Attackers exploit React vulnerability

A newly disclosed critical vulnerability in React Server Components, tracked as CVE-2025-55182 and rated at the maximum CVSS score of 10.0, exposes internet-facing smart home control platforms to pre-authentication remote code execution: an attacker who can reach the server's HTTP endpoints can run code on the device management infrastructure without holding any credentials.

The flaw affects the React Server Components packages react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack at versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0, and the frameworks built on them, including Next.js. It stems from unsafe deserialization and server-side prototype pollution in the handling of React Flight protocol payloads: a specially crafted HTTP request to a server function endpoint is decoded by the framework's own server function handler, so the attacker needs no account or session on the target to execute arbitrary code on the server.

Smart home ecosystems face elevated risk because cloud dashboards, companion web applications, and administrative portals managing devices frequently leverage React and Next.js frameworks for user-facing interfaces and API backends.

React Server Components power configuration consoles and vendor portals that indirectly control smart locks, cameras, thermostats, and centralized hubs, while smart home gateways and local controllers hosting web UIs built on affected React versions present additional attack surfaces across residential and commercial building networks.

Third-party integrator and original equipment manufacturer portals managing deployed device fleets constitute centralized, high-value targets when implemented on vulnerable framework versions. Because the vulnerability lives in the server-side RSC runtime rather than in client-side React code, any third-party application, plugin or micro-frontend that a smart home orchestration platform serves through an affected RSC endpoint adds indirect exposure to CVE-2025-55182 even where the platform's own code is not React-based.

Successful exploitation of vulnerable React servers provides attackers multiple pathways to compromise connected smart home devices, including theft or manipulation of device access tokens, API keys, and OAuth credentials essential for device management.

Code execution on the web server permits direct invocation of smart home vendor APIs with the server's own credentials to issue unauthorized commands such as opening doors or disabling security alarms, and it lets attackers modify automation scripts, scenes and schedules to trigger unsafe device behavior, including timed camera deactivation.

Lateral movement from compromised web servers into IoT management networks or message brokers—including MQTT, AMQP, and proprietary communication buses—enables deeper penetration, and malicious firmware or configuration updates distributed through compromised update orchestration services can propagate tampered configurations across extensive device populations.

Observed exploitation attempts have included payloads that exfiltrate environment variables, capturing the API credentials and secrets that smart home backend services commonly load from .env files into the server process environment.

Security advisories confirm rapid exploitation following disclosure, with AWS analysis attributing early reconnaissance activity to China-nexus threat groups targeting high-value cloud infrastructure running React and Next.js deployments. Amazon's Alexa+ AI assistant, which has agentic capabilities, is among the smart home platforms potentially exposed through its web interfaces.

Remediation requires immediate patching to React Server Components 19.0.1, 19.1.2 or 19.2.1, or to the corresponding patched release of the framework that bundles them, since public proof-of-concept code has accelerated attackers' ability to weaponize the vulnerability against unpatched systems. Because observed payloads target environment variables, any server that was reachable before it was patched should be treated as compromised for credential purposes: rotate the device API keys, OAuth client secrets and message broker credentials it held, and review automation rules and scheduled firmware jobs for unauthorized changes.
