React2Shell: A Critical React and Next.js Flaw Is Actively Exploited

On December 3rd 2025, a new maximum-CVSS software flaw affecting React (aka ReactJS) exploded onto the cybersecurity landscape. Dubbed React2Shell, CVE-2025-55182 is already actively exploited. Users are urged to verify their exposure and patch immediately if affected. React is the most popular JavaScript library for building modern web-application user interfaces (UIs), so the global impact could be widespread. A free trial of Greenbone’s OPENVAS BASIC is available for defenders to scan their enterprise IT infrastructure for emerging threats, such as React2Shell.

Critical: React2Shell

CVE-2025-55182 (CVSS 10.0) allows unauthenticated server-side remote code execution (RCE) in default configurations of React 19. The flaw exists in the React Server Components (RSC) “Flight” protocol. RSC is a framework and set of libraries that enable React 19 apps to pass application logic back to the server for processing rather than execution in the client browser. The Flight protocol is React’s serialization format for transporting RSC payloads.

React2Shell allows Flight payloads to be unsafely deserialized on the server [CWE-502], enabling unauthenticated shell command execution. Exploitation potentially offers attackers full compromise of the target, including remote control.

The threat landscape is active and escalating. AWS was the first cloud vendor to attribute active exploitation. Since then, multiple IaaS vendors have reported active attacks. Reports have uncovered campaigns seeking to install remote access tools [T1219], proxy traffic relays [T1090], and botnet agents [T1583.004], and to leverage infected hosts for cryptocurrency mining [T1496]. GreyNoise has tracked hundreds of unique IP addresses attempting exploitation and The Shadowserver Foundation reports ~160,000 vulnerable instances globally.

The flaw has been added to CISA’s Known Exploited Vulnerabilities (KEV) list, and numerous other national CERT alerts have been issued globally for CVE-2025-55182 [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17]. Several public PoC exploits are available [18][19][20], including one from Lachlan Davidson [21], the security researcher who identified and disclosed the React2Shell flaw. These public PoCs increase the risk of evolving attacks.

How Does React2Shell (CVE-2025-55182) Work?

JavaScript prototype pollution [CWE-1321] was found to be possible in React 19 because the deserialization logic did not sufficiently validate serialized object parameters. When RSC reconstructs JavaScript objects from Flight payloads, attacker-controlled special keys can misconfigure the prototype chain. This can cause runtime changes beyond the immediately reconstructed object. In the case of CVE-2025-55182, this includes calling native Node.js functions such as child_process.execSync to execute shell commands on the target server.
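To make the CWE-1321 mechanism concrete, here is an added example that is not React's code and does not reproduce the Flight protocol: a toy object-reconstruction routine written in the vulnerable style beside a hardened one. The payload string is constructed for the demonstration. It shows how a single attacker-controlled key in a deserializer can write into a shared prototype and change the behaviour of unrelated objects created later, which is exactly why such keys must be rejected before any property is assigned.

```javascript
// Added example (not React's or Next.js's code): a naive "rebuild an object
// from a parsed payload" routine (CWE-1321 style) beside a hardened version.

// Vulnerable: copies every key from the parsed payload into the target and
// recurses into nested objects. On a plain object, target["__proto__"]
// resolves to Object.prototype, so the recursion writes into the shared
// prototype instead of the object being built.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === undefined || target[key] === null) target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that name the prototype chain rather than ordinary data.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened: reject prototype-chain keys outright, only descend into
// properties the target itself owns, and build nested containers without a
// prototype so there is nothing shared to reach.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected prototype-chain key: ${key}`);
    }
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== "object") {
        target[key] = Object.create(null);
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload: JSON.parse creates an own property literally named
// "__proto__", which a naive merge then treats like any other key.
const POLLUTING_PAYLOAD = '{"name":"report","__proto__":{"isAdmin":true}}';

// Runs one merge routine against the payload and reports whether an
// unrelated object created afterwards picked up the injected property.
function demonstrate(mergeFn) {
  const parsed = JSON.parse(POLLUTING_PAYLOAD);
  const result = { ok: true };
  let error = null;
  try {
    mergeFn(result, parsed);
  } catch (e) {
    error = e.message;
  }
  const bystander = {}; // has nothing to do with the merge
  const polluted = bystander.isAdmin === true;
  delete Object.prototype.isAdmin; // undo any pollution so the process stays sane
  return { polluted, error };
}

console.log("unsafe:", demonstrate(mergeUnsafe), "safe:", demonstrate(mergeSafe));
```

The unsafe run reports `polluted: true` with no error; the hardened run reports `polluted: false` and the rejection message. The same principle applies to any server-side deserializer: validate keys against an allow-list (or at least a deny-list of prototype-chain names) before assignment, and build reconstructed objects on prototype-less containers.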

What Products Are Affected by React2Shell (CVE-2025-55182)?

According to official advisories from React [1][2], React2Shell impacts the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack components of React versions 19.0, 19.1.0, 19.1.1, and 19.2.0. These components are enabled in the default configuration. React2Shell also impacts major frameworks that include React 19’s RSC, such as the very popular Next.js web framework.

React 19.0.0, released on December 5th 2024, was the first release to include non-experimental RSC functionality. This means that CVE-2025-55182 largely affects newer websites and organizations that diligently upgrade their web server infrastructure. Because RSC is enabled by default, all endpoints are potentially vulnerable, even if Server Functions are not implemented.

According to the official react.dev blog post, other affected frameworks include:

Mitigating React2Shell (CVE-2025-55182)

Website back-end developers should assess their infrastructure to determine whether React 19 is part of their web stack. To detect vulnerable instances, the OPENVAS ENTERPRISE FEED includes a remote version check for Vercel Next.js and an active check that sends an HTTP request to verify whether targets are vulnerable.

The strongest mitigation is to upgrade to a patched version of React in your release line: React 19.0.1, 19.1.2, or 19.2.1. Exploitation can also be mitigated via a web-application firewall (WAF), and many cloud IaaS providers have published WAF rules for mitigation [1][2][3][4][5].

The patched versions of React and Next.js for each release line are:

Users of Next.js 14.3.0-canary.77 or a later canary release should downgrade to the latest stable 14.x release. According to the official advisory from Next.js, Next.js 13.x, Next.js 14.x stable, Pages Router applications, and the Edge Runtime are not affected. Instructions for updating other affected third-party frameworks are available in React’s official advisory.

Summary

React2Shell (CVE-2025-55182) is a CVSS 10.0, unauthenticated RCE in the React 19 Server Components Flight protocol. The root cause is unsafe server-side deserialization in the Flight protocol. React2Shell also impacts major frameworks that include React 19’s RSC, such as the very popular Next.js web framework.

The vulnerability is considered actively exploited, with publicly available PoCs and a broad number of national CERT advisories globally. Defenders should conduct an exposure assessment and, if possible, implement WAF rules to temporarily mitigate exploitation, while planning urgent upgrades to patched versions of React 19 and other affected frameworks in use. A free trial of Greenbone’s OPENVAS BASIC is available for defenders to scan their enterprise IT infrastructure for emerging threats such as React2Shell.