React2Shell (CVE-2025-55182): Critical RCE Impacting React and Next.js

  • Alex Waintraub
  • 2 days ago
  • 3 min read

This report was developed by the DTG Threat Management Team, with analysis contributions from Darrel Inness and Alex Waintraub.


Discovery and Disclosure

On December 3, 2025, the React team disclosed CVE-2025-55182, a maximum‑severity (CVSS 10.0) remote code execution vulnerability in React Server Components, now widely referred to as “React2Shell.” The flaw enables unauthenticated attackers to trigger server‑side code execution with a single crafted HTTP request against common React and Next.js deployments.
React2Shell was discovered and responsibly disclosed by security researcher Lachlan Davidson, who reported the issue to Meta’s bug bounty program on November 29, 2025. Davidson publicly documents the timeline and technical context on the dedicated react2shell site, confirming the initial private disclosure and subsequent coordinated release with the React and Vercel teams. This early, coordinated response allowed core maintainers and major cloud providers to prepare patches and mitigations before full public exploitation ramped up.
Technical Overview

CVE-2025-55182 is an unsafe deserialization flaw in the React Server Components “Flight” protocol, which is used to serialize component trees, state, and server function calls between browser and server. Vulnerable versions of the RSC stack insufficiently validate incoming Flight payloads, allowing attackers to smuggle crafted structures that reach privileged JavaScript objects and APIs on the server. Under the right conditions, this devolves into prototype pollution and access to dangerous primitives like child_process.execSync, resulting in full remote code execution.

Affected software includes React 19.0.0, 19.1.0, 19.1.1, and 19.2.0, the packages react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack, and frameworks that embed RSC such as Next.js, React Router, Waku, and others. Importantly, applications can be exposed even if developers never explicitly defined React Server Function endpoints, because default RSC support in frameworks like the Next.js App Router still wires up the vulnerable code paths.
Attack Flow and Exploitation

In typical attacks, threat actors first identify public RSC or Next.js endpoints such as /_next/flight or related data routes exposed by default framework wiring. They then send a malicious HTTP POST containing a syntactically valid but semantically crafted Flight payload that injects unexpected object properties or identifiers into the deserialization process. When processed, the server hydrates attacker-controlled structures into internal RSC execution paths, ultimately causing execution of arbitrary shell commands or code under the web server’s context.

Security vendors and threat intel teams have already observed mass scanning and active exploitation activity, including from China‑nexus groups such as Earth Lamia and Jackpot Panda, leveraging both public proof‑of‑concepts and iterative manual payload tuning. Public PoC repositories and exploit write‑ups surfaced within a day of coordinated disclosure, dramatically lowering the barrier for commodity attackers and ransomware operators.
Impact at Scale

Cloud and application security analyses indicate that React2Shell affects a substantial fraction of current production workloads, with one estimate placing vulnerable React/Next.js stacks in roughly 39% of observed cloud environments and nearly half of those directly internet‑exposed. Because the exploit is unauthenticated and low‑complexity, it cleanly maps to MITRE ATT&CK techniques Exploit Public‑Facing Application (T1190) and Command and Scripting Interpreter (T1059) as an Initial Access and Execution vector. Successful exploitation grants attackers arbitrary code execution on the underlying host or container, enabling data theft, lateral movement staging, cryptomining, or rapid ransomware deployment.

React has released patched versions 19.0.1, 19.1.2, and 19.2.1, and ecosystem maintainers such as Vercel have rolled out fixes and platform‑level mitigations for managed Next.js deployments. Nonetheless, self‑hosted and older environments remain at high risk until explicitly upgraded and validated.
DTG Recommendations

Immediate remediation:

  • Upgrade React to 19.0.1, 19.1.2, or 19.2.1, and update Next.js and all RSC‑dependent frameworks to their latest security‑patched releases.

  • Deploy emergency scans across internet‑facing assets to detect vulnerable RSC/Next.js endpoints and associated libraries.

  • Implement or update WAF rules to detect and block suspicious Flight payload patterns and anomalous POST bodies to /_next/flight and related routes.
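To support the upgrade and scanning steps above, the following is an added example (not code from the DTG report or from the React project): it classifies React build versions against the affected and patched releases this report lists and walks a package-lock.json v3 "packages" map for the listed packages. The sample lockfile is constructed, and the script assumes the react-server-dom-* packages carry the same version numbers as React.

```javascript
// Added example (not from the DTG report or the React project): classify
// React build versions against the affected/patched releases the report lists
// and walk a package-lock.json v3 "packages" map for them.
// Assumption: the react-server-dom-* packages use React's version numbers.

const AFFECTED_PACKAGES = new Set(['react', 'react-server-dom-webpack',
  'react-server-dom-parcel', 'react-server-dom-turbopack']);

// First patched patch-level per 19.x minor line: 19.0.1, 19.1.2, 19.2.1.
const FIRST_PATCHED_BY_MINOR = { 0: 1, 1: 2, 2: 1 };

// Returns 'vulnerable', 'patched' or 'unknown' (a line this table does not cover).
function classifyReactVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return 'unknown';
  const [major, minor, patch] = m.slice(1).map(Number);
  if (major !== 19 || !(minor in FIRST_PATCHED_BY_MINOR)) return 'unknown';
  return patch >= FIRST_PATCHED_BY_MINOR[minor] ? 'patched' : 'vulnerable';
}

// Lockfile keys look like "node_modules/react" or
// "node_modules/next/node_modules/react"; the last segment is the package name.
function findAffected(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!AFFECTED_PACKAGES.has(name) || !entry.version) continue;
    if (classifyReactVersion(entry.version) === 'vulnerable') {
      hits.push({ path, name, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/react': { version: '19.1.1' },
    'node_modules/react-server-dom-webpack': { version: '19.1.1' },
    'node_modules/react-server-dom-parcel': { version: '19.2.1' },
    'node_modules/next/node_modules/react': { version: '19.0.0' },
  },
};

console.log(findAffected(SAMPLE_LOCK)); // three vulnerable entries in the sample
```

Run it against the real lockfile with JSON.parse(fs.readFileSync('package-lock.json')) and treat a non-empty result, including nested copies under other packages, as a host to upgrade.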

Detection and incident response:

  • Hunt for unusual POST patterns, high‑entropy request bodies, or failed deserialization errors targeting RSC endpoints starting from December 3, 2025.

  • Correlate web logs with runtime telemetry for unexpected child_process or equivalent process‑spawn activity in React/Next.js services.

  • If exploitation is suspected, treat affected hosts as compromised: isolate, capture forensic images, rotate secrets, and review IAM roles and lateral movement paths.
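As an added example of the hunting steps above (not code from the DTG report), this script scans constructed JSON request logs for POSTs to /_next/flight on or after December 3, 2025 that returned a server error or carried a high-entropy body. The log field names, the route pattern, and the entropy threshold are assumptions to adapt to your own logging pipeline.

```javascript
// Added example (not from the DTG report): a first-pass hunt over JSON request
// logs for the indicators the report lists: POSTs to /_next/flight on or after
// the December 3, 2025 disclosure that hit a server error or carried a
// high-entropy body. Field names, route pattern and threshold are assumptions.

const RSC_ROUTE = /^\/_next\/flight(\/|\?|$)/; // extend with your framework's related data routes
const DISCLOSURE = Date.parse('2025-12-03T00:00:00Z');
const ENTROPY_THRESHOLD = 5.0; // bits per character; assumed starting point, tune per app

// Shannon entropy of a string in bits per character (0 for empty or uniform input).
function shannonEntropy(s) {
  if (!s.length) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Reasons one parsed log record is suspicious; an empty array means not flagged.
function suspicionReasons(rec) {
  const reasons = [];
  if (Date.parse(rec.ts) < DISCLOSURE) return reasons; // outside the hunt window
  if (rec.method !== 'POST' || !RSC_ROUTE.test(rec.path)) return reasons;
  if (rec.status >= 500) reasons.push('server error on RSC route');
  if (rec.body && shannonEntropy(rec.body) > ENTROPY_THRESHOLD) reasons.push('high-entropy body');
  return reasons;
}

// Parse JSON lines and keep only the flagged records with their reasons.
function huntRscLogs(lines) {
  return lines
    .map(line => ({ rec: JSON.parse(line) }))
    .map(x => ({ ...x, reasons: suspicionReasons(x.rec) }))
    .filter(x => x.reasons.length > 0);
}
// Constructed sample log lines (not real traffic). The last body is a stand-in
// for an opaque blob: 64 distinct characters give 6 bits/char of entropy.
const SAMPLE_LOGS = [
  { ts: '2025-12-02T10:00:00Z', method: 'POST', path: '/_next/flight', status: 500, body: '{"page":1}' },
  { ts: '2025-12-04T10:00:00Z', method: 'GET', path: '/_next/flight', status: 200, body: '' },
  { ts: '2025-12-04T10:01:00Z', method: 'POST', path: '/_next/flight', status: 200, body: '{"page":1}' },
  { ts: '2025-12-04T10:02:00Z', method: 'POST', path: '/_next/flight', status: 500, body: '{"page":1}' },
  { ts: '2025-12-04T10:03:00Z', method: 'POST', path: '/_next/flight?x', status: 200,
    body: '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/' },
].map(r => JSON.stringify(r));
```

Feed real JSON-per-line access logs to huntRscLogs and pivot each flagged record into runtime telemetry for the process-spawn activity described in the next bullet.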

Given the severity of CVE‑2025‑55182, the unauthenticated exploit path, and the rapid adoption by both state‑aligned and criminal actors, DTG classifies React2Shell as a Priority‑1 issue requiring immediate out‑of‑band patching and focused threat hunting.

Clients can contact DTG’s Incident Response team for tailored scanning, log review, and containment support aligned to their React and Next.js deployments.