Critical vulnerability in RSC (React Server Components), identified as CVE-2025-55182 and known as React2Shell.

❗️ CVSS Score: 10.0 (Critical)
⚙️ Attack Complexity: Low
🔒 Required Privileges: None
ℹ️ User Interaction: None
⚠️ Impact Level: Full system compromise possible

On November 29, Lachlan Davidson reported a security vulnerability in React that allows unauthorized remote code execution by exploiting a flaw in how payloads are decoded at React Server Function endpoints. Even if your application does not implement any React Server Function endpoints, it may still be vulnerable if it supports React Server Components.

❗️ Frameworks that package RSC include:
- Next.js (App Router + RSC)
- Vite RSC plugins
- Parcel RSC tools
- Redwood SDK
- Waku, etc.

❌ This vulnerability exists in the following versions:
- 19.0
- 19.1.0
- 19.1.1
- 19.2.0

Affected packages:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack

🛡 A fix has been provided in versions 19.0.1, 19.1.2, and 19.2.1. If you are using any of the above packages, please upgrade to one of the patched versions immediately.

📌 This patch indicates that the vulnerability is a server-side prototype pollution issue, a subset of prototype pollution applicable to server components.

💬 Sources:
📌 [React2Shell](https://react2shell.com/)
📌 [React Blog on Critical Security Vulnerability](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
📌 POC for Next.js 16.0.6
📌 Original POCs
📌 Analysis and exploitation of the vulnerability
📌 Nuclei template
📌 VulHub POCs
📌 Detection
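As an added example (not code from the advisory or from the React project), the following Node.js script audits a package-lock.json for the affected react-server-dom-* releases listed above and names the patched release to move to. The sample lockfile is constructed, and versions outside the 19.0/19.1/19.2 lines the advisory covers (canary builds, other majors) are flagged as unknown for manual review rather than judged.

```javascript
// Added example, not code from the advisory or the React project: audit a
// package-lock.json (lockfile v2/v3 "packages" map) for the react-server-dom-*
// releases the advisory lists for CVE-2025-55182 and name the patched release.
const AFFECTED = new Set(['react-server-dom-webpack', 'react-server-dom-parcel',
  'react-server-dom-turbopack']);
// First patched release per 19.x minor line, from the advisory:
// 19.0.x -> 19.0.1, 19.1.x -> 19.1.2, 19.2.x -> 19.2.1.
const FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };

// Returns 'vulnerable', 'fixed', or 'unknown' for versions the advisory does
// not cover (unparseable strings, other majors, prerelease/canary builds).
function classify(name, version) {
  if (!AFFECTED.has(name)) return 'fixed';
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(version));
  if (!m) return 'unknown';
  const [major, minor, patch] = m.slice(1).map(Number);
  if (major !== 19 || !(minor in FIXED_PATCH)) return 'unknown';
  return patch < FIXED_PATCH[minor] ? 'vulnerable' : 'fixed';
}

// Walks the lockfile "packages" map; keys look like "node_modules/<name>" or
// "node_modules/<parent>/node_modules/<name>" for nested copies.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!AFFECTED.has(name)) continue;
    const status = classify(name, entry.version);
    if (status === 'fixed') continue;
    const minor = Number(String(entry.version).split('.')[1]);
    const upgradeTo = status === 'vulnerable' ? `19.${minor}.${FIXED_PATCH[minor]}` : null;
    findings.push({ path, name, version: entry.version, status, upgradeTo });
  }
  return findings;
}

// Constructed sample lockfile (not from any real project): one vulnerable
// copy, one already patched nested copy, and one canary build the advisory
// does not list, which is reported as 'unknown' for manual review.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/next/node_modules/react-server-dom-turbopack': { version: '19.1.2' },
    'node_modules/react-server-dom-parcel': { version: '19.2.0-canary-0000' },
  },
};
console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; nested copies under other packages are checked too, since a patched top-level copy does not fix a bundled older one.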