Overview

CVE-2025-55182, dubbed React2Shell, is a critical unauthenticated remote code execution vulnerability in React Server Components (RSC). Disclosed on December 3rd, 2025, it carries a CVSS score of 10.0 — the maximum possible — and was actively exploited in the wild within days of public disclosure.

The vulnerability affects any application using React Server Components, with Next.js being the most widely impacted framework given its popularity.

Affected Versions

Package        Vulnerable Versions                Patched Version
react-server   19.0, 19.1.0, 19.1.1, 19.2.0       19.0.1, 19.1.2, 19.2.1
next           13.3.x, 13.4.x, 13.5.x, 14.x       14.2.35

The vulnerability also affects any framework bundling the react-server package, including React Router, Waku, RedwoodSDK, and Vite/Parcel RSC plugins.

Root Cause — Insecure Deserialization

React Server Components use a protocol called Flight to serialize and transmit component data between the server and client. The vulnerability lives in how the react-server package processes incoming Flight requests.

When a server receives a POST request containing a crafted, malformed Flight payload, it fails to properly validate the structure before deserializing it. Because the RSC architecture implicitly trusts data passed between its components, attacker-controlled input is deserialized and executed directly under the Node.js runtime.

In short — the server runs whatever you send it.

Key properties that make this particularly nasty:

  • No authentication required — any unauthenticated attacker can exploit it
  • Default configurations are vulnerable — a standard create-next-app production build is exploitable with zero code changes
  • Single HTTP request — exploitation requires only one crafted POST request
  • Near 100% reliability — researchers reported consistent exploitation success rates

Attack Flow

Attacker
  │
  └─► POST /api/endpoint HTTP/1.1
        Content-Type: text/x-component
        Body: [malformed RSC Flight payload]
                │
                ▼
          react-server deserializes payload
                │
                ▼
          Attacker-controlled JS executes
          under Node.js on the server
                │
                ▼
          RCE achieved ✓

Post-Exploitation Activity Observed in the Wild

Google Threat Intelligence and others observed multiple distinct campaigns exploiting this vulnerability shortly after public PoC release. Post-exploitation activity included:

  • Reconnaissance — Base64-encoded commands to fingerprint OS (uname), privilege level (id), and network interfaces (hostname)
  • Credential harvesting — enumeration of the filesystem for secrets and .env files
  • Crypto miners — XMRIG deployment was the most common opportunistic payload
  • Backdoors — more targeted campaigns deployed HISONIC and COMPOOD backdoors
  • Downloaders — SNOWLIGHT downloader and MINOCAT tunneler observed in espionage-linked campaigns

Wiz Research observed exploitation beginning as early as December 5th, 2025, roughly 48 hours after public disclosure.

Detection

Look for anomalous POST requests to Server Function endpoints with text/x-component content types, particularly from unexpected sources. Suspicious post-exploitation indicators include:

# Processes spawned by Node.js that shouldn't be
node -> sh -> curl/wget -> [external IP]
node -> sh -> uname -a
node -> sh -> id
node -> sh -> cat /etc/resolv.conf

# Unexpected outbound connections from web server processes
# Review logs for curl/wget initiated by node processes
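
As an added example (not code from the original advisory), the following Node.js helper turns the two detection ideas above into something that can be run over logs: it flags POST requests carrying a text/x-component content type whose source is not on an allow-list of expected clients, and it flags process ancestry chains of the shape node -> sh -> curl/wget/uname/id/cat. The JSON-lines access log format, the process event fields and the allow-list are assumptions for this example; the sample data is constructed.

```javascript
// Added example, not part of the original advisory.
// Assumptions: access log is JSON lines with fields ts/method/path/ctype/src;
// process events carry pid/ppid/exe. Adapt the field names to your own telemetry.

// Tools that the advisory lists as spawned via node -> sh during post-exploitation.
const SUSPICIOUS_CHILDREN = new Set(['curl', 'wget', 'uname', 'id', 'cat']);

// Constructed sample access log (not real traffic).
const SAMPLE_ACCESS_LOG = `
{"ts":"2025-12-05T10:01:02Z","method":"POST","path":"/","ctype":"text/x-component","src":"10.0.0.12"}
{"ts":"2025-12-05T10:01:05Z","method":"GET","path":"/about","ctype":"","src":"203.0.113.7"}
{"ts":"2025-12-05T10:01:09Z","method":"POST","path":"/dashboard","ctype":"text/x-component","src":"203.0.113.7"}
{"ts":"2025-12-05T10:01:15Z","method":"POST","path":"/api/login","ctype":"application/json","src":"203.0.113.9"}
`.trim();

// Constructed sample process-creation events (not real telemetry).
const SAMPLE_PROCESS_EVENTS = [
  { pid: 100, ppid: 1, exe: 'node' },
  { pid: 101, ppid: 100, exe: 'sh' },
  { pid: 102, ppid: 101, exe: 'curl' },  // node -> sh -> curl: suspicious
  { pid: 103, ppid: 100, exe: 'sh' },
  { pid: 104, ppid: 103, exe: 'id' },    // node -> sh -> id: suspicious
  { pid: 105, ppid: 100, exe: 'node' },  // benign: node spawning a node worker
  { pid: 200, ppid: 1, exe: 'bash' },
  { pid: 201, ppid: 200, exe: 'curl' },  // benign: operator shell, not a node ancestor
];

// Returns the log entries that are POSTs with a text/x-component content type
// from a source not on the allow-list. Legitimate RSC clients also send such
// requests, so the allow-list (or a traffic baseline) is what makes this useful.
function findSuspiciousRscPosts(logText, allowedSources) {
  const allowed = new Set(allowedSources);
  return logText
    .split('\n')
    .filter((line) => line.trim().length > 0)
    .map((line) => JSON.parse(line))
    .filter(
      (e) =>
        e.method === 'POST' &&
        String(e.ctype).toLowerCase().startsWith('text/x-component') &&
        !allowed.has(e.src)
    );
}

// Walks each suspicious tool back two generations and reports chains where a
// node process spawned sh, which spawned the tool. Returns strings such as
// "node -> sh -> curl", in event order.
function findNodeShellChains(events) {
  const byPid = new Map(events.map((e) => [e.pid, e]));
  const hits = [];
  for (const ev of events) {
    if (!SUSPICIOUS_CHILDREN.has(ev.exe)) continue;
    const parent = byPid.get(ev.ppid);
    const grand = parent ? byPid.get(parent.ppid) : undefined;
    if (parent && grand && parent.exe === 'sh' && grand.exe === 'node') {
      hits.push(`${grand.exe} -> ${parent.exe} -> ${ev.exe}`);
    }
  }
  return hits;
}

console.log(findSuspiciousRscPosts(SAMPLE_ACCESS_LOG, ['10.0.0.12']));
console.log(findNodeShellChains(SAMPLE_PROCESS_EVENTS));
```

The allow-list is the important knob: the content type alone is normal for RSC traffic, so this check only becomes a signal once you know which sources are expected to issue Server Function POSTs. The process-chain check is deliberately narrow (exactly node -> sh -> tool) to match the patterns listed above; widen it if your runtime uses a different shell.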

Remediation

Patch immediately. There is no workaround — upgrading is the only fix.

# Next.js
npm install next@14.2.35

# React packages
npm install react@19.0.1 react-dom@19.0.1
# or
npm install react@19.1.2 react-dom@19.1.2
# or
npm install react@19.2.1 react-dom@19.2.1

# Quick automated patch for Next.js
npx fix-react2shell-next
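
Before running the upgrade commands above, it helps to know which of your deployments are actually on a listed vulnerable line. The following is an added example (not the advisory's or Vercel's tooling) that encodes the Affected Versions table and the patched versions from this page and classifies a package.json-style dependency map against them. The dependency object is constructed; a version range such as ^19.2.0 is interpreted at its lower bound, which can overstate exposure, so for a real check feed it the exact versions from your lockfile or npm ls. Versions outside the lines listed on this page are reported as not-in-table rather than safe.

```javascript
// Added example, not part of the original advisory.
// Patched versions exactly as listed above, keyed by release line.
const PATCHED = {
  react: { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' },
  next: { '14': '14.2.35' }, // 13.3.x-13.5.x have no 13.x patch listed; upgrade to 14.2.35
};

// Strips a leading ^ ~ = or v and returns [major, minor, patch] as numbers.
// Ranges are therefore read at their lower bound (assumption, see lead-in).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).replace(/^[\^~=v]+/, ''));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Comparator semantics: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Classifies one package version as 'vulnerable', 'patched' or 'not-in-table'.
// 'not-in-table' means this page lists nothing for that line; check the vendor
// advisory rather than treating it as safe.
function classify(pkg, version) {
  const [major, minor] = parseVersion(version);
  if (pkg === 'react' || pkg === 'react-dom' || pkg === 'react-server') {
    const fixed = PATCHED.react[`${major}.${minor}`];
    if (!fixed) return 'not-in-table';
    return compareVersions(version, fixed) >= 0 ? 'patched' : 'vulnerable';
  }
  if (pkg === 'next') {
    if (major === 13 && minor >= 3) return 'vulnerable';
    if (major === 14) {
      return compareVersions(version, PATCHED.next['14']) >= 0 ? 'patched' : 'vulnerable';
    }
    return 'not-in-table';
  }
  return 'not-in-table';
}

// Returns a map of findings for the packages this page covers; other
// dependencies are ignored.
function checkDependencies(deps) {
  const findings = {};
  for (const [pkg, version] of Object.entries(deps)) {
    if (['react', 'react-dom', 'react-server', 'next'].includes(pkg)) {
      findings[pkg] = classify(pkg, version);
    }
  }
  return findings;
}

// Constructed sample dependency map, as found in a package.json.
const SAMPLE_DEPS = {
  next: '14.2.3',
  react: '^19.2.0',
  'react-dom': '^19.2.0',
  express: '4.19.2',
};

console.log(checkDependencies(SAMPLE_DEPS));
```

A result of vulnerable for any of react, react-dom or next means the upgrade commands above apply; after upgrading, rerun the check against the lockfile so the resolved versions, not the declared ranges, are what is verified.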

After patching and redeploying, rotate all application secrets — any environment variables, API keys, or credentials accessible to the server process should be considered compromised if the application was exposed while unpatched.

Follow-On CVEs

As is common after high-profile disclosures, increased scrutiny led to additional vulnerabilities being found in the same codebase:

CVE               Severity       Type                              Patched In
CVE-2025-55183    Medium (5.3)   Source code exposure              19.2.2
CVE-2025-55184    High (7.5)     Denial of Service                 19.2.3
CVE-2025-67779    High (7.5)     DoS (incomplete fix for 55184)    19.2.3
CVE-2026-23864    High (7.5)     DoS (additional cases)            19.0.4, 19.1.5, 19.2.4

Takeaways

React2Shell is a textbook example of why insecure deserialization consistently makes the OWASP Top 10. The RSC Flight protocol trusted serialized data from the network without sufficient validation — a fundamental design oversight that resulted in the worst possible CVSS score.

The fact that default configurations were vulnerable means the blast radius was enormous. With Next.js present in roughly 20% of web applications and 39% of cloud environments containing vulnerable React versions, this was as close to a mass exploitation event as it gets.

If you’re running any Next.js or React Server Components application — patch, rotate secrets, and review your logs.