A critical remote code execution flaw, tracked as CVE-2025-55182 and dubbed React2Shell, affects React Server Components in the React 19 ecosystem and popular frameworks like Next.js.
Attackers can exploit it via unauthenticated HTTP requests to execute arbitrary code on servers; it is rated CVSS 10.0.
Default configurations of standard applications remain at risk until patched, with public exploits now circulating and active attacks confirmed.
The vulnerability originates in the react-server package’s handling of the React Server Components (RSC) “Flight” protocol.
Servers process incoming RSC payloads, which represent server-rendered components sent over HTTP.
Due to inadequate validation, a crafted, malformed payload slips through deserialization checks.
This allows attackers to manipulate server-side JavaScript execution paths, invoking privileged functions without authentication.
Exploitation targets endpoints for Server Functions or RSC streams. A remote attacker sends a specially crafted request that React incorrectly decodes, leading to code injection.
Researchers report near-perfect success rates in tests, as the flaw hits core payload logic used in production builds from tools like create-next-app.
Even apps without explicit Server Functions can be exposed if RSC support exists.
| Affected Product | Vulnerable Versions | Patched Versions |
|---|---|---|
| react-server-dom-* | 19.0.x, 19.1.x, 19.2.x | 19.0.1, 19.1.2, 19.2.1 |
| Next.js (App Router) | 14.3.0-canary.77+, 15.x, 16.x | 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 |
| Other (e.g., Vite RSC, React Router) | Bundling vulnerable react-server | Latest framework updates |
Exploitation surged after public proof-of-concepts emerged around December 4, 2025.
Security firms like Wiz, GreyNoise, and AWS report widespread scans and compromises starting December 5, targeting exposed Next.js apps and Kubernetes pods.
Attackers pivot post-breach to steal cloud credentials from metadata services, deploy XMRig cryptominers, or install malware like Sliver.
Wiz scans show that 39% of cloud environments host vulnerable instances, and 44% expose public Next.js apps.
Patch immediately by upgrading React packages and frameworks to the listed versions via npm.
For Next.js, run a targeted install matching your release line, such as `npm install next@15.0.5`.
Temporarily turn off RSC endpoints if patching is delayed, and scan inventories for exposures; tools from Wiz, Dynatrace, and others help detect vulnerable deployments and anomalous post-exploit activity.
Google Cloud images are not affected in their default configuration. Organizations must prioritize this outside regular patch cycles, as China-nexus groups and opportunistic attackers accelerate targeting.
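To support the inventory scan above, here is an added example (not from the advisory or the React project) that checks lockfile entries against the vulnerable and patched versions in the table; the patched-version floors are taken from the table, and the lockfile snippet is constructed for the demo.

```javascript
// Added example: flag package versions inside the affected ranges from the table.
// PATCHED maps family -> major -> minor -> first patched [major, minor, patch].
const PATCHED = {
  'react-server-dom': { 19: { 0: [19, 0, 1], 1: [19, 1, 2], 2: [19, 2, 1] } },
  next: { 15: { 0: [15, 0, 5], 1: [15, 1, 9], 2: [15, 2, 6], 3: [15, 3, 6],
                4: [15, 4, 8], 5: [15, 5, 7] }, 16: { 0: [16, 0, 7] } },
};
// Parse "16.0.3" or "14.3.0-canary.77"; a leading ^ ~ = or v range marker is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([\w.]+))?/.exec(v.replace(/^[\^~=v]/, ''));
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}
// Compare two [major, minor, patch] triples numerically.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// True when package@version falls in a vulnerable range from the table.
function isVulnerable(name, version) {
  const p = parseVersion(version);
  if (!p) return false;
  // react-server-dom-webpack / -parcel / -turbopack all bundle the same react-server code
  const family = name.startsWith('react-server-dom-') ? 'react-server-dom' : name;
  if (family === 'next' && p.major === 14 && p.minor === 3 && p.patch === 0 && p.pre) {
    // 14.3.0-canary.77 and later canaries are affected; no patched 14.3 build is listed
    const n = /^canary\.(\d+)$/.exec(p.pre);
    return !!n && +n[1] >= 77;
  }
  const line = PATCHED[family] && PATCHED[family][p.major];
  if (!line || !(p.minor in line)) return false; // minor line not in the table: not judged
  const c = cmp([p.major, p.minor, p.patch], line[p.minor]);
  // a prerelease of the patched version (19.2.1-canary.x) still predates the fix
  return c < 0 || (c === 0 && p.pre !== null);
}
// Constructed package-lock.json "packages" entries for the demo.
const SAMPLE_LOCK = {
  'node_modules/next': { version: '15.4.2' },
  'node_modules/react-server-dom-webpack': { version: '19.2.0' },
  'node_modules/react': { version: '19.2.0' },
};
// Return "name@version" for every lockfile entry in a vulnerable range.
function auditLock(lock) {
  return Object.entries(lock)
    .map(([path, { version }]) => [path.replace(/^node_modules\//, ''), version])
    .filter(([name, version]) => isVulnerable(name, version))
    .map(([name, version]) => `${name}@${version}`);
}
console.log(auditLock(SAMPLE_LOCK)); // [ 'next@15.4.2', 'react-server-dom-webpack@19.2.0' ]
```

Point `auditLock` at the parsed `packages` object of a real package-lock.json to audit a project; entries whose minor line is absent from the table are reported as not judged rather than safe.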