📌 React2Shell (CVE-2025-55182)
React2Shell is the informal name given to a critical Remote Code Execution (RCE) vulnerability affecting React Server Components (RSC) and related frameworks like Next.js. Its severity and potential impact have made it a major concern in the web development and security communities. [react2shell.com]
🧠 1. What Is React2Shell?
- Name: React2Shell
- CVE ID: CVE-2025-55182 (often discussed together with CVE-2025-66478, a duplicate Next.js CVE) [react2shell.com]
- Severity: Maximum (CVSS score 10.0) [react2shell.com]
- Type: Remote Code Execution (RCE) via unsafe deserialization in server components [Microsoft]
- Origin: Disclosed by Lachlan Davidson in late November 2025 and publicly announced in early December 2025. [Amazon Web Services, Inc.]

React2Shell is named with a nod to past major vulnerabilities like Log4Shell, due to its widespread impact potential on web applications. [research.jfrog.com]
🧰 2. Affected Systems
React2Shell impacts React Server Components (RSC) and any ecosystem that implements them, including:
- React 19.x server component packages:
  - react-server-dom-webpack
  - react-server-dom-parcel
  - react-server-dom-turbopack
- Frameworks built on RSC, such as:
  - Next.js (App Router)
  - React Router
  - Waku
  - Expo
  - Redwood SDK (depending on how RSC is used) [Dynatrace]
⚠️ 3. Impact
React2Shell lets an attacker send a specially crafted HTTP request to a React Server Component endpoint. Because of flawed input validation and unsafe deserialization in the RSC “Flight” protocol, that malicious data can be deserialized and lead to full remote code execution on the server, even without authentication. [Microsoft]
This means an attacker can:
- Run arbitrary code on your server
- Steal data or credentials
- Deploy malware or cryptominers
- Move laterally inside networks
All of this without a login. [sysdig.com]
🛠 4. How Exploits Work
The core weakness lies in how React Server Components deserialize incoming payloads using the Flight protocol. Attackers craft a payload that manipulates the internal handling logic, bypassing normal trust checks and leading to command execution on the host. [Qualys]
There are even public proof-of-concept (PoC) exploits and scanners available to detect vulnerable setups. [GitHub]
🚨 5. Real-World Exploitation
React2Shell has already seen active exploitation in the wild:
- State-linked groups (e.g., China-nexus actors) have been observed targeting vulnerable endpoints soon after disclosure. [TechRadar]
- Threat intelligence from multiple vendors indicates campaigns deploying cryptominers, backdoors, and post-exploitation tools after successful exploitation. [Google Cloud]
This rapid weaponization is similar to high-profile bugs like Log4Shell, where attackers quickly scanned for and exploited exposed systems. [PortSwigger]
🧩 6. Affected Versions & Fixed Releases
Vulnerable Versions
- React RSC packages (react-server-dom-*):
  - 19.0, 19.1.0, 19.1.1, 19.2.0
- Next.js App Router:
  - releases older than the patched versions listed below (15.0.5, 15.1.9, etc., up to certain 16.x releases; the specific list varies by advisory) [Dynatrace]
Patched Versions (recommended)
- React Server Components:
  - 19.0.1
  - 19.1.2
  - 19.2.1
- Next.js:
  - 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 (per official advisories) [Dynatrace]
🛡 7. Mitigation & Best Practices
To defend against React2Shell:
- Update dependencies immediately to the patched versions above. [Dynatrace]
- Audit your codebase for RSC usage and isolate or remove unneeded server functions.
- Use security tools (WAF, SIEM, vulnerability scanners) to detect abnormal requests. [Microsoft]
- Monitor publicly disclosed exploit detection signatures (e.g., payload patterns). [Vercel]
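The first two mitigation steps (patch, and find out where RSC packages are actually installed) are easiest to act on if you can audit a lockfile against the version lists in section 6. The script below is an added example for that, not code from the page, from the React project or from Vercel. It reads an npm package-lock.json (lockfile v1 nested tree or v2/v3 flat "packages" map; these layout assumptions are mine), checks every copy of next and of the three react-server-dom-* packages, and reports each as vulnerable, patched, or unknown. "Unknown" is deliberate for any minor line the section-6 list does not name (for example Next.js 14.x or an unlisted 16.x line), because the page itself says the exact list varies by advisory. Transitive installs matter here: frameworks such as React Router, Waku, Expo and Redwood pull react-server-dom-* in as dependencies, so a lockfile walk catches them too. SAMPLE_LOCK is a constructed input; the core react package is not assessed, since the page names the react-server-dom-* packages as the affected RSC packages.

```javascript
'use strict';
// Added example: audit a package-lock.json for React2Shell (CVE-2025-55182)
// exposure using the vulnerable/patched version lists from the summary above.
// Usage: node audit-react2shell.js [path/to/package-lock.json]
// With no path given, the constructed SAMPLE_LOCK below is audited.

// Patched release per minor line (from the "Patched Versions" list above).
// Any version on the same minor line but below the listed release is exposed.
const PATCHED_RSC = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };
const PATCHED_NEXT = {
  '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6', '15.3': '15.3.6',
  '15.4': '15.4.8', '15.5': '15.5.7', '16.0': '16.0.7',
};
const RSC_PACKAGES = new Set([
  'react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack',
]);

// Parse "MAJOR.MINOR.PATCH" (pre-release suffixes are ignored); null if unparseable.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric comparison, so 15.10.0 sorts after 15.9.9 (a string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Classify one installed package. Packages outside the advisory scope are 'not-applicable'.
function assessPackage(name, version) {
  let table;
  if (RSC_PACKAGES.has(name)) table = PATCHED_RSC;
  else if (name === 'next') table = PATCHED_NEXT;
  else return { name, version, status: 'not-applicable' };

  const parsed = parseVersion(version);
  if (!parsed) return { name, version, status: 'unknown', reason: 'unparseable version' };
  const line = `${parsed[0]}.${parsed[1]}`;
  const fixed = table[line];
  if (!fixed) {
    return { name, version, status: 'unknown',
      reason: `no fixed release listed for the ${line}.x line; consult the vendor advisory` };
  }
  return compareVersions(version, fixed) < 0
    ? { name, version, status: 'vulnerable', fixed }
    : { name, version, status: 'patched', fixed };
}

// Walk an npm lockfile (v1 nested tree or v2/v3 flat map) and collect findings
// for every distinct name@version of an in-scope package, nested copies included.
function auditLockfile(lock) {
  const findings = [];
  const seen = new Set();
  const record = (name, version) => {
    const key = `${name}@${version}`;
    if (seen.has(key)) return;
    seen.add(key);
    const f = assessPackage(name, version);
    if (f.status !== 'not-applicable') findings.push(f);
  };
  // lockfileVersion 2/3: keys are install paths such as "node_modules/a/node_modules/next".
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path || !meta || !meta.version) continue; // "" is the root project entry
    const marker = 'node_modules/';
    record(path.slice(path.lastIndexOf(marker) + marker.length), meta.version);
  }
  // lockfileVersion 1: nested "dependencies" objects.
  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (meta && meta.version) record(name, meta.version);
      if (meta && meta.dependencies) walk(meta.dependencies);
    }
  };
  walk(lock.dependencies);
  return findings;
}

// Constructed sample lockfile: one exposed Next.js, one exposed and one patched RSC package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/next': { version: '15.3.2' },
    'node_modules/react': { version: '19.1.1' },
    'node_modules/react-server-dom-webpack': { version: '19.1.1' },
    'node_modules/some-lib/node_modules/react-server-dom-turbopack': { version: '19.2.1' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

function main() {
  const path = process.argv[2];
  const lock = path ? JSON.parse(require('fs').readFileSync(path, 'utf8')) : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) {
    const detail = f.fixed ? `fixed in ${f.fixed}` : f.reason;
    console.log(`${f.status.toUpperCase().padEnd(10)} ${f.name}@${f.version} (${detail})`);
  }
}

if (typeof require !== 'undefined' && require.main === module) main();
```

Run it against a real lockfile (or a `yarn.lock`/`pnpm-lock.yaml` once converted to the npm format) in CI and fail the build on any `VULNERABLE` line; treat `UNKNOWN` as a prompt to read the current advisory rather than as a pass.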
🧾 8. Summary
React2Shell is:
- A critical RCE bug in React Server Components and related stacks. [react2shell.com]
- Exploitable without authentication, just via crafted requests. [Microsoft]
- Actively exploited in the wild by multiple threat actors. [Google Cloud]
- Fixed in later versions — patch immediately. [Dynatrace]