React.js shell shocked by 10.0 critical vulnerability…

· security · Source ↗

Watch on YouTube ↗ Summary based on the YouTube transcript and episode description.

Fireship breaks down CVE-2025-55182 (React2Shell), a CVSS 10.0 remote code execution vulnerability in the Flight protocol used by React Server Components, affecting millions of apps.

  • CVE-2025-55182 lets a single unauthenticated HTTP request escalate to full shell access on a default React Server Components configuration.
  • The flaw is in the server-side deserialization of React Flight protocol payloads: a crafted payload builds object graphs that reach code paths allowing arbitrary server-side code execution.
  • The affected packages are the React Server Components bindings react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack in the 19.x line (patched in 19.0.1, 19.1.2 and 19.2.1); developers can check their exposure with the single npm command listed in the advisory.
  • Over 2 million vulnerable servers estimated; real attack traffic observed within hours of public disclosure.
  • Amazon detected attack attempts linked to Chinese hacking groups almost immediately after disclosure.
  • Compared in severity to Log4Shell (2021), which triggered millions of attacks and nearly destabilized global infrastructure.
  • Next.js is the primary blast radius because it enables React Server Components by default and is deployed at scale.
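The exposure check above can be automated against the output of `npm ls --all --json`. The script below is an added example, not code from the video or from the React project: it walks an npm dependency tree and flags any copy of the three react-server-dom packages whose version falls below the patched release on its minor line (19.0.1, 19.1.2, 19.2.1, as stated in the React advisory; the mapping in `PATCHED` is this example's own encoding of that and should be re-checked against the advisory). The sample tree is constructed for the example. Prerelease builds (for instance canary tags) are treated conservatively: a prerelease of the patched version is still reported, because it sorts before the fix.

```javascript
// Added example: find vulnerable React Server Components packages in an
// `npm ls --all --json` tree. Not part of the video or the React project.

const AFFECTED_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];

// First patched patch level per 19.x minor line, per the React advisory.
// (Assumption of this example; verify against the advisory.)
const PATCHED = { "19.0": 1, "19.1": 2, "19.2": 1 };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v || "");
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: !!m[4] };
}

// True when `version` is in the affected range for one of the RSC packages.
function isVulnerableVersion(version) {
  const p = parseVersion(version);
  if (!p || p.major !== 19) return false; // only the 19.x line shipped the affected code
  const fix = PATCHED[`${p.major}.${p.minor}`];
  if (fix === undefined) return false; // minor line not covered by the advisory
  // A prerelease of the patched version (e.g. 19.0.1-canary-...) predates the fix.
  return p.prerelease ? p.patch <= fix : p.patch < fix;
}

// Walk the nested `dependencies` objects that `npm ls --all --json` emits and
// report every vulnerable copy, including transitive ones, with its path.
function findVulnerable(tree) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${info.version}`];
      if (AFFECTED_PACKAGES.includes(name) && isVulnerableVersion(info.version)) {
        hits.push({ name, version: info.version, path: here.join(" > ") });
      }
      walk(info.dependencies, here);
    }
  };
  walk(tree.dependencies, []);
  return hits;
}

// Constructed sample: one transitive vulnerable copy, one patched direct copy.
const SAMPLE_TREE = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    react: { version: "19.0.0" },
    "some-rsc-framework": {
      version: "2.1.0",
      dependencies: { "react-server-dom-webpack": { version: "19.0.0" } },
    },
    "react-server-dom-turbopack": { version: "19.2.1" },
  },
};

console.log(findVulnerable(SAMPLE_TREE));
// -> [ { name: 'react-server-dom-webpack', version: '19.0.0',
//        path: 'some-rsc-framework@2.1.0 > react-server-dom-webpack@19.0.0' } ]
```

To run it on a real project, feed it `JSON.parse` of the `npm ls --all --json` output instead of `SAMPLE_TREE`. One caveat for the Next.js case the video singles out: Next.js ships its own compiled copies of React and the react-server-dom packages inside the `next` package, so they do not appear as separate entries in `npm ls`; for a Next.js app the check is the installed `next` version against the patched releases listed in the Next.js advisory, not this tree walk.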

2025-12-09 · Watch on YouTube