DIVD-2025-00042 - React2shell vulnerability
| Our reference | DIVD-2025-00042 |
| Case lead | Victor Pasman |
| Researcher(s) | |
| CVE(s) | |
| Products | |
| Versions | React Advisory |
| Recommendation | Apply the patches released by React as described in the official advisory. If patching is not possible immediately, restrict or disable access until mitigations can be applied. |
| Patch status | Available |
| Workaround | If patching is not immediately possible, consider disabling functionality or limiting access to trusted networks only. |
| Status | Open |
| Last modified | 11 Dec 2025 17:11 CET |
Summary
CVE-2025-55182 is a newly disclosed vulnerability in React with a CVSS score of 10 that exposes affected systems to the risk of unauthorized access and potential compromise. DIVD initiated case DIVD-2025-00042 four days ago to investigate the scope and severity of the issue, identify affected systems, alert impacted organizations, and provide remediation guidance.
Based on available information:
- Impact: High — may allow remote attackers to gain unauthorized access, execute code, or extract sensitive data.
- Attack Vector: Remote
- Affected Systems: Multiple systems detected during scanning; vendors vary depending on deployment context.
- Ease of Exploitation: Unknown; investigation ongoing.
What you can do
DIVD recommends the following actions for all affected or potentially affected organizations:
- Apply vendor patches immediately once available.
- Disable exposed services if patching is not immediately possible.
- Implement network restrictions to limit remote access to vulnerable components.
- Monitor logs and systems for signs of exploitation attempts.
- Follow vendor advisories as additional details emerge.
What we are doing
We are scanning for React instances exposed to the internet that may be vulnerable to these flaws. We will notify affected parties so they can take appropriate action.
Timeline
| Date | Description |
|---|---|
| 08 Dec 2025 | Case started by DIVD CSIRT. |
| 08 Dec 2025 | DIVD CSIRT started scanning. |
| 11 Dec 2025 | First batch of notifications is being sent. |