CVE-2025-55182, dubbed React2Shell, is a critical unauthenticated remote code execution vulnerability affecting React Server Components. With a maximum CVSS score of 10.0, it represents one of the most severe vulnerabilities to hit the JavaScript ecosystem. This article provides a technical breakdown of the vulnerability, explains how exploitation works, and delivers actionable guidance for detection and remediation.
Why This Vulnerability Matters
React powers approximately 82% of JavaScript applications according to the 2024 State of JavaScript survey. Next.js, the leading React framework for server-side rendering, is used by 18-20% of developers. When Wiz analyzed cloud environments, they found 39% contained vulnerable versions of React or Next.js. The Shadowserver Foundation detected nearly 78,000 vulnerable IP addresses within 48 hours of disclosure.
The vulnerability went from public disclosure to active exploitation by nation-state actors in under 24 hours. CISA added it to the Known Exploited Vulnerabilities catalog on December 5, 2025, mandating federal agencies patch by December 26, 2025. Google, Amazon, Microsoft, Palo Alto Networks, and Datadog have all published threat intelligence confirming widespread exploitation across multiple sectors.
Technical Background: React Server Components and the Flight Protocol
React Server Components (RSC) allow developers to render components on the server rather than the client browser. This improves performance by reducing JavaScript bundle sizes and moving computation to the server.
RSC uses a protocol called Flight to serialize and transport component data between server and client. The protocol handles two primary flows:
Server-to-Client: The server serializes RSC data into packets and streams them to the client for rendering.
Client-to-Server (Reply Flow): When a user triggers a Server Action (clicking a button, submitting a form), the client serializes data back to the server. The server deserializes this data to process the request.
The vulnerability exists in the Client-to-Server flow. When the server receives a Flight payload via HTTP POST, it deserializes the raw text back into JavaScript objects to serve as function arguments. The server then maps client-side references to server-side code using a string-based identifier format and executes the corresponding function.
The Vulnerability: Unsafe Deserialization
CVE-2025-55182 is a logic flaw in how React's Flight protocol decoder processes incoming payloads. The decoder expands object properties without validating their structure, enabling prototype pollution during the parsing stage.
React's server-side components use internal objects called Chunks to represent pieces of data within the Flight protocol. During normal operation, React resolves these Chunks as Promises inside its request parsing logic. The vulnerable code trusts incoming data implicitly, assuming clients will never send malicious payloads.
The attack exploits this trust through the following chain:
- The attacker crafts a fake Chunk object and submits it in an HTTP POST request body.
- Since React does not validate the payload structure, it treats the fake object as genuine.
- The fake Chunk defines a custom
thenmethod (exploiting JavaScript's Promise resolution behavior). - When React attempts to resolve the Chunk as a Promise, it calls the attacker-controlled
thenmethod. - This gives the attacker control over internal parsing state, including the
_responseobject. - The attacker modifies this state to cause React to invoke arbitrary server-side functions.
- Those functions become the path to remote code execution.
The vulnerability resides specifically in the requireModule function within react-server-dom-webpack and related packages. The flaw allows attackers to insert malicious keys like __proto__ or constructor that alter the fundamental behavior of JavaScript objects on the server.
Why This Exploit Is Especially Dangerous
Several factors make React2Shell exceptionally severe:
Unauthenticated: No login, API key, session token, or CSRF token is required. Anyone on the internet can send a malicious request.
Default Configurations Vulnerable: A standard Next.js application created with create-next-app and built for production is exploitable without any code changes by the developer.
Single Request Exploitation: The entire attack chain executes in one HTTP POST request.
Near-100% Reliability: Unlike memory corruption bugs that may fail unpredictably, this is a deterministic logic flaw. Security researchers report exploitation success rates approaching 100%.
Passive Vulnerability: Applications are vulnerable even if they don't explicitly define Server Function endpoints, as long as they support React Server Components. The mere presence of vulnerable packages is often sufficient.
Detection Difficulty: Attackers can vary the structure and encoding of the exploit in many ways. There is no single reliable signature, and some variants leave no files or obvious traces.
Affected Versions
React Packages (versions 19.0.0, 19.1.0, 19.1.1, 19.2.0):
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Frameworks and Bundlers:
- Next.js 15.x and 16.x (App Router)
- React Router
- Waku
- @parcel/rsc
- @vitejs/plugin-rsc
- rwsdk
Not Affected:
- Next.js 13.x and 14.x stable releases
- Next.js Pages Router applications
- Next.js Edge Runtime
- Applications that do not use frameworks or bundlers supporting RSC
- Client-only React applications
Observed Exploitation Patterns
Multiple threat intelligence teams have documented post-exploitation behavior following successful React2Shell attacks.
Initial Reconnaissance: Attackers execute commands like whoami, hostname, environment variable dumps, and browse /etc/passwd to profile the host and execution context.
Credential Harvesting: Systematic attempts to access environment variables (.env files), SSH keys, AWS credentials, Kubernetes configurations, Docker configs, and cloud provider credentials.
Persistence Establishment: Installation of systemd services, cron jobs, or other scheduled tasks. Attackers have been observed deploying the SNOWLIGHT downloader, VShell backdoor, HISONIC backdoor, COMPOOD backdoor, and various cryptocurrency miners.
Lateral Movement: Pivoting from web application context to internal systems. Attackers scan for additional vulnerable services and attempt to escalate privileges.
Payload Delivery: Drive-by downloads using curl or wget to fetch and execute scripts from attacker-controlled infrastructure. Common payloads include XMRig cryptocurrency miners, Mirai loaders, and Cobalt Strike beacons.
Threat actors observed exploiting this vulnerability include China-nexus groups Earth Lamia, Jackpot Panda, and UNC5174 (CL-STA-1015), as well as Iranian threat actors and financially motivated cybercriminals.
Detection Methods
Vulnerability Scanning: Use tools like Assetnote's scanner, which differentiates vulnerable from patched hosts by sending specific payloads and analyzing server responses. Vulnerable servers return HTTP 500 with specific error patterns when sent malformed Flight data.
Runtime Detection: Monitor for unexpected shell commands or process spawning from web server processes. Sysdig's Falco rule "Suspicious Command Executed by Web Server" catches arbitrary commands spawned by web applications.
Network Monitoring: Watch for POST requests to RSC endpoints containing unusual serialized data structures. Monitor for outbound connections to unknown IP addresses from web application processes.
Log Analysis: Look for TypeErrors related to multipart data parsing, attempts to read environment files, and command execution errors in application logs.
SBOM Analysis: Audit your software bill of materials for vulnerable React and Next.js package versions, including transitive dependencies.
Remediation Steps
1. Upgrade Immediately
Update to patched versions:
React packages: 19.0.1, 19.1.2, or 19.2.1
Next.js: Version-specific patches are available:
- Next.js 15.x: Upgrade to 15.0.5 or later
- Next.js 16.x: Upgrade to the latest patched 16.x release
- Next.js 14.x canary (14.3.0-canary.77+): Downgrade to stable 14.x or upgrade to 15.0.5+
For Next.js applications, the automated tool npx fix-react2shell-next can streamline the upgrade process.
2. Audit Dependencies
Check your entire dependency tree. Vulnerable packages may be present as transitive dependencies even if you did not install them directly:
npm ls react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack
3. Deploy WAF Rules
Major providers have released protective rules:
- AWS WAF: AWSManagedRulesKnownBadInputsRuleSet (version 1.24+)
- Cloudflare: Rules detecting unsafe deserialization in POST requests
- Google Cloud Armor: cve-canary rule
- Akamai: Adaptive Security Engine Rapid Rules
Note that WAF rules provide defense-in-depth but cannot guarantee protection against all exploit variants. Patching remains the only complete fix.
4. Implement Network Segmentation
Isolate frontend services from backend systems and databases. Ensure hosts running public-facing applications maintain separate credentials from internal services. This limits blast radius if exploitation occurs.
5. Monitor for Compromise
CISA recommends checking for signs of potential compromise on all internet-accessible React instances after applying mitigations. Look for:
- Unexpected user accounts or SSH keys
- New scheduled tasks or services
- Unusual outbound network connections
- Modified environment variables or configuration files
- Evidence of cryptocurrency mining activity
6. Review Application Architecture
If your application does not require Server Components, consider whether you can disable RSC functionality entirely. Evaluate whether Server Functions can be protected behind authentication layers even if React does not require it.
Long-Term Architectural Lessons
React2Shell highlights a fundamental tension in modern web architecture. Server Components optimize performance by moving logic closer to the data source, but they simultaneously move the attack surface closer to sensitive systems.
The Flight protocol was designed with the assumption that clients would never send malicious data. This assumption proved catastrophic. Any protocol that deserializes untrusted input must validate payload structure rigorously before processing.
Organizations should treat this incident as a prompt to review their overall security posture:
Defense in Depth: No single control will stop every attack. Layer network segmentation, host-based firewalls, credential isolation, and continuous monitoring to create overlapping defenses.
Dependency Management: Modern applications depend on hundreds of open-source packages. A single flawed update can expose an entire production environment. Implement automated vulnerability scanning in CI/CD pipelines and maintain current SBOMs.
Incident Response Preparation: The window between disclosure and exploitation is shrinking. Attackers weaponized React2Shell within hours of public disclosure. Organizations need processes to deploy emergency patches rapidly.
CVE-2025-55182 is a critical threat to any organization running React Server Components. The combination of unauthenticated access, single-request exploitation, and React's massive install base creates extreme risk. With active exploitation confirmed across nation-state and criminal threat actors, immediate patching is essential.
Review your dependencies, apply updates, verify your network architecture limits lateral movement, and monitor for signs of compromise. The security community has provided the tools and intelligence needed to defend against this threat.
