerability has a CVSS score of 10.0 and is being actively exploited. Immediate patching is required to prevent further compromise.
Prepared using Claude Sonnet 4.5