Bigrock Status Page

Security Advisory: VPS/DEDI Linux - CVE-2025-55182 (React2Shell) – Critical RCE Vulnerability

Posted on 9th December, 2025

Overview

CVE-2025-55182, also known as React2Shell, is a critical Remote Code Execution (RCE) vulnerability disclosed on December 3, 2025. This vulnerability affects React Server Components used within certain Next.js deployments and can allow attackers to execute arbitrary code on the server.

Affected versions

React:

  • Versions 19.0 and above

Next.js:

  • Versions 15.x
  • Versions 16.x
  • Versions 14.3.0-canary.77 and later canary releases (when using App Router)
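
As an added example (not part of the advisory), the shell script below inventories the react and next packages installed under a directory and compares each version with the list above. It assumes packages are installed as node_modules/<name>/package.json in npm's usual one-key-per-line layout; the advisory does not list fixed versions, so an "affected" result on a recent release still needs checking against the vendor's patched versions.

```shell
#!/bin/sh
# Added example (not from the advisory): list installed React / Next.js
# versions under a directory and compare them with "Affected versions" above.
# Usage: sh check_versions.sh /var/www   (script name and path are placeholders)

# "affected" when the React major version is 19 or higher, per the list above.
classify_react() (
  major=${1%%.*}
  case $major in ''|*[!0-9]*) echo unknown; exit 0 ;; esac
  if [ "$major" -ge 19 ]; then echo affected; else echo not-listed; fi
)

# "affected" for Next.js 15.x, 16.x and 14.3.0-canary.77 or a later canary.
classify_next() (
  case $1 in
    15.*|16.*) echo affected ;;
    14.3.0-canary.*)
      n=${1#14.3.0-canary.}
      case $n in ''|*[!0-9]*) echo unknown; exit 0 ;; esac
      if [ "$n" -ge 77 ]; then echo affected; else echo not-listed; fi ;;
    '') echo unknown ;;
    *) echo not-listed ;;
  esac
)

# First "version" field of a package.json (assumes npm's one-key-per-line layout).
pkg_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print "status<TAB>version<TAB>path" for every installed react / next package.
scan_tree() {
  find "$1" -type f \( -path '*/node_modules/react/package.json' \
      -o -path '*/node_modules/next/package.json' \) 2>/dev/null |
  while IFS= read -r f; do
    v=$(pkg_version "$f")
    case $f in
      */react/package.json) s=$(classify_react "$v") ;;
      *) s=$(classify_next "$v") ;;
    esac
    printf '%s\t%s\t%s\n' "$s" "$v" "$f"
  done
}

if [ "$#" -gt 0 ]; then scan_tree "$1"; fi
```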

Impact

Exploitation of this vulnerability may allow attackers to gain unauthorized control of the server, execute arbitrary commands, deploy malware, or compromise sensitive application data.

How to Check if Your Server Is Infected by CVE-2025-55182 (React2Shell)?

  1. Look for suspicious .js, .mjs, .tsx, or .jsx files that were not uploaded by you and are not used by your applications, and remove them.

Command: find / -type f -name "*.js" -exec grep -iH "child_process" {} \;

Note: This command may take a long time, depending on the server's disk usage. Many legitimate packages also reference child_process, so review each match before removing a file.

  2. Check for unusual or suspicious processes and kill them.

Command: ps aux | grep node (or use top)

  3. Audit the network connections and block suspicious IP addresses.

Command: netstat -plan

  4. Look for suspicious POST requests in the domain log or application log.

  5. Scan your server using an application such as Maldet.

Mitigation Steps

Scenario 1: Server is infected with malware

If your server shows signs of compromise:

  • Rebuild the server
  • Upgrade React and Next.js to the latest patched versions with the assistance of your server administrator or web developer.
  • Restore the site contents from a clean backup
  • After restoration, perform the following security steps:
    • Change the root password and passwords for all related applications.
    • Perform a full server scan to ensure there are no malicious files or processes.

Scenario 2: Server is not infected with malware

If no compromise is detected:

  • Upgrade React and Next.js to the latest patched versions with the assistance of your server administrator or web developer.
  • Change the root password and passwords for all associated applications.
  • Conduct a thorough scan to confirm that no malicious content or processes are present.

If you have any questions, please feel free to contact our Support Team.