




















*Updated on December 15, 2025: Zscaler ThreatLabz updated this advisory because the original fix for CVE-2025-55182 was incomplete. While versions 19.0.1, 19.1.2, and 19.2.1 were originally considered safe, versions 19.0.2, 19.1.3, and 19.2.2 remain vulnerable. Additionally, two new vulnerabilities were disclosed that also require patching: CVE-2025-55184 and CVE-2025-55183. Please refer to the updated patched versions listed in the table below.
On December 3, 2025, Meta and Vercel disclosed CVE-2025-55182, a critical vulnerability in React Server Components (RSC) with the maximum CVSS score of 10.0. This flaw allows unauthenticated remote code execution (RCE) on impacted servers. Dubbed React2Shell, this vulnerability exploits the Flight protocol used in RSC and can be triggered by a malicious HTTP POST request. Even applications with default React configurations are impacted.
Since this disclosure, over 4,100 exploitation attempts have been observed within the first two hours, including attacks by a China-based threat actor. Zscaler ThreatLabz recommends treating CVE-2025-55182 as a priority to prevent potential exploitation. Zscaler customers using Zscaler Deception technology had observed exploitation attempts within their perimeter-facing decoy applications, which enabled them to take immediate and proactive measures to mitigate this threat.
ANALYST NOTE: Initially, a second vulnerability (CVE-2025-66478) was assigned to Next.js, but it has since been rejected as a CVE due to being a duplicate of CVE-2025-55182 upon further review.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。