Critical Remote Code Execution vulnerability scanner and automated patcher for React Server Components
Author: Processware
License: MIT
Version: 2.0.0
CVE: CVE-2025-55182 (CVSS 10.0 - CRITICAL)
CVE-2025-55182 is an unauthenticated remote code execution (RCE) vulnerability in React Server Components with a CVSS score of 10.0 (maximum severity).
- ✅ Actively exploited in the wild by China-nexus threat groups
- ✅ Added to CISA Known Exploited Vulnerabilities catalog (Dec 5, 2025)
- ✅ No authentication required - attackers can exploit remotely
- ✅ Full system compromise possible through malicious HTTP requests
- React 19.0.0 → Update to 19.0.1
- React 19.1.0 → Update to 19.1.2
- React 19.1.1 → Update to 19.1.2
- React 19.2.0 → Update to 19.2.1
If you're running any of these versions, patch immediately.
USE THIS SCRIPT AT YOUR OWN RISK
The authors of this script are NOT responsible for:
- Data loss or corruption
- Broken dependencies or build failures
- Unexpected behavior in your projects
- Any damage caused by running this script
Before using this script:
- ✅ Backup all your project files - This is mandatory
- ✅ Test in a non-production environment first
- ✅ Review the script code - Understand what it does
- ✅ Have a rollback plan - Know how to revert changes
This script modifies your package.json files. Mistakes can break your projects.
CVE-2025-55182 allows attackers to execute arbitrary code on servers running vulnerable React versions. The vulnerability exists in React Server Components' payload deserialization logic.
Even if your app doesn't implement React Server Function endpoints, it may still be vulnerable if it uses React Server Components.
This scanner helps you:
- ✅ Detect vulnerable React installations system-wide
- ✅ Automatically update to patched versions
- ✅ Protect Docker containers, system services, and user projects
- ✅ Prevent exploitation of CVE-2025-55182
This scanner needs system-wide access to find all vulnerable React installations, including:
Linux/macOS:
- Docker containers: `/var/lib/docker/` - Containerized applications
- System services: `/opt/`, `/srv/` - Production deployments
- Application directories: `/usr/local/` - System-wide installations
- Root projects: `/root/` - Admin-owned projects
- User directories: `/home/` - All user accounts
Windows:
- Program Files: `C:\Program Files\`, `C:\Program Files (x86)\`
- User directories: `C:\Users\`
- Application data: `C:\ProgramData\`
Without elevated privileges, the scanner can only check your personal home directory, potentially missing critical vulnerable installations in production environments.
```bash
git clone https://github.com/me-processware/check-react.git
cd check-react
```
Download the script for your platform:
- Windows: `check_react.ps1`
- macOS/Linux: `check_react.sh`
- Node.js: `check_react.js`
Linux/macOS:
```bash
# Make script executable
chmod +x check_react.sh
# Run with sudo for full system scan
sudo ./check_react.sh
# See what would be updated without making changes (no sudo needed)
./check_react.sh --dry-run
./check_react.sh --help
```
Windows:
```powershell
# Run PowerShell as Administrator, then:
.\check_react.ps1
# No admin privileges needed for dry-run
.\check_react.ps1 -DryRun
.\check_react.ps1 -Help
```
Note: If you get an execution policy error:
```powershell
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
```
Node.js:
```bash
# Linux/macOS
sudo node check_react.js
# Windows (run PowerShell as Administrator)
node check_react.js
# No sudo/admin needed for dry-run
node check_react.js --dry-run
node check_react.js --help
```
- System-wide scanning - Finds vulnerable React installations everywhere
- CVE-2025-55182 detection - Specifically checks for this critical vulnerability
- Automatic updates - Patches to safe versions with user confirmation
- Backup creation - Saves `package.json` before making changes
- Dry-run mode - Preview changes without modifying anything
- Multiple package managers - Supports npm and yarn
- Input validation - Prevents command injection attacks
- Detailed reporting - Shows exactly what was found and updated
- Does NOT modify system files
- Does NOT install additional dependencies
- Does NOT change other packages (only React and React-DOM)
- Does NOT work offline (requires npm registry access)
- Does NOT guarantee 100% protection (always review security logs)
- Verifies sudo/admin privileges for system-wide scan
- Allows dry-run mode without elevated privileges
Searches the following locations:
- Linux/macOS: `/root`, `/home`, `/var/lib/docker`, `/opt`, `/srv`, `/usr/local`
- Windows: `C:\Users`, `C:\Program Files`, `C:\Program Files (x86)`, `C:\ProgramData`
Finds all package.json files (excluding node_modules) up to 10 levels deep.
For each package.json found:
- Reads and parses the file
- Checks `dependencies.react` and `devDependencies.react`
- Compares version against CVE-2025-55182 vulnerable versions
- Reports matches with recommended patch version
For each vulnerable project:
- Displays project location and current version
- Shows CVE details and recommended update
- Asks user for confirmation (y/n)
- Only proceeds if user confirms
When user confirms:
- Creates timestamped backup of `package.json`
- Detects package manager (npm or yarn)
- Runs `npm install` or `yarn add` with patched version
- Reports success or failure
- Continues to next project
Shows final statistics:
- Total vulnerable installations found
- Total projects successfully updated
- Remaining vulnerable projects (if any)
- Recommended actions
```text
$ sudo ./check_react.sh
╔════════════════════════════════════════════════════════════╗
║ React CVE-2025-55182 Vulnerability Scanner (React2Shell) ║
╚════════════════════════════════════════════════════════════╝
⚠️ CVE-2025-55182: CRITICAL (CVSS 10.0)
Unauthenticated Remote Code Execution in React Server Components
Actively exploited in the wild - Immediate patching required
=== Scanning System for Vulnerable React Installations ===
Scanning directories:
• User home directories
• Docker containers (/var/lib/docker)
• System services (/opt, /srv)
• Application directories (/usr/local)
Scanning: /home
⚠️ VULNERABLE: React 19.0.0
📁 Location: /home/user/myapp
🔒 CVE-2025-55182: Remote Code Execution
📦 Update to: 19.0.1
Scanning: /var/lib/docker
⚠️ VULNERABLE: React 19.1.0
📁 Location: /var/lib/docker/containers/abc123/app
🔒 CVE-2025-55182: Remote Code Execution
📦 Update to: 19.1.2
═══════════════════════════════════════════════════════════
CRITICAL: 2 Vulnerable Installation(s) Found
═══════════════════════════════════════════════════════════
These installations are vulnerable to CVE-2025-55182:
• Unauthenticated Remote Code Execution
• CVSS Score: 10.0 (CRITICAL)
• Actively exploited in the wild
=== Update Vulnerable Projects ===
Project 1/2: /home/user/myapp
Update to React 19.0.1? (y/n): y
📦 Updating React to 19.0.1...
📁 In: /home/user/myapp
💾 Backup created: package.json.backup.20251211_143022
Using npm...
✅ Successfully updated!
Project 2/2: /var/lib/docker/containers/abc123/app
Update to React 19.1.2? (y/n): y
📦 Updating React to 19.1.2...
📁 In: /var/lib/docker/containers/abc123/app
💾 Backup created: package.json.backup.20251211_143045
Using npm...
✅ Successfully updated!
═══════════════════════════════════════════════════════════
SUMMARY
═══════════════════════════════════════════════════════════
⚠️ 2 vulnerable installation(s) found
✅ 2 project(s) updated
Your system is now protected against CVE-2025-55182
═══════════════════════════════════════════════════════════
```
- All version strings validated against regex: `^[\^~]?\d+\.\d+\.\d+`
- Prevents command injection attacks
- Rejects malformed version strings
- Uses `lstat()` to detect and skip symlinks
- Prevents infinite loops on circular symlinks
- Limits recursion depth to 10 levels
- Skips common directories (`node_modules`, `.git`, etc.)
- Automatically creates timestamped backups
- Format: `package.json.backup.YYYYMMDD_HHMMSS`
- Stored alongside original files
- Allows manual rollback if needed
- Preview all changes before applying
- No elevated privileges required
- Safe testing environment
- Shows exact commands that would be executed
Linux/macOS:
```bash
# Make sure you're using sudo
sudo ./check_react.sh
# Check script permissions
chmod +x check_react.sh
```
Windows:
```powershell
# Run PowerShell as Administrator
# Right-click PowerShell → "Run as Administrator"
```
Common causes:
- Outdated npm → Update: `npm install -g npm@latest`
- Network issues → Check internet connection
- Dependency conflicts → Review error messages
- Disk space → Ensure sufficient disk space
Solution:
- Run with `--dry-run` to see what would happen
- Navigate to project directory manually
- Run `npm install react@VERSION --save` directly
- Review error messages for specific issues
This is good news! It means:
- ✅ Your React versions are patched
- ✅ No CVE-2025-55182 vulnerabilities detected
- ✅ Your system is protected
If an update breaks something, restore from backup:
```bash
# List available backups
ls -la package.json.backup.*
# Restore specific backup
cp package.json.backup.20251211_143022 package.json
# Reinstall dependencies
npm install
```
Type: Unauthenticated Remote Code Execution (RCE)
CVSS Score: 10.0 (CRITICAL)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Vulnerability: Unsafe deserialization in React's Flight protocol when handling server component payloads. Attackers can craft malicious HTTP requests to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server.
Affected Packages:
`react-server-dom-webpack`, `react-server-dom-parcel`, `react-server-dom-turbopack`
Timeline:
- Nov 29, 2025: Discovered by Lachlan Davidson
- Dec 3, 2025: Publicly disclosed, patches released
- Dec 5, 2025: Added to CISA Known Exploited Vulnerabilities
- Ongoing: Active exploitation by threat actors
- Official React Advisory: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2025-55182
- CISA Alert: https://www.cisa.gov/news-events/alerts/2025/12/05/cisa-adds-one-known-exploited-vulnerability-catalog
- Wiz Research: https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
- Palo Alto Unit 42: https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478-next/
Found a bug? Have a suggestion? Please open an issue on GitHub: https://github.com/me-processware/check-react/issues
If you discover a security vulnerability in this script, please email security@processware.com instead of using the issue tracker.
- ✅ BREAKING: Now requires sudo/admin for system-wide scan
- ✅ Added CVE-2025-55182 specific detection and warnings
- ✅ System-wide scanning (Docker, services, all users)
- ✅ Dry-run mode for safe testing
- ✅ Improved output with CVE details
- ✅ Enhanced security warnings
- ✅ Better error handling and reporting
- ✅ Initial release
- ✅ Support for Windows, macOS, Linux
- ✅ JavaScript, PowerShell, and Bash versions
- ✅ Input validation and command injection prevention
- ✅ Backup creation before updates
MIT License - See LICENSE file for details
For questions or issues:
- Check the Troubleshooting section
- Review the Example Output section
- Open an issue on GitHub
- Contact: support@processware.com
This vulnerability is actively being exploited. If you find vulnerable installations:
- ✅ Patch immediately - Don't delay
- ✅ Review security logs - Check for exploitation attempts
- ✅ Isolate vulnerable systems - Until patched
- ✅ Monitor for suspicious activity - Ongoing vigilance required
The scanner is a tool, not a silver bullet. Always maintain defense-in-depth security practices.
Last Updated: December 11, 2025
Maintained by: Processware
CVE: CVE-2025-55182 (CVSS 10.0)