Overview
The recently disclosed React2Shell vulnerability affects applications that use React Server Components (RSC) or frameworks that implement RSC infrastructure. It stems from insecure deserialization in the handling of server actions and the React Flight protocol, and allows unauthenticated remote code execution (RCE) on the server in affected configurations.
- CVE ID: CVE-2025-55182
- CVSS Score: 10
Impact on Cumulocity Platform
The Cumulocity Platform does not use React Server Components (RSC) and none of our applications rely on Next.js or any RSC-enabled framework.
After a thorough internal review, we confirm that the Cumulocity Platform and all its components are NOT AFFECTED by the React2Shell vulnerability. No part of our product stack uses React Server Components, Next.js, Redwood, Waku, or any react-server / RSC-related libraries required to trigger this issue.
We will continue to monitor upstream advisories and maintain a proactive security posture across our UI technologies.
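For teams running the same kind of review on their own UI projects, the following added example (not Cumulocity's code or tooling) scans a parsed npm lockfile for the RSC-related packages named above, including transitive copies. The watch list, the `findRscPackages` name and the sample lockfile are assumptions made for illustration; the function expects lockfileVersion 2 or 3.

```javascript
// Watch list: an assumption built from the frameworks this advisory names plus
// the react-server-dom-* packages; adjust it to the upstream advisory you track.
const WATCH_EXACT = new Set([
  "next", "waku",
  "react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack",
]);
const WATCH_PREFIXES = ["@redwoodjs/"];
const isWatched = (name) =>
  WATCH_EXACT.has(name) || WATCH_PREFIXES.some((p) => name.startsWith(p));

// Returns every watched package in a parsed package-lock.json, sorted by path.
// Refuses lockfiles without a "packages" map so an unsupported format is never
// mistaken for a clean result.
function findRscPackages(lock) {
  if (!lock || typeof lock.packages !== "object") {
    throw new Error("expected a lockfileVersion 2 or 3 package-lock.json");
  }
  const marker = "node_modules/";
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "") continue; // root project entry
    const i = path.lastIndexOf(marker);
    // Transitive copies nest as a/node_modules/b, so take the last segment.
    const name = meta.name || (i >= 0 ? path.slice(i + marker.length) : path);
    if (isWatched(name)) {
      // "dev" marks packages reachable only through devDependencies.
      hits.push({ name, version: meta.version, path, devOnly: meta.dev === true });
    }
  }
  return hits.sort((a, b) => (a.path < b.path ? -1 : a.path > b.path ? 1 : 0));
}

// Constructed sample lockfile (not from a real project; versions are placeholders).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-ui", version: "1.0.0" },
    "node_modules/react": { version: "0.0.0-sample" },
    "node_modules/@redwoodjs/web": { version: "0.0.0-sample", dev: true },
    "node_modules/some-plugin/node_modules/react-server-dom-webpack": {
      version: "0.0.0-sample",
    },
  },
};
console.log(findRscPackages(SAMPLE_LOCK));
```

An empty result only shows that none of the listed packages are installed; whether an installed version is affected must be checked against the upstream advisory.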
References
In case of further questions, please contact Cumulocity support.