React2Shell: The Critical RCE Vulnerability in React Server Components (CVE-2025-55182)
A CVSS 10.0 vulnerability that every Next.js and React developer needs to understand—and patch immediately.
Why This Matters
On December 3, 2025, the React team disclosed a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components. With a CVSS score of 10.0 (the maximum possible severity), this flaw allows attackers to execute arbitrary code on your server without any authentication.
If you're using Next.js 15.x, 16.x, or any framework that leverages React Server Components with the App Router, your application may be vulnerable right now. Proof-of-concept exploits are publicly available, and threat actors have already been observed exploiting this in the wild.
The vulnerability has been dubbed "React2Shell" by the security community—a nod to the infamous "Shellshock" vulnerability, reflecting its severity and ease of exploitation.
Understanding the Vulnerability
What Are React Server Components?
React Server Components (RSC) represent a paradigm shift in how React applications render. Instead of rendering everything on the client, RSC allows components to execute on the server, streaming serialized data to the client via what React calls the "Flight" protocol.
Server Functions (also called Server Actions) are a key part of this architecture—they allow client-side code to invoke server-side functions through HTTP requests.
The Flaw: Unsafe Deserialization
The vulnerability exists in how React deserializes payloads sent to Server Function endpoints. Here's the attack flow:
- Attacker crafts malicious HTTP request — A specially formatted payload targeting a Server Function endpoint
- Server receives and deserializes — React's Flight protocol parser processes the malicious payload
- Arbitrary code execution — Due to unsafe deserialization, the attacker's code executes with server privileges
- Full system compromise — Filesystem access, credential theft, persistent backdoors
The critical issue: React did not properly validate or sanitize incoming payloads before deserializing them. This is a classic "deserialization vulnerability" pattern that has plagued many frameworks over the years.
Why Authentication Doesn't Help
The vulnerability is pre-authentication—meaning the attacker doesn't need to log in or have any valid credentials. Simply sending a crafted HTTP request to any endpoint that supports Server Functions is enough.
Even if your app doesn't explicitly define Server Functions, you may still be vulnerable if your app supports React Server Components.
Affected Versions and Frameworks
Core React Packages
The vulnerability affects React versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 in these packages:
react-server-dom-webpackreact-server-dom-parcelreact-server-dom-turbopack
Frameworks and Bundlers
If you use any of these, you're affected:
| Framework/Package | Action Required |
|---|---|
| Next.js 13.3+ | Upgrade immediately (see below) |
| Next.js 14.x | Upgrade to 14.2.35+ |
| Next.js 15.x | Upgrade to patched version |
| Next.js 16.x | Upgrade to patched version |
| React Router (unstable RSC APIs) | Update dependencies |
| Waku | Update dependencies |
| Expo | Check changelog |
| Redwood SDK (rwsdk) | Upgrade to 1.0.0-alpha.0+ |
| @vitejs/plugin-rsc | Upgrade to latest |
| @parcel/rsc | Upgrade to latest |
How to Check If You're Affected
Run these commands in your project:
# Check your React version
npm list react react-dom
# Check for vulnerable RSC packages
npm list react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack 2>/dev/null
# Check Next.js version
npm list next
If you see any of the vulnerable versions listed, patch immediately.
Remediation: Step-by-Step Patching Guide
Next.js Applications
# For Next.js 14.x users
npm install next@14.2.35
# For Next.js 15.0.x users
npm install next@15.0.8
# For Next.js 15.1.x users
npm install next@15.1.12
# For Next.js 15.2.x users
npm install next@15.2.9
# For Next.js 15.3.x users
npm install next@15.3.9
# For Next.js 15.4.x users
npm install next@15.4.11
# For Next.js 15.5.x users
npm install next@15.5.10
# For Next.js 16.0.x users
npm install next@16.0.11
# For Next.js 16.1.x users
npm install next@16.1.5
Automated fix for Next.js:
npx fix-react2shell-next
Standalone RSC Packages
# Update all RSC-related packages
npm install react@latest react-dom@latest react-server-dom-webpack@latest
npm install react@latest react-dom@latest react-server-dom-parcel@latest
npm install react@latest react-dom@latest react-server-dom-turbopack@latest
React Router with RSC APIs
npm install react@latest react-dom@latest react-server-dom-parcel@latest react-server-dom-webpack@latest @vitejs/plugin-rsc@latest
Waku
npm install react@latest react-dom@latest react-server-dom-webpack@latest waku@latest
Temporary Mitigations (If You Can't Patch Immediately)
1. Web Application Firewall (WAF) Rules
Major cloud providers have deployed WAF rules:
-
Google Cloud Armor:
cve-canaryrule - AWS WAF: Check AWS managed rules
- Cloudflare: Review security rules
2. Disable Server Functions
If your application allows it, temporarily disable Server Functions:
// This is a temporary mitigation, NOT a fix
// Remove this after patching
// In next.config.js
module.exports = {
experimental: {
serverActions: false // Disables Server Actions
}
}
3. Block Malicious Request Patterns
Use middleware to detect and block suspicious payloads:
// middleware.js - Basic detection (NOT foolproof)
export function middleware(request) {
const contentType = request.headers.get('content-type') || '');
// RSC requests typically have specific content types
if (contentType.includes('text/x-component')) {
// Implement additional validation here
// This is NOT a complete fix - patch instead
}
return NextResponse.next();
}
⚠️ Warning: These mitigations are temporary. The only real fix is to patch your dependencies.
Related Vulnerabilities Discovered After Initial Fix
The React team disclosed additional vulnerabilities in December 2025 and January 2026:
CVE-2025-55184 (CVSS 7.5) - Denial of Service
- Pre-authentication DoS via infinite loop in Server Function deserialization
- Affects same packages as the RCE vulnerability
CVE-2025-67779 (CVSS 7.5) - Incomplete Fix
- Same impact as CVE-2025-55184
- Demonstrates why security patches need thorough review
CVE-2025-55183 (CVSS 5.3) - Source Code Exposure
- Information leak that can expose Server Function source code
- Requires specific conditions (argument exposed as string)
CVE-2026-23864 (CVSS 7.5) - January 2026
- Another DoS variant discovered after additional review
Make sure you're on the latest patched versions to cover all these vulnerabilities.
Real-World Attack Scenarios
Scenario 1: Public SaaS Application
A SaaS company running Next.js 15 with App Router exposes Server Functions for form submissions. An attacker:
- Discovers the
/api/actionendpoint - Crafts a malicious payload using publicly available PoC code
- Gains remote code execution
- Accesses customer database and exfiltrates data
Impact: Data breach, regulatory fines, reputation damage
Scenario 2: Internal Dashboard
A company's internal admin dashboard uses React Server Components. Though behind a VPN, an attacker:
- Compromises a single employee laptop
- Sends malicious request to internal dashboard
- Pivot to internal network from the web server
Impact: Lateral movement, further compromise
Scenario 3: E-commerce Platform
An online store's checkout process uses Server Actions. Attackers:
- Exploit the vulnerability to gain shell access
- Modify payment processing code
- Exfiltrate credit card data
Impact: PCI-DSS violation, customer trust destruction
FAQ
Q: I don't use Server Functions. Am I safe?
A: Not necessarily. If your app supports React Server Components at all, you're vulnerable—even without explicit Server Functions.
Q: How do I know if I'm using RSC?
A: Check for:
-
"use server"directives in your code - App Router usage in Next.js (
app/directory) - Dependencies on
react-server-dom-*packages
Q: Is client-side React affected?
A: No. If your React code runs only on the client (no server rendering, no RSC), you're not affected.
Q: What if I'm on React 18 or earlier?
A: You're not affected. This vulnerability is specific to React 19's Server Components implementation.
Q: Are there active exploits in the wild?
A: Yes. Security researchers have observed exploitation attempts shortly after disclosure. Proof-of-concept code is publicly available.
Q: Should I take my application offline until patched?
A: That depends on your risk tolerance. If you're handling sensitive data and cannot patch immediately, consider:
- Temporarily disabling the application
- Deploying WAF rules
- Disabling Server Functions
Security Best Practices Going Forward
1. Audit Your Dependencies Regularly
# Run security audits
npm audit
# Check for known vulnerabilities
npm audit fix
# Use tools like Snyk or Dependabot
2. Subscribe to Security Advisories
- GitHub Security Advisories
- React Blog
- Next.js Blog
- Your framework's security mailing list
3. Implement Defense in Depth
- WAF rules for known vulnerability patterns
- Rate limiting on Server Function endpoints
- Input validation at the application layer
- Monitoring for suspicious payloads
4. Have an Incident Response Plan
When a critical vulnerability drops:
- Identify affected systems immediately
- Assess risk and exposure
- Apply patches or mitigations
- Monitor for exploitation attempts
- Communicate with stakeholders
Conclusion
CVE-2025-55182 represents one of the most severe vulnerabilities in the React ecosystem's history. With a CVSS score of 10.0, active exploitation in the wild, and publicly available proof-of-concept code, this requires immediate action.
Key takeaways:
- Patch immediately — Upgrade to the fixed versions for your framework
-
Run the automated fix —
npx fix-react2shell-nextfor Next.js -
Verify your update — Confirm versions with
npm list - Monitor for additional vulnerabilities — The follow-up CVEs show security research continues
- Implement defense in depth — WAF rules, dependency audits, security advisories
The React team responded quickly and transparently, working with hosting providers to deploy mitigations and publishing detailed guidance. This is how responsible disclosure should work.
If you haven't patched yet, do it now.
Resources
- React Official Advisory
- Next.js Security Update
- CVE-2025-55182 Record
- Trend Micro Analysis
- Wiz Security Analysis
This article is for informational purposes. Always consult official security advisories from React and your framework maintainers for the most up-to-date guidance.
Top comments (0)