
How to Find CVE-2025-55182 (React2Shell) with Kiuwan


In late 2025, a critical remote code execution vulnerability—CVE-2025-55182, widely dubbed React2Shell—was disclosed in React Server Components (RSC) and ecosystems that bundle them (e.g., React 19.x and Next.js frameworks). This flaw allows unauthenticated attackers to execute arbitrary code on server-side environments via crafted HTTP payloads. It carries a maximum severity rating (CVSS 10.0) and is under active exploitation in the wild. (Carnegie Mellon University)

The root cause is unsafe deserialization in the RSC “Flight” protocol—a core mechanism for how client requests are processed server-side. Attackers can weaponize this flaw with a single HTTP request, and default deployments are exposed without special configuration. (Microsoft)

For security teams and application owners, understanding and mitigating CVE-2025-55182 is now imperative. Kiuwan’s static analysis and dependency insight capabilities can help you find, prioritize, and remediate exposure across your codebases and supply chain.


1. What CVE-2025-55182 Means for Your Business

The vulnerability’s implications are serious—even if your team isn’t deep into security:

  • Server takeover risk: An attacker can achieve full server-side execution on affected systems without authentication. (Dataminr)
  • Wide impact surface: This isn’t limited to direct React use—many frameworks (e.g., Next.js App Router) bundle vulnerable RSC packages, meaning transitive dependencies matter. (Orca Security)
  • Default configuration exposure: Most standard app templates expose the vulnerable payload handler without extra configuration. (Vanta)
  • Urgency: Exploits and scanning tools are publicly available, with active scanning and malicious payloads seen within hours of disclosure. (Google Cloud)

From a business risk perspective, failure to detect and remediate this issue can lead to data breaches, system compromise, downtime, and reputational damage. Prioritization and visibility will differentiate secure software leaders from reactive responders.


2. How Kiuwan Helps You Detect CVE-2025-55182 Exposure

Kiuwan operates at two complementary levels:

A. Codebase & Static Analysis

Kiuwan inspects JavaScript and TypeScript code to uncover:

  • Direct use of vulnerable react-server-dom-* packages
  • Server Function endpoints that may deserialize untrusted inputs
  • Patterns indicating unsafe handling of serialized data

These checks help you shift left—surfacing risk in source before deployment.

Action Steps with Kiuwan:

  1. Ensure your Kiuwan profiles include JavaScript/Node.js analysis.
  2. Run scans on all repositories that might include React Server Components.
  3. Review findings for any server-side entry points that accept external payloads.
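One way to build the inventory that step 3 asks for, as an added example that is not Kiuwan's code and not part of the original post: React marks Server Functions with the "use server" directive, either at the top of a module (every export becomes a client-callable entry point) or as the first statement of a function body. The helper below is a text-based heuristic that lists both forms so a reviewer knows which functions accept payloads from the client. The sample sources, file names and the `db` calls in them are constructed for the example; a real review would run this over a repository checkout and would follow it with a proper parser for edge cases the regexes miss.

```javascript
// Added example (not Kiuwan's code): inventory React Server Function entry points
// from source text. Heuristic regex scan, not a full JavaScript parser; it reports
// module-level "use server" exports and inline "use server" function bodies.

const LEADING_TRIVIA = /^(?:\s|\/\/[^\n]*\n|\/\*[\s\S]*?\*\/)*/;   // whitespace + comments before the first statement
const USE_SERVER_AT_START = /^(['"])use server\1/;                 // module-level directive
const EXPORTED_FN = /export\s+(?:default\s+)?(?:async\s+)?function\s+([A-Za-z_$][\w$]*)/g;
const EXPORTED_CONST = /export\s+(?:const|let|var)\s+([A-Za-z_$][\w$]*)/g;
// Function declaration or arrow function whose body opens with the directive.
const INLINE_FN = /(?:async\s+)?function\s+([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*\{\s*(['"])use server\2/g;
const INLINE_ARROW = /(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(?:async\s*)?\([^)]*\)\s*=>\s*\{\s*(['"])use server\2/g;

function matchAll(re, text) {
  return [...text.matchAll(re)].map((m) => m[1]);
}

// files: { "path/to/file.js": "<source text>", ... }
// Returns one finding per client-callable function: { file, name, kind }.
function findServerFunctions(files) {
  const findings = [];
  for (const [file, source] of Object.entries(files)) {
    const body = source.replace(LEADING_TRIVIA, "");
    if (USE_SERVER_AT_START.test(body)) {
      // Whole module is a server-function module: every export is an entry point.
      for (const name of [...matchAll(EXPORTED_FN, source), ...matchAll(EXPORTED_CONST, source)]) {
        findings.push({ file, name, kind: "module-level" });
      }
      continue;
    }
    for (const name of [...matchAll(INLINE_FN, source), ...matchAll(INLINE_ARROW, source)]) {
      findings.push({ file, name, kind: "inline" });
    }
  }
  return findings;
}

// Constructed sample sources (hypothetical paths; `db` is a placeholder data layer).
const SAMPLE_FILES = {
  "app/actions.js": `"use server";

export async function updateProfile(formData) {
  return db.users.update(formData.get("id"), formData);
}
export async function deleteAccount(id) {
  return db.users.delete(id);
}
`,
  "app/profile/form.jsx": `"use client";
import { useState } from "react";

export default function ProfileForm() {
  async function saveProfile(formData) {
    "use server";
    await db.users.update(formData.get("id"), formData);
  }
  return <form action={saveProfile} />;
}
`,
  "app/feedback/page.jsx": `export default function FeedbackPage() {
  const submitFeedback = async (formData) => {
    "use server";
    await db.feedback.insert(formData.get("text"));
  };
  return <form action={submitFeedback} />;
}
`,
  "components/button.jsx": `"use client";
export function Button(props) { return <button {...props} />; }
`,
};

console.log(JSON.stringify(findServerFunctions(SAMPLE_FILES), null, 2));
```

Each finding is a place where client-supplied data reaches server-side code; those are the entry points to cross-check against the Kiuwan findings and to keep patched or restricted.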

B. Dependency & Supply Chain Analysis

A key challenge with CVE-2025-55182 is its transitive nature—many teams don’t explicitly depend on React Server Components, yet frameworks they use do. Kiuwan’s dependency insights help you identify:

  • Presence of vulnerable packages via package managers (package.json, lock files)
  • Out-of-date versions of react-server-dom or bundled frameworks like Next.js

What to look for:

  • Versions of react-server-dom-parcel, react-server-dom-webpack, react-server-dom-turbopack in the range 19.0.0 – 19.2.0. (Carnegie Mellon University)
  • Next.js and other frameworks bundling those packages.
  • Transitive inclusion via plugins and build tools.

Action Steps:

  1. Configure Kiuwan to ingest and parse JavaScript dependency manifests.
  2. Analyze dependency graphs across all microservices and libraries.
  3. Flag and list every project that includes a vulnerable version of an affected package.
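The lock-file check behind "What to look for" and action steps 1 to 3, as an added example that is not Kiuwan's code and not part of the original post. It walks the `packages` map of a `package-lock.json` (lockfile version 2 or 3), where each key is the install path of one package, so a copy nested under another package's `node_modules` directory is a transitive inclusion and the path tells you which dependency brought it in. Version classification uses the fixed versions the text lists (19.0.1, 19.1.2, 19.2.1); the assumption that later 19.x minor lines ship fixed, the treatment of pre-release builds as "review", and the sample lock file with its package names and versions are constructed for the example.

```javascript
// Added example (not Kiuwan's code): audit a package-lock.json for affected
// react-server-dom-* builds, including transitive copies nested under other packages.

const AFFECTED_PACKAGES = new Set([
  "react-server-dom-parcel",
  "react-server-dom-webpack",
  "react-server-dom-turbopack",
]);

// First patched patch level per 19.x minor line, from the fixed versions the text
// lists (19.0.1, 19.1.2, 19.2.1). Assumption: minor lines above 19.2 ship fixed.
const FIRST_FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// "affected" | "fixed" | "review" | "not-affected" | "unknown"
function classifyVersion(v) {
  const p = parseVersion(v);
  if (!p) return "unknown";
  if (p.major !== 19) return "not-affected";
  const fixedPatch = FIRST_FIXED_PATCH[p.minor];
  if (fixedPatch === undefined) return "not-affected";
  if (p.patch < fixedPatch) return "affected";
  // A pre-release of the fixed patch level (e.g. a canary) predates the release: review by hand.
  if (p.patch === fixedPatch && p.prerelease) return "review";
  return "fixed";
}

// lock: parsed package-lock.json object. Returns one finding per installed copy
// of an affected package: { name, version, path, via, status }.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // "node_modules/a/node_modules/b" -> ["", "a", "b"]: last is the package, the rest its parents.
    const segments = path.split("node_modules/").map((s) => s.replace(/\/$/, ""));
    const name = segments[segments.length - 1];
    if (!AFFECTED_PACKAGES.has(name)) continue;
    const parents = segments.slice(1, -1);
    findings.push({
      name,
      version: entry.version,
      path,
      via: parents.length ? parents.join(" > ") : "direct dependency",
      status: classifyVersion(entry.version),
    });
  }
  return findings;
}

function affectedFindings(lock) {
  return auditLockfile(lock).filter((f) => f.status === "affected");
}

// Constructed sample lock file (package names other than react-server-dom-* and
// all version numbers are made up for the example).
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { next: "0.0.0-constructed" } },
    "node_modules/next": { version: "0.0.0-constructed" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.0" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/example-build-plugin/node_modules/react-server-dom-parcel": { version: "19.0.1" },
    "node_modules/legacy-renderer/node_modules/react-server-dom-webpack": { version: "19.2.0" },
  },
};

console.table(auditLockfile(SAMPLE_LOCK));
```

Run it against each service's lock file and fail the build when `affectedFindings` is non-empty; the `via` column shows which framework or plugin pulled in the vulnerable copy, which is the information you need to decide whether to upgrade that dependency or override the nested version.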

3. Prioritizing Findings: Risk + Business Impact

Kiuwan’s dashboards help contextualize findings by impact and exposure. For CVE-2025-55182:

  • High-Priority: Any externally-facing service using RSC or containing server functions.
  • Medium-Priority: Internal services with RSC but limited access that still bundle vulnerable packages.
  • Low-Priority: Pure front-end client-side React code with no server components (still worth validating).

Use Kiuwan’s scoring and customizable risk policies to prioritize fixes that protect customer data and externally exposed infrastructure.


4. Remediation Guidance

Once Kiuwan identifies exposure to CVE-2025-55182, steps to remediate should include:

A. Patch Dependencies

  • Upgrade to patched versions—e.g., React RSC packages at 19.0.1, 19.1.2, 19.2.1 or newer. (Canadian Centre for Cyber Security)
  • Update frameworks like Next.js to versions that bundle fixed RSC components. (Reddit)

B. Remove or Restrict Server Functions

Where possible, disable or restrict server-side endpoints that process untrusted client payloads.

C. Add Network/Runtime Controls

  • Deploy Web Application Firewall (WAF) protections (e.g., Cloudflare emergency rules). (cirt.gov.bd)
  • Limit public access to RSC endpoints until patched.

D. Continuous Monitoring

Integrate findings into CI/CD—ensure Kiuwan scans run on every branch and pull request to catch regressions.


5. Final Thoughts

CVE-2025-55182—React2Shell—stands out not only for its severity but for the ecosystem entanglement that makes blind spots common. The combination of default exposure, transitive dependencies, and real-world exploit activity underscores one truth: visibility equals resilience.

By leveraging Kiuwan’s static and dependency analysis, you gain that visibility—not just into raw vulnerabilities, but into where your business stands and how rapidly you can act to protect users and infrastructure.

Stay proactive. Stay informed. Use Kiuwan to see what others might miss.

© 2026 Kiuwan. All Rights Reserved.