React2Shell: A Critical RCE Vulnerability in React and Next.js
05. December 2025
admin
Updated: 05. December 2025


The security world is currently in an uproar: React2Shell is the name given to a highly critical Remote Code Execution (RCE) vulnerability (CVE-2025-55182 and CVE-2025-66478) disclosed within React Server Components (RSC). This flaw poses a severe risk to a vast number of modern web applications, particularly those built on Next.js using the App Router. This vulnerability has been assigned the highest severity rating of CVSS 10.0 and requires immediate action.


What is React2Shell?

React2Shell is the popular name for two closely related vulnerabilities (CVE-2025-55182 in React and CVE-2025-66478 in Next.js) that impact the deserialization of data within the React Server Components (RSC) “Flight” protocol.

The Core Problem:
The vulnerability stems from insecure deserialization within the RSC implementation. React Server Components allow logic to be executed on the server, with the resulting, serialized data being sent to the client. Attackers can inject a specially crafted HTTP payload that manipulates the metadata for server functions. During the deserialization of this data on the server, React attempts to access component metadata in an unsafe manner, which enables a Prototype Pollution attack.

  • Remote Code Execution (RCE): A successful attack allows an attacker to execute arbitrary code on the vulnerable server.
  • No Authentication Required: Exploitation of the vulnerability requires no user credentials or an active session. A simple, manipulated HTTP request is sufficient.
  • High Criticality: The combination of RCE, lack of required authentication, and the widespread adoption of RSC-enabled frameworks (like the Next.js App Router) makes this a high-priority issue.

💣 Affected Systems and the Next.js App Router

The vulnerability affects the core implementation of React Server Components and its associated packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack).

Affected Versions:

  • React: Versions 19.x (including 19.0.0, 19.1.0, 19.1.1, 19.2.0 as well as many Canary, RC, and experimental builds).
  • Next.js: Versions 15.x and 16.x, when the App Router is in use.

Important Note:
Even applications that do not implement explicit server function endpoints can be vulnerable, as long as they fundamentally support React Server Components. The vulnerability lies in how the serialization and deserialization of RSC data are handled by default.


🚨 Active Exploitation and Urgency

The urgency surrounding this vulnerability is extremely high. Within hours of public disclosure, active exploitation attempts were observed, particularly from China-aligned cyber threat groups such as Earth Lamia and Jackpot Panda.

  • Rapid Operationalization: Threat actors are aggressively scanning the internet for unpatched systems.
  • Attack Indicators: Network indicators include HTTP POST requests to App Router endpoints with headers like next-action or rsc-action-id, and request bodies containing patterns like $@ or "status":"resolved_model".
  • Severe Damage: A successful exploit can lead to the complete compromise of the server, including the execution of commands like whoami or the reading of sensitive files such as /etc/passwd.

✅ Immediate Action and Patches

Administrators and developers using affected versions of React or Next.js must take immediate action. This requires an urgent deviation from normal patching cycles.

Fixing Versions:

  1. React: Upgrade to React 19.0.1, 19.1.2, or 19.2.1 (or the corresponding patched Canary and RC versions).
  2. Next.js: The necessary patches have been released in the latest versions of the 15.x and 16.x series. Ensure you update to the latest available version within your respective major version.

Additional Mitigation Steps:

  • Web Application Firewalls (WAF): Deploy a WAF to block requests with suspicious patterns (e.g., the next-action header or suspicious payloads).
  • Monitoring: Implement enhanced host-based monitoring to detect unexpected command executions or file writes (e.g., in the /tmp/ directory) originating from the Node.js/React process.
  • Segmentation: Isolate servers running RSC as much as possible from critical internal resources.
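Added example, not code from the original post or from the React/Next.js projects: a small triage routine that applies the network indicators listed under "Attack Indicators" (the next-action / rsc-action-id headers and the $@ and "status":"resolved_model" body patterns) to HTTP requests, in the spirit of the WAF and monitoring steps above. Request ids, header values and bodies are constructed for illustration; it runs under Node.js.

```javascript
// Added example, not code from the original post or from the React/Next.js
// projects. It triages HTTP requests against the React2Shell network
// indicators named in the post; the sample requests are constructed.
const RSC_ACTION_HEADERS = ["next-action", "rsc-action-id"];
const BODY_PATTERNS = [
  { name: "flight-reference", re: /\$@/ },
  { name: "resolved-model-status", re: /"status"\s*:\s*"resolved_model"/ },
];

// Header names are case-insensitive in HTTP, so normalise before lookup.
function lowerHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// A request is flagged only when all three signals line up: POST method, an
// RSC action header, and a body matching a payload pattern. The header alone
// is normal Server Action traffic and is not treated as an indicator by itself.
function inspectRequest({ method, headers = {}, body = "" }) {
  const h = lowerHeaders(headers);
  const actionHeaders = RSC_ACTION_HEADERS.filter((n) => n in h);
  if (method.toUpperCase() !== "POST" || actionHeaders.length === 0) {
    return { suspicious: false, reasons: [] };
  }
  const reasons = BODY_PATTERNS.filter((p) => p.re.test(body)).map((p) => p.name);
  if (reasons.length > 0) reasons.unshift(`action-header:${actionHeaders.join(",")}`);
  return { suspicious: reasons.length > 0, reasons };
}

// Returns the ids of flagged requests so the result can be logged or alerted on.
function triage(requests) {
  return requests.filter((r) => inspectRequest(r).suspicious).map((r) => r.id);
}

// Constructed sample traffic (hypothetical ids, header values and bodies).
const SAMPLE_REQUESTS = [
  { id: "get-page", method: "GET", headers: {}, body: "" },
  { id: "normal-action", method: "POST",
    headers: { "Next-Action": "abc123" }, body: '["hello"]' },
  { id: "no-action-header", method: "POST",
    headers: { "content-type": "text/plain" }, body: '{"x":"$@1"}' },
  { id: "suspicious-action-post", method: "POST",
    headers: { "rsc-action-id": "x" },
    body: '{"status":"resolved_model","value":"$@0"}' },
];

console.log(triage(SAMPLE_REQUESTS)); // → [ 'suspicious-action-post' ]
```

Treat a hit as a signal to log and investigate rather than an automatic block: the next-action header is also present on every legitimate Server Action request, so a header-only WAF rule would break the application.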

React Server Components are an exciting and powerful technology for modern web development. However, React2Shell serves as a potent reminder that new architectures can also introduce new, high-risk attack surfaces. Patch now!
