{"id":105983,"date":"2025-12-04T21:54:50","date_gmt":"2025-12-04T19:54:50","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?post_type=zero-post&#038;p=105983"},"modified":"2026-02-27T20:39:26","modified_gmt":"2026-02-27T18:39:26","slug":"react2shell-cve-2025-55182-deserialization-to-remote-code-execution-in-react-and-next-js","status":"publish","type":"zero-post","link":"https:\/\/checkmarx.com\/zero-post\/react2shell-cve-2025-55182-deserialization-to-remote-code-execution-in-react-and-next-js\/","title":{"rendered":"React2Shell (CVE-2025-55182) Deserialization to Remote Code Execution in React and Next.js"},"content":{"rendered":"<p class=\"print-source-info\"><script>document.write(\"Copyright Checkmarx, all rights reserved. Retrieved \"+new Date().toLocaleDateString()+\" from<br\/>\"+window.location.href);<\/script><noscript>This document copyright Checkmarx, all rights reserved.<\/noscript><\/p>\n\n\n\n<p>React, a JavaScript library for building user interfaces, and one of the most widely used NPM libraries with over 50M weekly downloads, released an <a href=\"https:\/\/react.dev\/blog\/2025\/12\/03\/critical-security-vulnerability-in-react-server-components\">advisory<\/a> (<a href=\"https:\/\/devhub.checkmarx.com\/cve-details\/CVE-2025-55182\/\">CVE-2025-55182<\/a>, CVSSv3.1 = 10.0) on December 3, 2025, warning users that the React Server Components (RSC), including the react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack NPM packages, are vulnerable to a Remote Code Execution (RCE) attack.
This vulnerability, now referred to as <strong>React2Shell<\/strong> in the security community, allows an unauthenticated attacker to craft a malicious HTTP request to any Server Function endpoint and trigger insecure deserialization, leading to remote code execution on the server.<\/p>\n\n\n\n<p style=\"border: 0.1rem solid; padding: 0.5rem;\">Mitigation of this risk is difficult; upgrade following the guide in the table below<\/p>\n\n\n\n<p>Even if no specific endpoints are in use, supporting React Server Components can leave users vulnerable, further increasing the criticality of this issue.<\/p>\n\n\n\n<p>The scope of React2Shell extends beyond React, affecting Next.js, a full-fledged React framework and one of the most widely used JavaScript frameworks with over 130k GitHub stars, as well as other projects that use React or Next.js.<\/p>\n\n\n\n<p>Below, we share a table of the main affected packages and the fixed versions.<\/p>\n\n\n\n<p>If your project uses any of the dependencies listed below, please update them to the latest version as specified in the corresponding update action. Most dependencies have a single update action, but Next.js includes separate update actions for each branch.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody>\n<tr>\n<td><strong>Project<\/strong><\/td>\n<td><strong>Affected branches<\/strong><\/td>\n<td><strong>Fixed versions<\/strong><\/td>\n<td><strong>Update Action<\/strong><\/td>\n<\/tr>\n<tr>\n<td>React<\/td>\n<td>19.0.x 19.1.x 19.2.x<\/td>\n<td>19.0.1 19.1.2 19.2.1<\/td>\n<td><code>npm install react@latest<\/code><\/td>\n<\/tr>\n<tr>\n<td>React Router<\/td>\n<td>All that contain the dependencies listed in the update action<\/td>\n<td>Any version in which the \u201cUpdate Action\u201d was executed<\/td>\n<td><code>npm install react@latest react-dom@latest react-server-dom-parcel@latest react-server-dom-webpack@latest @vitejs\/plugin-rsc@latest<\/code><\/td>\n<\/tr>\n<tr>\n<td>react-server-dom-parcel<\/td>\n<td>19.0.x 19.1.x 19.2.x<\/td>\n<td>19.0.1 19.1.2 19.2.1<\/td>\n<td><code>npm install react@latest react-dom@latest react-server-dom-parcel@latest<\/code><\/td>\n<\/tr>\n<tr>\n<td>react-server-dom-webpack<\/td>\n<td>19.0.x 19.1.x 19.2.x<\/td>\n<td>19.0.1 19.1.2 19.2.1<\/td>\n<td><code>npm install react@latest react-dom@latest react-server-dom-webpack@latest<\/code><\/td>\n<\/tr>\n<tr>\n<td>react-server-dom-turbopack<\/td>\n<td>19.0.x 19.1.x 19.2.x<\/td>\n<td>19.0.1 19.1.2 19.2.1<\/td>\n<td><code>npm install
react@latest react-dom@latest react-server-dom-turbopack@latest<\/code><\/td>\n<\/tr>\n<tr>\n<td>Next.js<\/td>\n<td>14.3.0-canary<br>15.0.x<br>15.1.x<br>15.2.x<br>15.3.x<br>15.4.x<br>15.5.x<br>16.0.x<\/td>\n<td>14.3.0-canary.88<br>15.0.5<br>15.1.9<br>15.2.6<br>15.3.6<br>15.4.8<br>15.5.7<br>16.0.7<\/td>\n<td>One of:<br><code>npm install next@14 <\/code><br><code>npm install next@15.0.5 <\/code><br><code>npm install next@15.1.9 <\/code><br><code>npm install next@15.2.6 <\/code><br><code>npm install next@15.3.6 <\/code><br><code>npm install next@15.4.8 <\/code><br><code>npm install next@15.5.7 <\/code><br><code>npm install next@16.0.7<\/code>\n<\/td>\n<\/tr>\n<tr>\n<td>@vitejs\/plugin-rsc<\/td>\n<td>All<\/td>\n<td>0.5.3<\/td>\n<td><code>npm install react@latest react-dom@latest @vitejs\/plugin-rsc@latest<\/code><\/td>\n<\/tr>\n<tr>\n<td>Redwood SDK<\/td>\n<td>All<\/td>\n<td>1.0.0-beta36<\/td>\n<td><code>npm install react@latest react-dom@latest react-server-dom-webpack@latest rwsdk@latest<\/code><\/td>\n<\/tr>\n<tr>\n<td>Waku<\/td>\n<td>All<\/td>\n<td>0.27.3<\/td>\n<td><code>npm install react@latest react-dom@latest react-server-dom-webpack@latest waku@latest<\/code><\/td>\n<\/tr>\n<\/tbody><\/table><\/figure>\n\n\n\n<p class=\"caption\">Note that this is only an overview of affected packages that were already disclosed by official sources. Any other application using React Server Components by importing a vulnerable version or bundling vulnerable code is likely affected as well.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-1\">How is React Impacted?<\/h2>\n\n\n\n<p>In the blog post shared by the React team, it\u2019s clear that React2Shell originates in the <strong>React Server Components (RSC)<\/strong>.
RSC is a feature that allows React components to run exclusively on the server, offering significant performance benefits and giving developers greater flexibility in how their components behave.<\/p>\n\n\n\n<p><strong>Server Components<\/strong> can expose specific functions that <strong>Client Components<\/strong> can call asynchronously. These are known as <strong>Server Functions<\/strong>. To achieve this communication between server and client components, React implemented the <strong>Flight Protocol<\/strong>, an internal serialization format that transmits rendered components and data. The Flight protocol handles two critical flows:<\/p>\n\n\n\n<p><strong>Server-to-Client Flow (Standard)<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Server renders components and serializes output<\/li>\n\n\n\n<li>Flight protocol streams data packets to the client<\/li>\n\n\n\n<li>Client deserializes and renders UI<\/li>\n<\/ul>\n\n\n\n<p><strong>Client-to-Server Flow (Reply Flow)<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Client serializes form submissions or function calls<\/li>\n\n\n\n<li>Flight protocol transmits data to the server<\/li>\n\n\n\n<li>Server deserializes and processes requests<\/li>\n<\/ul>\n\n\n\n<p>To simplify, when a Client Component calls a Server Function, React translates that call into an HTTP request that is forwarded to the server. On the server, React translates the HTTP request into a function call, via deserialization, and returns the needed data to the client. This is achieved through the Flight protocol.<\/p>\n\n\n\n<p>Since React translates these server functions into HTTP requests and deserializes the request on the server side, we can already picture how this can be exploited. 
It is possible for an unauthenticated attacker to craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Another Day, Another Deserialization Disaster<\/h3>\n\n\n\n<p>The vulnerability resides in the client-to-server reply flow, specifically in how the server deserializes incoming requests to resolve Server Actions\u2014functions that execute on the server in response to client interactions.<\/p>\n\n\n\n<p>React Server Actions enable client components to invoke server-side functions. When a client submits a form or calls a server action, React serializes the request using a specific format:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"language-react\">$ACTION_ID: \"module-id#export-name\"\n<\/code><\/pre>\n\n\n\n<p>The server receives this identifier and uses it to resolve the corresponding function. This process involves three steps:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>Parse the action ID<\/strong> &#8211; Split on &#8216;#&#8217; to extract module ID and export name<\/li>\n\n\n\n<li>\n<strong>Load the module<\/strong> &#8211; Use __webpack_require__ to load the module<\/li>\n\n\n\n<li>\n<strong>Access the export<\/strong> &#8211; Retrieve the function using bracket notation: moduleExports[exportName]<\/li>\n<\/ul>\n\n\n\n<p>The vulnerability exists in step 3\u2014accessing the export. 
Here&#8217;s the actual vulnerable code from React&#8217;s Flight protocol implementation in the <a href=\"https:\/\/github.com\/facebook\/react\/blob\/v19.0.0\/packages\/react-server-dom-webpack\/src\/client\/ReactFlightClientConfigBundlerWebpack.js#L230-L252\"><code>requireModule<\/code><\/a> function:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>export function requireModule&lt;T&gt;(metadata: ClientReference&lt;T&gt;): T {\n  let moduleExports = __webpack_require__(metadata&#91;ID]);\n  if (isAsyncImport(metadata)) {\n    if (typeof moduleExports.then !== 'function') {\n      \/\/ This wasn't a promise after all.\n    } else if (moduleExports.status === 'fulfilled') {\n      \/\/ This Promise should've been instrumented by preloadModule.\n      moduleExports = moduleExports.value;\n    } else {\n      throw moduleExports.reason;\n    }\n  }\n  if (metadata&#91;NAME] === '*') {\n    \/\/ This is a placeholder value that represents that the caller imported this\n    \/\/ as a CommonJS module as is.\n    return moduleExports;\n  }\n  if (metadata&#91;NAME] === '') {\n    \/\/ This is a placeholder value that represents that the caller accessed the\n    \/\/ default property of this if it was an ESM interop module.\n    return moduleExports.__esModule ? moduleExports.default : moduleExports;\n  }\n  return moduleExports&#91;metadata&#91;NAME]];\n\/\/\/....\n}<\/code><\/pre>\n\n\n\n<p>The issue is in the final line <code>moduleExports[metadata[NAME]]<\/code>.<\/p>\n\n\n\n<p>Because React&#8217;s code didn&#8217;t verify that the requested property was an own property of the module (meaning a property defined directly on the module object, not inherited), attackers could also reach inherited properties, including methods that are not part of the module&#8217;s own exports and should never be accessible.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-2\">Exploiting the React2Shell vulnerability<\/h2>\n\n\n\n<p>Modern JavaScript applications commonly bundle dangerous Node.js modules for legitimate purposes. These modules become part of the webpack bundle during the build process.<\/p>\n\n\n\n<p>When these modules exist in the webpack bundle, their exports become accessible through the module resolution mechanism. However, only modules already in the bundle can be exploited\u2014attackers cannot load external modules from outside the bundle&#8217;s scope. Since dangerous modules are often included directly or as transitive dependencies, they commonly exist in production bundles.
An attacker can craft a request that specifies one of these dangerous modules to achieve code execution:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"language-react\">$ACTION_ID: \"vm#runInThisContext\"<\/code><\/pre>\n\n\n\n<p>This instructs React to:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Load the <code>vm<\/code> module (legitimate module in the bundle)<\/li>\n\n\n\n<li>Access <code>vm['runInThisContext']<\/code> (legitimate export of vm module)<\/li>\n\n\n\n<li>Return the <code>runInThisContext<\/code> function to be invoked<\/li>\n<\/ol>\n\n\n\n<p>The vm.runInThisContext function executes arbitrary JavaScript code in the current context\u2014giving the attacker full code execution capabilities on the server.<\/p>\n\n\n\n<p>Similarly, attackers can target:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<code>child_process#execSync<\/code> &#8211; Execute arbitrary shell commands<\/li>\n\n\n\n<li>\n<code>fs#readFileSync \/ fs#writeFileSync<\/code> &#8211; Read or write arbitrary files<\/li>\n<\/ul>\n\n\n\n<p>The presence of even one of these modules in the webpack bundle is sufficient for exploitation. Given how commonly these modules are included as transitive dependencies, the attack surface is significant.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-3\">How is Next.js Impacted?<\/h2>\n\n\n\n<p>Next.js is a comprehensive React framework and one of the most popular JavaScript frameworks, with over 130k GitHub stars. 
Because Next.js is built on top of React, it is also affected by React2Shell.<\/p>\n\n\n\n<p>However, Next.js can be considered just another project impacted by the underlying React issue since it does not introduce any unique risks or behaviors beyond those already present in React itself.<\/p>\n\n\n\n<p>To address the vulnerability in Next.js, the team released a commit (<a href=\"https:\/\/github.com\/vercel\/next.js\/commit\/b1a04a84e991b48b6558d15841b86f3017878607\">b1a04a8<\/a>) that updated their compiled internal React code to incorporate the fix provided by React. Additionally, they upgraded the vulnerable React dependency packages to versions that include the patch.<\/p>\n\n\n\n<p>To remediate the vulnerability in Next.js, check the branch you are currently using and upgrade to one of the versions found in the table at the top of this page.<\/p>\n\n\n\n<p>Initially, <a href=\"https:\/\/devhub.checkmarx.com\/cve-details\/CVE-2025-66478\/\">CVE-2025-66478<\/a> was issued for the vulnerability in Next.js, but it was quickly rejected. The reason is that the vulnerability resides in the compiled React code included within Next.js. 
Since Next.js itself is not directly vulnerable, CVE-2025-66478 is considered a duplicate of CVE-2025-55182.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"794\" height=\"468\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/image.png\" alt=\"\" class=\"wp-image-105984\" srcset=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/image.png 794w, https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/image-300x177.png 300w, https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/image-768x453.png 768w, https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/image-400x236.png 400w\" sizes=\"(max-width: 794px) 100vw, 794px\" \/><figcaption class=\"wp-element-caption\"><em>MITRE\u2019s Rejection of CVE-2025-66478 (duplicate of CVE-2025-55182)<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-4\">Conclusion<\/h2>\n\n\n\n<p>React2Shell (CVE-2025-55182) is undeniably a critical security issue. Not only because of its CVSS score of 10, which underscores its technical severity, but also because of the widespread usage of the affected projects. This vulnerability is an unauthenticated remote code execution issue in one of the most popular and widely used JavaScript libraries, React. 
Its reach extends beyond React itself since Next.js, one of the most popular JavaScript frameworks, is also affected by this vulnerability.<\/p>\n\n\n\n<p>This is one of the most critical types of security vulnerabilities, impacting a large portion of the JavaScript ecosystem. The community is calling this vulnerability React2Shell because, like Log4Shell, it enables unauthenticated remote code execution and has similarly broad impact, severity, and reach across the ecosystem.<\/p>\n\n\n\n<p>We at Checkmarx encourage all users to review their projects and dependencies and follow the table at the top of this page to guide you on how to properly remediate this vulnerability. <a href=\"https:\/\/checkmarx.com\/cxsca-open-source-scanning\/\">SCA tools<\/a> like the one available in <a href=\"https:\/\/checkmarx.com\/product\/application-security-platform\/\">the Checkmarx One platform<\/a> will detect affected projects and suggest proper remediation actions.<\/p>\n\n\n\n<div class=\"cxzero-social\">\n<p> <span class=\"social-button\"><a class=\"social-action\" href=\"https:\/\/www.linkedin.com\/sharing\/share-offsite\/?url={url}\" onload=\"\"><svg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" alt=\"LinkedIn
Icon\" viewbox=\"0 0 122.88 122.31\"><defs><style>.cls-1{fill:#0a66c2}.cls-1,.cls-2{fill-rule:evenodd}.cls-2{fill:#fff}<\/style><\/defs><title>linkedin-app<\/title>\n<path class=\"cls-1\" d=\"M27.75,0H95.13a27.83,27.83,0,0,1,27.75,27.75V94.57a27.83,27.83,0,0,1-27.75,27.74H27.75A27.83,27.83,0,0,1,0,94.57V27.75A27.83,27.83,0,0,1,27.75,0Z\"><\/path><path class=\"cls-2\" d=\"M49.19,47.41H64.72v8h.22c2.17-3.88,7.45-8,15.34-8,16.39,0,19.42,10.2,19.42,23.47V98.94H83.51V74c0-5.71-.12-13.06-8.42-13.06s-9.72,6.21-9.72,12.65v25.4H49.19V47.41ZM40,31.79a8.42,8.42,0,1,1-8.42-8.42A8.43,8.43,0,0,1,40,31.79ZM23.18,47.41H40V98.94H23.18V47.41Z\"><\/path><\/svg> Share on LinkedIn<\/a><\/span> <span class=\"social-button\"><a class=\"social-action\" href=\"https:\/\/bsky.app\/intent\/compose?text=I%20just%20read%20%22{title}%22%20from%20Checkmarx%20Zero%20{url}\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" shape-rendering=\"geometricPrecision\" text-rendering=\"geometricPrecision\" image-rendering=\"optimizeQuality\" fill-rule=\"evenodd\" clip-rule=\"evenodd\" alt=\"Bluesky Icon\" viewbox=\"0 0 511.999 452.266\"> <path fill=\"#0085FF\" fill-rule=\"nonzero\" d=\"M110.985 30.442c58.695 44.217 121.837 133.856 145.013 181.961 23.176-48.105 86.322-137.744 145.016-181.961 42.361-31.897 110.985-56.584 110.985 21.96 0 15.681-8.962 131.776-14.223 150.628-18.272 65.516-84.873 82.228-144.112 72.116 103.55 17.68 129.889 76.238 73 134.8-108.04 111.223-155.288-27.905-167.385-63.554-3.489-10.262-2.991-10.498-6.561 0-12.098 35.649-59.342 174.777-167.382 63.554-56.89-58.562-30.551-117.12 72.999-134.8-59.239 10.112-125.84-6.6-144.112-72.116C8.962 184.178 0 68.083 0 52.402c0-78.544 68.633-53.857 110.985-21.96z\"><\/path><\/svg> Share on Bluesky<\/a><\/span> <\/p>\n<p class=\"cxzero-social-links\">Follow <a href=\"\/zero\/\">Checkmarx Zero<\/a>: <span class=\"social-link\"><a class=\"social-con\" href=\"https:\/\/www.linkedin.com\/showcase\/checkmarx-zero\"><svg id=\"Layer_1\" data-name=\"Layer 1\" 
xmlns=\"http:\/\/www.w3.org\/2000\/svg\" alt=\"Checkmarx Zero on LinkedIn\" viewbox=\"0 0 122.88 122.31\"><defs><style>.cls-1{fill:#0a66c2}.cls-1,.cls-2{fill-rule:evenodd}.cls-2{fill:#fff}<\/style><\/defs><title>linkedin-app<\/title>\n<path class=\"cls-1\" d=\"M27.75,0H95.13a27.83,27.83,0,0,1,27.75,27.75V94.57a27.83,27.83,0,0,1-27.75,27.74H27.75A27.83,27.83,0,0,1,0,94.57V27.75A27.83,27.83,0,0,1,27.75,0Z\"><\/path><path class=\"cls-2\" d=\"M49.19,47.41H64.72v8h.22c2.17-3.88,7.45-8,15.34-8,16.39,0,19.42,10.2,19.42,23.47V98.94H83.51V74c0-5.71-.12-13.06-8.42-13.06s-9.72,6.21-9.72,12.65v25.4H49.19V47.41ZM40,31.79a8.42,8.42,0,1,1-8.42-8.42A8.43,8.43,0,0,1,40,31.79ZM23.18,47.41H40V98.94H23.18V47.41Z\"><\/path><\/svg> <\/a><\/span> <span class=\"social-link\"><a class=\"social-icon\" href=\"https:\/\/bsky.app\/profile\/checkmarxzero.bsky.social\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" shape-rendering=\"geometricPrecision\" text-rendering=\"geometricPrecision\" image-rendering=\"optimizeQuality\" fill-rule=\"evenodd\" clip-rule=\"evenodd\" alt=\"Checkmarx Zero on Bluesky\" viewbox=\"0 0 511.999 452.266\"> <path fill=\"#0085FF\" fill-rule=\"nonzero\" d=\"M110.985 30.442c58.695 44.217 121.837 133.856 145.013 181.961 23.176-48.105 86.322-137.744 145.016-181.961 42.361-31.897 110.985-56.584 110.985 21.96 0 15.681-8.962 131.776-14.223 150.628-18.272 65.516-84.873 82.228-144.112 72.116 103.55 17.68 129.889 76.238 73 134.8-108.04 111.223-155.288-27.905-167.385-63.554-3.489-10.262-2.991-10.498-6.561 0-12.098 35.649-59.342 174.777-167.382 63.554-56.89-58.562-30.551-117.12 72.999-134.8-59.239 10.112-125.84-6.6-144.112-72.116C8.962 184.178 0 68.083 0 52.402c0-78.544 68.633-53.857 110.985-21.96z\"><\/path><\/svg> <\/a><\/span> <span class=\"social-link\"><a class=\"social-con\" href=\"https:\/\/x.com\/CheckmarxZero\"><svg alt=\"Checkmarx Zero on X\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" shape-rendering=\"geometricPrecision\" text-rendering=\"geometricPrecision\" 
image-rendering=\"optimizeQuality\" fill-rule=\"evenodd\" clip-rule=\"evenodd\" viewbox=\"0 0 512 462.799\"><path fill-rule=\"nonzero\" d=\"M403.229 0h78.506L310.219 196.04 512 462.799H354.002L230.261 301.007 88.669 462.799h-78.56l183.455-209.683L0 0h161.999l111.856 147.88L403.229 0zm-27.556 415.805h43.505L138.363 44.527h-46.68l283.99 371.278z\"><\/path><\/svg> <\/a><\/span> <\/p> <script>function social_action_template(a){const b=encodeURIComponent(window.location.href);const c=document.querySelector(\"h1\");let headContent=(c==null?\"\":c.textContent);let processed=a.replace(\/\\{title\\}\/g,encodeURIComponent(headContent));processed=processed.replace(\/\\{url\\}\/g,b);return processed}var socialAction=document.getElementsByClassName(\"social-action\");console.log(socialAction);for(e=0;e<socialAction.length;e++){element=socialAction.item(e);console.log(element);element.href=social_action_template(element.href)};<\/script> <\/div>","protected":false},"excerpt":{"rendered":"<p>React2Shell (CVE-2025-55182) is a critical unauthenticated RCE vulnerability in React and Next.js caused by insecure deserialization, putting a large number of applications at immediate risk.<\/p>\n","protected":false},"author":138,"featured_media":105985,"template":"","zero-category":[1067],"zero-tag":[],"class_list":["post-105983","zero-post","type-zero-post","status-publish","has-post-thumbnail","hentry","zero-category-blog"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>React2Shell (CVE-2025-55182) Deserialization to Remote Code Execution in React and Next.js - Checkmarx<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/zero-post\/react2shell-cve-2025-55182-deserialization-to-remote-code-execution-in-react-and-next-js\/\" \/>\n<meta property=\"og:locale\" 
content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"React2Shell (CVE-2025-55182) Deserialization to Remote Code Execution in React and Next.js - Checkmarx\" \/>\n<meta property=\"og:description\" content=\"React2Shell (CVE-2025-55182) is a critical unauthenticated RCE vulnerability in React and Next.js caused by insecure deserialization, putting a large number of applications at immediate risk.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/checkmarx.com\/zero-post\/react2shell-cve-2025-55182-deserialization-to-remote-code-execution-in-react-and-next-js\/\" \/>\n<meta property=\"og:site_name\" content=\"Checkmarx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\" \/>\n<meta property=\"article:modified_time\" content=\"2026-02-27T18:39:26+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/cxzero-feature-react2shell.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"1280\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/checkmarx.com\/zero-post\/react2shell-cve-2025-55182-deserialization-to-remote-code-execution-in-react-and-next-js\/\",\"url\":\"https:\/\/checkmarx.com\/zero-post\/react2shell-cve-2025-55182-deserialization-to-remote-code-execution-in-react-and-next-js\/\",\"name\":\"React2Shell (CVE-2025-55182) Deserialization to Remote Code Execution in React and Next.js - Checkmarx\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/zero-post\/react2shell-cve-2025-55182-deserialization-to-remote-code-execution-in-react-and-next-js\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/zero-post\/react2shell-cve-2025-55182-deserialization-to-remote-code-execution-in-react-and-next-js\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/cxzero-feature-react2shell.webp\",\"datePublished\":\"2025-12-04T19:54:50+00:00\",\"dateModified\":\"2026-02-27T18:39:26+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/checkmarx.com\/zero-post\/react2shell-cve-2025-55182-deserialization-to-remote-code-execution-in-react-and-next-js\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/zero-post\/react2shell-cve-2025-55182-deserialization-to-remote-code-execution-in-react-and-next-js\/#primaryimage\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/cxzero-feature-react2shell.webp\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/cxzero-feature-react2shell.webp\",\"width\":2560,\"height\":1280},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/checkmarx.com\/#website\",\"url\":\"https:\/\/checkmarx.com\/\",\"name\":\"C
heckmarx\",\"description\":\"The world runs on code. We secure it.\",\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/checkmarx.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/checkmarx.com\/#organization\",\"name\":\"Checkmarx\",\"url\":\"https:\/\/checkmarx.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"width\":1,\"height\":1,\"caption\":\"Checkmarx\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\",\"https:\/\/x.com\/checkmarx\",\"https:\/\/www.youtube.com\/user\/CheckmarxResearchLab\",\"https:\/\/www.linkedin.com\/company\/checkmarx\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"React2Shell (CVE-2025-55182) Deserialization to Remote Code Execution in React and Next.js - Checkmarx","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/checkmarx.com\/zero-post\/react2shell-cve-2025-55182-deserialization-to-remote-code-execution-in-react-and-next-js\/","og_locale":"en_US","og_type":"article","og_title":"React2Shell (CVE-2025-55182) Deserialization to Remote Code Execution in React and Next.js - Checkmarx","og_description":"React2Shell (CVE-2025-55182) is a critical unauthenticated RCE vulnerability in React and Next.js caused by insecure deserialization, putting a large number of applications at immediate risk.","og_url":"https:\/\/checkmarx.com\/zero-post\/react2shell-cve-2025-55182-deserialization-to-remote-code-execution-in-react-and-next-js\/","og_site_name":"Checkmarx","article_publisher":"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","article_modified_time":"2026-02-27T18:39:26+00:00","og_image":[{"width":2560,"height":1280,"url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/cxzero-feature-react2shell.webp","type":"image\/webp"}],"twitter_card":"summary_large_image","twitter_site":"@checkmarx","twitter_misc":{"Est. 
reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/checkmarx.com\/zero-post\/react2shell-cve-2025-55182-deserialization-to-remote-code-execution-in-react-and-next-js\/","url":"https:\/\/checkmarx.com\/zero-post\/react2shell-cve-2025-55182-deserialization-to-remote-code-execution-in-react-and-next-js\/","name":"React2Shell (CVE-2025-55182) Deserialization to Remote Code Execution in React and Next.js - Checkmarx","isPartOf":{"@id":"https:\/\/checkmarx.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/checkmarx.com\/zero-post\/react2shell-cve-2025-55182-deserialization-to-remote-code-execution-in-react-and-next-js\/#primaryimage"},"image":{"@id":"https:\/\/checkmarx.com\/zero-post\/react2shell-cve-2025-55182-deserialization-to-remote-code-execution-in-react-and-next-js\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/cxzero-feature-react2shell.webp","datePublished":"2025-12-04T19:54:50+00:00","dateModified":"2026-02-27T18:39:26+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/checkmarx.com\/zero-post\/react2shell-cve-2025-55182-deserialization-to-remote-code-execution-in-react-and-next-js\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/zero-post\/react2shell-cve-2025-55182-deserialization-to-remote-code-execution-in-react-and-next-js\/#primaryimage","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/cxzero-feature-react2shell.webp","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2025\/12\/cxzero-feature-react2shell.webp","width":2560,"height":1280},{"@type":"WebSite","@id":"https:\/\/checkmarx.com\/#website","url":"https:\/\/checkmarx.com\/","name":"Checkmarx","description":"The world runs on code. 
We secure it.","publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/checkmarx.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/checkmarx.com\/#organization","name":"Checkmarx","url":"https:\/\/checkmarx.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","width":1,"height":1,"caption":"Checkmarx"},"image":{"@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","https:\/\/x.com\/checkmarx","https:\/\/www.youtube.com\/user\/CheckmarxResearchLab","https:\/\/www.linkedin.com\/company\/checkmarx"]}]}},"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post\/105983","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/zero-post"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/138"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media\/105985"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=105983"}],"wp:term":[{"taxonomy":"zero-category","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-category?post=105983"},{"taxonomy":"zero-tag","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-tag?post=105983"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}