Researcher Discovers Critical React2Shell RCE Vulnerability (CVE-2025-55182) Affecting Millions of Websites
By mufeedvh
23d ago · 18 min read
Summary
A security researcher recounts discovering a critical remote code execution vulnerability (CVE-2025-55182, dubbed "React2Shell") in the React JavaScript library. The vulnerability was reported to Meta on November 30, 2025, and Meta released a fix and public advisory on December 3, 2025. The researcher initially set out to understand a protocol in order to get better at hacking modern web applications, but unexpectedly uncovered a critical flaw affecting millions of websites. The post details the discovery process, the vulnerability's impact, and the subsequent fix.
Key quotes
On November 30th 2025, I reported a critical remote code execution vulnerability ("React2Shell") to Meta.
On December 3rd, Meta released a fix and public advisory (CVE-2025-55182), urging developers to immediately update.
Funnily enough, I didn't set out to find a vulnerability in React. I just wanted to understand a protocol so I could be better at hacking modern web applications.
But instead, I fell down a rabbit hole to a critical vulnerability that affected millions of websites.
The story of CVE-2025-55182 (React2Shell)
