
React2Shell: Critical React Server Components RCE Exploited in the Wild (CVE-2025-55182)

December 8th, 2025

Critical

Our Cyber Threat Intelligence Unit is monitoring CVE-2025-55182, a critical remote code execution vulnerability in React Server Components (RSC), commonly called React2Shell. Publicly disclosed on December 3, 2025, the vulnerability allows unauthenticated attackers to run arbitrary server-side JavaScript through maliciously crafted HTTP requests. The issue stems from unsafe deserialization in React's Flight protocol and affects the react-server-dom-* packages in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. Frameworks that bundle these packages, including Next.js App Router (15.x, 16.x, and the corresponding canary builds), are also vulnerable. Working public PoCs, automated scanning, and confirmed in-the-wild exploitation appeared within days of disclosure, prompting CISA to add the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog on December 5, 2025. With a CVSS score of 10.0 and a broad ecosystem footprint, organizations should treat this as an emergency patch.

Technical Details

  • CVE IDs:

    • CVE-2025-55182: React Server Components RCE (React / RSC)

    • CVE-2025-66478: Next.js App Router RCE (assigned to Next.js and later marked in NVD as a duplicate of CVE-2025-55182).

  • CVSS Score: 10.0 (critical).

  • Affected Components:

    • react-server-dom-webpack

    • react-server-dom-parcel

    • react-server-dom-turbopack

      • Versions: 19.0.0, 19.1.0, 19.1.1, 19.2.0

    • Impacted frameworks include Next.js App Router (15.x/16.x), RSC-enabled React Router builds, Waku, and RSC integrations in Vite/Parcel plugins.

      • Next.js 13.x and 14.x stable releases, Pages Router-only applications, and the Edge Runtime are not affected.

  • Root Cause:

    • Unsafe deserialization in the Flight protocol allows attacker-controlled payloads to be interpreted as executable server-side logic.

    • The requireModule function in react-server-dom-webpack fails to enforce strict structure validation.

    • This allows an attacker to manipulate module resolution and trigger execution via Node.js’s vm.runInThisContext.

  • Attack Chain / Method:

    • Initial attack vector: a specially crafted Flight payload delivered in an HTTP POST to a Server Function / Server Action (RSC) endpoint. No authentication is required.

    • Exploitation method: unsafe deserialization of the RSC Flight payload. requireModule in react-server-dom-webpack does not correctly validate the structure of the decoded payload, so attacker-controlled data influences how modules and server functions are resolved and executed.

    • Payload delivery mechanism: Upwind's analysis shows that a malicious Flight payload in a POST request that triggers a Server Action causes React to invoke vm.runInThisContext with attacker-controlled input, yielding arbitrary JavaScript execution with the privileges of the Node.js process.

    • Post-compromise behavior: Successful exploitation allows arbitrary server-side code execution, facilitating complete server compromise, deployment of additional payloads (webshells, backdoors), credential theft, and lateral movement within the environment.

      • Because this is a deterministic logic vulnerability rather than a memory-safety bug, exploitation is highly reliable.

  • Patch Availability:

    • react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack patched in 19.0.1, 19.1.2, and 19.2.1 (one fixed release per 19.x line).

    • Next.js patched in 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, and 15.0.5 (one fixed release per affected minor line).
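
The following dependency check is an added example written for this advisory, not code from the React or Next.js projects or from the original page. It reads an npm package-lock.json (lockfileVersion 2 or 3, where the packages map is keyed by node_modules paths) and classifies every react-server-dom-* and next entry against the fixed versions listed above, including nested copies under a dependency's own node_modules. The lockfile layout and the embedded sample lock are assumptions; canary and other prerelease builds are reported for manual review rather than classified, and a minor line not listed above is likewise reported for review.

```javascript
// Added example, not from the advisory or the React/Next.js projects: audit an
// npm package-lock.json (lockfileVersion 2 or 3) for react-server-dom-* and
// next entries and compare each resolved version with the fixed releases from
// this advisory. Nested copies (node_modules/*/node_modules/...) are included
// because a framework or tool may vendor its own copy of an RSC package.

const RSC_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);

// Vulnerable stable RSC releases and the first fixed release of each 19.x line.
const RSC_VULNERABLE = new Set(['19.0.0', '19.1.0', '19.1.1', '19.2.0']);
const RSC_FIXED_BY_LINE = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };

// Next.js App Router: first fixed release per affected minor line (15.x/16.x).
const NEXT_FIXED_BY_LINE = {
  '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6', '15.3': '15.3.6',
  '15.4': '15.4.8', '15.5': '15.5.7', '16.0': '16.0.7',
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; returns null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// Numeric comparison of two parsed versions (prerelease tags ignored); < 0 when a < b.
function compareVersions(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Classify one package@version as 'vulnerable', 'fixed', 'not-affected' or 'review'.
function classify(name, version) {
  const v = parseVersion(version);
  if (!v) return 'review';
  if (RSC_PACKAGES.has(name)) {
    if (RSC_VULNERABLE.has(version)) return 'vulnerable';
    if (v.pre) return 'review'; // canary/experimental builds: check the release notes
    const fixed = RSC_FIXED_BY_LINE[`${v.major}.${v.minor}`];
    if (!fixed) return v.major === 19 ? 'review' : 'not-affected';
    return compareVersions(v, parseVersion(fixed)) >= 0 ? 'fixed' : 'vulnerable';
  }
  if (name === 'next') {
    if (v.major < 15) return 'not-affected'; // 13.x and 14.x stable are not affected
    if (v.pre) return 'review';              // canary builds: check the release notes
    const fixed = NEXT_FIXED_BY_LINE[`${v.major}.${v.minor}`];
    if (!fixed) return 'review';             // minor line not listed in the advisory
    return compareVersions(v, parseVersion(fixed)) >= 0 ? 'fixed' : 'vulnerable';
  }
  return 'not-affected';
}

// Walk the lockfile "packages" map. The package name is the path tail after the
// last "node_modules/", which handles nested installs and scoped names alike.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx < 0 || !meta || !meta.version) continue;
    const name = path.slice(idx + 'node_modules/'.length);
    if (!RSC_PACKAGES.has(name) && name !== 'next') continue;
    findings.push({ path, name, version: meta.version, status: classify(name, meta.version) });
  }
  return findings;
}

// Constructed sample lockfile (not from a real project) covering each outcome.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'shop-frontend', version: '1.0.0' },
    'node_modules/next': { version: '15.5.6' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/react-server-dom-turbopack': { version: '19.2.1' },
    'node_modules/react-server-dom-parcel': { version: '19.2.0-canary-example' },
    'node_modules/legacy-admin/node_modules/next': { version: '14.2.3' },
  },
};

// CLI: `node audit-rsc.js package-lock.json`; prints one line per finding.
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const lock = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
  for (const f of auditLockfile(lock)) {
    console.log(`${f.status.padEnd(13)} ${f.name}@${f.version}  (${f.path})`);
  }
}
```

Run it against each repository's lockfile and treat any 'vulnerable' or 'review' line as work to do. A clean lockfile is necessary but not sufficient: production bundles built before the upgrade still embed the old package code, so the build must be rerun and redeployed, not only the dependency tree updated.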


Impact

  • Full Server Compromise: Successful exploitation results in arbitrary code execution under the privileges of the server process, allowing credential theft, data exfiltration, malware deployment, and lateral movement.

  • Large-Scale Exposure: RSC and Next.js App Router are heavily adopted across enterprise and cloud-native environments; early scans identified extensive internet-facing exposure.

  • Supply-Chain Risk: Many frameworks bundle vulnerable RSC packages as transitive dependencies, so an application can be exposed even when react-server-dom-* never appears in its own package.json.

  • High Automation Potential: The exploit requires only a single crafted request and lends itself to botnet-driven mass exploitation.

Detection Method

Organizations should focus on both dependency-level and behavioral indicators:

  • Inventory review: Identify use of react-server-dom-* packages or frameworks bundling them (Next.js App Router, RSC-enabled toolchains).

  • Log analysis: Flag malformed or unusual POST requests hitting RSC or Server Action endpoints, especially Flight-like serialized payloads.

  • Runtime monitoring: Detect abnormal Node.js activity; unexpected process spawning, file writes, or outbound network connections.

  • WAF defenses: Block requests containing suspicious serialized data structures targeting RSC endpoints.
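
As an added example (not part of the original advisory, and not a vendor signature), the script below applies the log-analysis heuristics above to a constructed JSON-lines access log. It assumes the proxy logs method, path, status, request headers and a body excerpt; that Server Action invocations carry a Next-Action request header, as Next.js sends; and that client-to-server Flight references appear in the body as JSON strings beginning with a dollar sign. The scoring weights, the generic deserialization-abuse markers (__proto__, constructor, prototype) and the alert threshold are tunable assumptions, not indicators specific to this CVE, and the per-client roll-up is there so a single source probing several action endpoints stands out even when each request alone is borderline.

```javascript
// Added example, not from the advisory or any vendor: heuristic triage of
// reverse-proxy access logs for Server Action / RSC requests worth a closer
// look. Log format, header names and the Flight token regex are assumptions;
// tune them to your own proxy and framework before relying on the output.

// Generic deserialization-abuse markers; not specific to CVE-2025-55182.
const SUSPICIOUS_KEYS = ['__proto__', 'constructor', 'prototype'];

// Flight encodes client-to-server references as JSON strings beginning with
// "$", an optional type letter and an id (e.g. "$@1", "$F2", "$K1").
// Coarse heuristic: count such strings in the logged body excerpt.
const FLIGHT_REF = /"\$[@A-Za-z]?[0-9][^"]*"/g;

const FLAG_THRESHOLD = 3;

// Case-insensitive header lookup; headers are a plain object in the sample log.
function headerValue(headers, name) {
  const key = Object.keys(headers || {}).find(k => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Next.js marks Server Action invocations with a Next-Action request header
// (assumed here as the selector; adjust for other RSC frameworks).
function isServerActionPost(rec) {
  return rec.method === 'POST' && headerValue(rec.headers, 'next-action') !== undefined;
}

// Score a single request. Ordinary Server Action traffic scores low; the
// abuse markers and server errors on action endpoints push it over the line.
function scoreRequest(rec) {
  const reasons = [];
  let score = 0;
  const body = rec.body || '';
  const action = isServerActionPost(rec);
  if (action) { score += 1; reasons.push('server-action-post'); }
  const refs = body.match(FLIGHT_REF) || [];
  if (refs.length > 0) { score += 1; reasons.push(`flight-refs:${refs.length}`); }
  const keys = SUSPICIOUS_KEYS.filter(k => body.includes(k));
  if (keys.length > 0) { score += 3; reasons.push(`suspicious-keys:${keys.join(',')}`); }
  if (action && rec.status >= 500) { score += 2; reasons.push(`status:${rec.status}`); }
  return { score, reasons, flagged: score >= FLAG_THRESHOLD };
}

// Parse JSON-lines records (one object per line); blank or malformed lines are skipped.
function parseLogLines(text) {
  const out = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    try { out.push(JSON.parse(line)); } catch (_) { /* ignore malformed line */ }
  }
  return out;
}

// Triage a log: flagged requests plus a per-client roll-up (request count,
// flagged count, distinct paths hit with Server Action POSTs).
function triage(text) {
  const flagged = [];
  const clients = {};
  for (const rec of parseLogLines(text)) {
    const result = scoreRequest(rec);
    const c = clients[rec.ip] || (clients[rec.ip] = { total: 0, flagged: 0, actionPaths: new Set() });
    c.total += 1;
    if (isServerActionPost(rec)) c.actionPaths.add(rec.path);
    if (result.flagged) {
      c.flagged += 1;
      flagged.push({ ip: rec.ip, path: rec.path, ...result });
    }
  }
  return { flagged, clients };
}

// Constructed sample log (not captured traffic): two ordinary requests, one
// legitimate Server Action, and two probes from a single client.
const SAMPLE_LOG = [
  '{"ip":"198.51.100.4","method":"GET","path":"/","status":200,"headers":{}}',
  '{"ip":"198.51.100.4","method":"POST","path":"/cart","status":200,"headers":{"Next-Action":"a1b2c3"},"body":"[\\"$K1\\"]"}',
  '{"ip":"203.0.113.7","method":"POST","path":"/","status":500,"headers":{"next-action":"x"},"body":"[\\"$@1\\",{\\"__proto__\\":{\\"x\\":1}}]"}',
  '{"ip":"203.0.113.7","method":"POST","path":"/api/health","status":500,"headers":{"next-action":"x"},"body":"[\\"$@2\\",\\"$@3\\",{\\"constructor\\":{}}]"}',
  '{"ip":"198.51.100.9","method":"POST","path":"/login","status":200,"headers":{},"body":"{\\"user\\":\\"alice\\"}"}',
].join('\n');
```

Feed triage() the contents of a real access log in the same shape (for example the output of a JSON-logging reverse proxy with request-body capture enabled) and review the flagged list alongside the per-client counts; a client whose actionPaths set grows across many unrelated routes is behaving like a scanner rather than a browser. Pair this with the runtime monitoring above, since a successful exploit leaves its clearest trace in unexpected child processes or outbound connections from the Node.js process, not in the request log.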

Indicators of Compromise

No indicators of compromise (IOCs) are associated with this advisory at this time.


Recommendations

  • Patch Immediately: Upgrade react-server-dom-* packages to 19.0.1, 19.1.2, or 19.2.1 (or later within each line) and move Next.js App Router deployments to the fixed release for the minor version in use (see Patch Availability above).

  • Audit & Rebuild: Review all projects, including backend services, SSR layers, and microservices, for bundled RSC components, including transitive copies that are not listed as direct dependencies. Rebuild and redeploy after patching, since production bundles built from the old dependency tree still carry the vulnerable code.

  • Harden Exposure: Restrict network access to SSR/RSC endpoints, apply WAF rules, and validate incoming request payloads.

  • Enhance Runtime Security: Deploy RASP/WAF/EDR solutions capable of detecting anomalous Node.js execution and unexpected system calls.

  • Enable Comprehensive Logging: Ensure complete request/response logging on reverse proxies and application servers to support rapid detection and response.

Conclusion

CVE-2025-55182 (React2Shell) is a critical, deterministic remote-code-execution vulnerability in React Server Components and frameworks such as Next.js App Router. Because exploitation is pre-authentication, highly reliable, and present in default configurations across widely deployed frameworks, it poses an immediate and severe risk to internet-facing and internal web infrastructure. Organizations should prioritize rapid patching of React and Next.js, aggressively audit dependencies, harden network exposure to RSC endpoints, and deploy runtime monitoring and detections to reduce the likelihood and impact of compromise.
