React2Shell Impact Report

On December 3, 2025, a critical unauthenticated remote code execution (RCE) vulnerability was disclosed in React Server Components, known as React2Shell (CVE-2025-55182, CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779). To learn more about the vulnerability, see our React2Shell response documentation.

To help you assess which of your components and applications are impacted, Sonatype has released a React2Shell Impact Report.

Tip

Sonatype’s vulnerability detection operates at the file level, not just the component level. Our report results reflect only the vulnerabilities present in the specific files included in your components and applications. This precision helps eliminate noise and ensures you're focused on real risk.

About the React2Shell Impact Report

The React2Shell Impact Report provides a high-level summary of React2Shell vulnerability impact, showing how affected applications and components are distributed across your organization.

This report helps security and development teams:

  • Identify applications impacted by React2Shell vulnerabilities.

  • Understand which components and versions are affected.

  • Track remediation progress across applications.

  • Review waiver status at a glance.

The report focuses on visibility and awareness, not detailed remediation execution.

Impact Summary

When you open the React2Shell Impact Report, summary metrics at the top of the page provide an immediate view of overall impact, including:

  • Number of affected applications

  • Number of affected components

  • Number of violating components

  • Number of active waivers

These metrics reflect the most recent application evaluation data and update after each scan.

Note

The React2Shell Impact Report currently addresses only the following CVEs: CVE-2025-55182, CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779.

Impact Summary Table

Below the summary metrics, the impact table provides a detailed view of affected components across applications.

The table includes information such as the following:

  • Application

  • Stage

  • Component

  • Component version

  • Vulnerability ID

  • Recommended action

  • Active waiver status

  • Evaluation status

You can sort the table by column and use pagination controls to navigate large result sets. This allows teams to quickly review affected areas and prioritize follow-up actions.

Exporting the Report

You can export the React2Shell Impact Report directly from the Sonatype Lifecycle user interface and download the report data as a CSV file. Alternatively, you can use the downloadComponentSearchReport endpoint in the Component Search REST API.

To download the CSV from the user interface, take the following actions:

  1. In the Lifecycle user interface, navigate to Enterprise Reporting > React2Shell Impact Report, or to Operational Reporting > React2Shell Impact Report if your organization does not use Enterprise Reporting.

  2. Select Download CSV to download the CSV file that contains the report information.

The downloaded file includes information about component versions, implicated files, suggested remediation actions, and any active waivers.
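Once the CSV is downloaded, teams usually want to reproduce the summary metrics offline and split waived findings from those still needing action. The following script is an added example, not Sonatype's code: it assumes the export's column headers match the table columns listed above (Application, Stage, Component, Component version, Vulnerability ID, Recommended action, Active waiver status, Evaluation status) and that the waiver column holds Yes/No values; verify both against a real export before relying on it. The sample rows are constructed, and only the four CVE IDs named on this page are kept.

```python
import csv
import io
from collections import defaultdict

# The CVEs the React2Shell Impact Report covers (taken from the page).
REACT2SHELL_CVES = {
    "CVE-2025-55182",
    "CVE-2025-55183",
    "CVE-2025-55184",
    "CVE-2025-67779",
}

# Constructed sample export. Header names are an ASSUMPTION based on the
# report's table columns; application and component names are invented.
SAMPLE_CSV = """\
Application,Stage,Component,Component version,Vulnerability ID,Recommended action,Active waiver status,Evaluation status
storefront,build,react-server-dom-example,19.0.0,CVE-2025-55182,Upgrade,No,Completed
storefront,build,react-server-dom-example,19.0.0,CVE-2025-55183,Upgrade,No,Completed
checkout-api,stage-release,react-server-dom-example,19.1.0,CVE-2025-55182,Upgrade,Yes,Completed
admin-portal,release,rsc-runtime-example,18.3.1,CVE-2025-67779,Upgrade,No,Completed
admin-portal,release,unrelated-lib-example,2.0.0,OTHER-FINDING-PLACEHOLDER,Upgrade,No,Completed
"""


def parse_report(csv_text):
    """Parse the exported CSV and keep only rows for the React2Shell CVEs.

    Rows for any other vulnerability ID are dropped so the metrics below
    match the scope of the report itself.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        row for row in reader
        if row["Vulnerability ID"].strip() in REACT2SHELL_CVES
    ]


def summarize(rows):
    """Recompute the report's headline metrics from the exported rows.

    affected_applications: distinct applications with at least one finding
    affected_components:   distinct component@version pairs
    active_waivers:        findings covered by an active waiver
    open_findings:         findings with no active waiver (still need action)
    by_application:        components affected per application
    """
    by_app = defaultdict(set)
    components = set()
    waived = 0
    for row in rows:
        comp = f'{row["Component"].strip()}@{row["Component version"].strip()}'
        components.add(comp)
        by_app[row["Application"].strip()].add(comp)
        if row["Active waiver status"].strip().lower() == "yes":
            waived += 1
    return {
        "affected_applications": len(by_app),
        "affected_components": len(components),
        "active_waivers": waived,
        "open_findings": len(rows) - waived,
        "by_application": {app: sorted(c) for app, c in sorted(by_app.items())},
    }


if __name__ == "__main__":
    # Replace SAMPLE_CSV with open("react2shell-report.csv").read() for a real export.
    summary = summarize(parse_report(SAMPLE_CSV))
    for key in ("affected_applications", "affected_components",
                "active_waivers", "open_findings"):
        print(f"{key}: {summary[key]}")
    for app, comps in summary["by_application"].items():
        print(f"  {app}: {', '.join(comps)}")
```

Because the row filter uses the CVE set from this page, the same script can be re-run against later exports without picking up unrelated findings that happen to share a component. The open_findings count is the one worth tracking over time: it falls as upgrades land and is unaffected by waivers, so it reflects actual remediation rather than accepted risk.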

Note

Report details are limited to your user permission level. For full details, be sure to download the report using an administrator account with full permissions.