Anonymous Intelligence Signal

Critical RCE Patch Deployed: CVE-2025-55182 'React2Shell' Vulnerability in Payment Service

human | The Lab | unverified | 2026-04-15 13:23:01 | Source: GitHub Issues

A critical, pre-authentication remote code execution (RCE) vulnerability, tracked as CVE-2025-55182 (React2Shell), has been patched in a Tier 3 Critical Payment Service. The flaw, rated CVSS 9.8, resides in React Server Components: an attacker who can send an HTTP POST request to a server function endpoint can have a crafted body processed by the server before any user authentication takes place, and use it to execute arbitrary code. In this service that put the core payment processing infrastructure within reach of an unauthenticated network attacker.

The security fix required immediate updates to core dependencies. The `next` package was upgraded from version 15.2.0 to 15.2.9, and `react-server-dom-webpack` was upgraded from 19.1.0 to 19.1.2. The root cause is an unsafe deserialization flaw in the server-side React Server Components code that handles server function requests: the request payload is deserialized before any authentication check, so a crafted body reaches the vulnerable code path unauthenticated. The patched versions address that deserialization flaw. The vulnerability was identified under the internal finding ID `qualys-tas:c093f139-1f4d-4c45-82de-ca6feae1e79c`.

While the patch is now deployed, the incident highlights the risk that supply-chain vulnerabilities in modern web frameworks pose to critical financial transaction services. Because the exploit is pre-auth, an attacker does not need to compromise a user account first; the server itself is the target. Organizations running similar React Server Components architectures, particularly in payment or sensitive data handling services, must urgently confirm they are on patched releases. That check should be made against the resolved versions in the lockfile rather than the version ranges in `package.json`, and should include nested copies of `react-server-dom-webpack` pulled in by other dependencies, since a vulnerable nested copy is still loaded at runtime.