React2Shell – Critical Bug Exposes React Server Components to Unauthenticated Remote Code Execution

A critical, maximum-severity vulnerability has been disclosed in React Server Components (RSC) that enables unauthenticated remote code execution (RCE) on exposed servers. Tracked as CVE-2025-55182 and nicknamed React2Shell, the bug carries a CVSS score of 10.0, reflecting its ease of exploitation and widespread impact across modern JavaScript frameworks.
According to the React Team, the flaw originates from how React decodes payloads sent to React Server Function endpoints, allowing arbitrary JavaScript to execute on the backend. Crucially, applications may be vulnerable even if they do not explicitly use Server Function endpoints — simply enabling React Server Components is enough to be exposed.
Root Cause: Unsafe Deserialization in React Flight Protocol
Cloud security firm Wiz attributes the issue to logical deserialization weaknesses in the React Flight protocol, which processes RSC payloads. Attackers can send malicious payloads that React wrongly interprets as trusted structures, triggering direct execution of attacker-supplied code.
Aikido Security further described it as a case where “malformed or adversarial payloads can influence server-side execution in unintended ways,” prompting the React team to harden deserialization and add strict payload validation in patched versions.
Affected Packages and Versions
The flaw affects React RSC implementations in the following npm packages:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Vulnerable Versions
- 19.0.0
- 19.1.0
- 19.1.1
- 19.2.0
Patched Versions
- 19.0.1
- 19.1.2
- 19.2.1
The vulnerability was discovered by security researcher Lachlan Davidson and responsibly reported to Meta on November 29, 2025.
Next.js Also Impacted (CVE-2025-66478 — CVSS 10.0)
Next.js, whose App Router is built on React Server Components, is affected under a separate identifier:
Impacted Next.js Versions
- 14.3.0-canary.77 and later 14.x canary builds
- 15.x (all releases before the patched versions below)
- 16.x (all releases before 16.0.7)
Patched Versions
- 16.0.7
- 15.5.7
- 15.4.8
- 15.3.6
- 15.2.6
- 15.1.9
- 15.0.5
Security firms warn that any framework or plugin that bundles the affected react-server-dom-* packages is likely vulnerable as well, including:
- Vite RSC plugin
- Parcel RSC plugin
- React Router RSC preview
- RedwoodJS
- Waku
Exploitation: No Login, No Special Conditions, HTTP is Enough
Endor Labs, VulnCheck, and Miggo Security emphasized:
- No authentication is required
- Any exposed Server Function endpoint is a viable target
- A single crafted HTTP request is enough; no special protocol, client or session state is required
- Default framework configurations are exploitable immediately
Attackers only need basic network access to trigger RCE with a crafted request.
Wiz reported that 39% of cloud environments they analyzed contain vulnerable React or Next.js installations — a staggering potential blast radius.
Mitigation
Immediate actions recommended:
- Apply the patched versions as soon as possible
- Enable WAF rules (Cloudflare already deployed global protection for proxied sites)
- Monitor HTTP traffic to Server Function endpoints for malformed or unexpected RSC payloads
- Restrict network access to affected applications where possible
Cloudflare confirmed that all customers — free and paid — are protected when traffic is proxied through their WAF.
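The first mitigation step, applying the patched versions, is easy to get wrong in a real dependency tree: a fixed top-level Next.js or React build can still sit beside a nested, unfixed copy of react-server-dom-webpack pulled in by a plugin. The following Node.js script is an added example, not code from the page, the React team or Vercel. It walks the "packages" map of an npm package-lock.json (lockfile version 2 or 3) and classifies every installed copy of next and the three react-server-dom-* packages against the version lists above. The sample lockfile and the plugin name "some-rsc-plugin" are constructed for the demo. Two assumptions are built in: version lines the page does not name (for example 19.3.x or 16.1.x) are reported as "unknown" rather than guessed, and a prerelease below a line's first fixed release (such as a 19.2.0 canary) is treated as vulnerable, in line with the React team's advice to move canary users to the latest build.

```javascript
// Added example (not from the page, the React team, or Vercel): check an npm
// package-lock.json against the React2Shell advisory version lists.
// Assumptions: unlisted version lines are reported as "unknown"; a prerelease
// below a line's first fixed release is treated as vulnerable.

// Affected packages and first fixed release per minor line (from the advisory).
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
const RSC_FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
const NEXT_FIRST_AFFECTED = "14.3.0-canary.77";
const NEXT_FIXED = {
  "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
  "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7",
};

// Minimal semver parse/compare; handles prerelease tags such as "-canary.77".
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split(".") : [] };
}

function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  // A release outranks any prerelease carrying the same numbers.
  if (x.pre.length === 0 && y.pre.length === 0) return 0;
  if (x.pre.length === 0) return 1;
  if (y.pre.length === 0) return -1;
  const n = Math.min(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === q) continue;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) return +p < +q ? -1 : 1;
    if (pn) return -1; // numeric identifiers sort before alphanumeric ones
    if (qn) return 1;
    return p < q ? -1 : 1;
  }
  return Math.sign(x.pre.length - y.pre.length);
}

// Classify one installed package against the advisory's version lists.
function assess(name, version) {
  const v = parseVersion(version);
  const line = `${v.major}.${v.minor}`;
  const check = (fixed) =>
    compareVersions(version, fixed) < 0 ? { status: "vulnerable", fix: fixed } : { status: "patched" };
  if (RSC_PACKAGES.has(name)) {
    return RSC_FIXED[line] ? check(RSC_FIXED[line]) : { status: "unknown", note: `${line}.x not in advisory list` };
  }
  if (name === "next") {
    if (compareVersions(version, NEXT_FIRST_AFFECTED) < 0) return { status: "unaffected" };
    if (NEXT_FIXED[line]) return check(NEXT_FIXED[line]);
    // 14.3 canaries from .77 onward are affected, but the advisory lists no 14.x fix.
    return v.major === 14
      ? { status: "vulnerable", fix: "no 14.x fix listed; move to a patched 15.x or 16.x release" }
      : { status: "unknown", note: `${line}.x not in advisory list` };
  }
  return { status: "not-in-scope" };
}

// Walk every installed copy, including nested duplicates under a dependency's own node_modules.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // "" is the root project; workspace paths without node_modules/ are the project's own code.
    if (!path.includes("node_modules/") || !entry.version) continue;
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const result = assess(name, entry.version);
    if (result.status !== "not-in-scope") findings.push({ path, name, version: entry.version, ...result });
  }
  return findings;
}

// Constructed sample lockfile for the demo (not a real project).
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/next": { version: "15.5.6" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/some-rsc-plugin/node_modules/react-server-dom-webpack": { version: "19.0.0" },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  const extra = f.fix ? `  -> upgrade to ${f.fix}` : f.note ? `  ${f.note}` : "";
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})${extra}`);
}
```

On the sample lockfile the script reports next@15.5.6 and both copies of react-server-dom-webpack as vulnerable while the turbopack package at 19.2.1 shows as patched; the nested 19.0.0 copy is exactly the case a top-level `npm ls next react` check would miss. To run it against a real project, replace SAMPLE_LOCK with the parsed contents of that project's package-lock.json.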
Threat Outlook
Palo Alto Networks Unit 42 identified over 968,000 publicly accessible servers running modern frameworks like React and Next.js, forming an exceptionally attractive attack surface.
Justin Moore of Unit 42 stressed the severity:
“This is a master key exploit — the system executes the malicious payload with the same reliability as legitimate code because it operates exactly as intended, just on malicious input.”
Given its ease of exploitation, widespread impact, and attack simplicity, React2Shell is now one of the most serious web-framework vulnerabilities disclosed in 2025.
Sources: thehackernews.com, blog.cloudflare.com, wiz.io/blog, react.dev/blog, aikido.dev/blog