
React2Shell (CVE-2025-55182): The Critical RCE That's Turning React and Next.js Into a Hacker's Playground
React2Shell is a CVSS 10.0 pre-auth RCE in React Server Components and Next.js. Learn what it is, who's affected, and how to patch before attackers own...
💡 TL;DR (Executive Summary)
React2Shell (CVE-2025-55182) is a CVSS 10.0 pre-authentication RCE in React Server Components and Next.js. A single HTTP request can give attackers full server access. Default configs are vulnerable. Exploits are in the wild. If you run RSC or Next.js, drop everything and patch now. This is not a drill.
1. The Hook: Why This Matters Right Now
Over the last 24 hours, security and infra channels from San Francisco to Bangalore have lit up with a single topic:
React2Shell (CVE-2025-55182) — a pre-authentication remote code execution (RCE) vulnerability that exposes tens of thousands of production apps to full server takeover with a single HTTP request.
This isn't just another scary CVE ID for your backlog. This is the kind of bug that hits every nerve ending at once:
- Default configs are affected.
- Popular frameworks (Next.js, RSC-enabled stacks) are impacted.
- Exploits are reliable and already circulating in the wild.
- Cloud telemetry shows hundreds of thousands of exposed instances worldwide.
Wiz reports vulnerable React/Next.js across ~39% of cloud environments, and Unit 42 has visibility into ~968k React/Next.js instances on the public internet.
For anyone who lived through Log4Shell, this feels uncomfortably familiar. But this time, it's not about a logging library quietly buried in Java microservices. It's about the front-end stack that powers a huge fraction of the modern web.
2. What React2Shell Actually Is (In Plain English)
React2Shell targets the React Server Components "Flight" protocol—the binary protocol React uses to communicate between client and server for RSC. In affected versions:
- The server trusts and deserializes attacker-controlled RSC payloads unsafely.
- A single crafted HTTP request can trigger arbitrary code execution on the server.
- No authentication is required.
- The attack is near-100% reliable in testing according to Wiz.
Because Next.js implements RSC and the Flight protocol, it inherits the same bug. A standard Next.js app created with create-next-app and deployed with default settings can be exploitable with no custom code changes if it's using affected versions.
React's own advisory confirms the CVSS 10.0 rating.
Key CVE Details
| CVE ID | Description | Status |
|---|---|---|
| CVE-2025-55182 | Core React RSC / Flight protocol RCE | Primary |
| CVE-2025-66478 | Initially assigned for Next.js, later merged as duplicate | Merged |
The popular name "React2Shell" comes from researchers who immediately recognized the Log4Shell-level severity.
3. Why This Exploded in 24 Hours
The technical advisory landed days ago, but three converging factors pushed React2Shell into "front-page in every tech Slack" territory:
3.1. Public PoCs and Active Exploitation
Early write-ups were cautious about details, but Wiz, Invicti and Unit 42 now confirm:
- Fully working RCE exploits exist
- Public proof-of-concept code is circulating
- Opportunistic scanning and exploitation are in full swing
3.2. Massive Exposed Surface Area
- React is everywhere; Next.js is the de facto React meta-framework.
- RSC is enabled by default in modern Next.js app router setups.
- You can be vulnerable even if you never consciously opted into fancy RSC features.
3.3. Cloud-Scale Telemetry Looked… Bad
- Wiz data: vulnerable React/Next.js stacks in nearly 4 out of 10 cloud environments, with a big chunk internet-facing.
- Unit 42 sees nearly one million React/Next.js instances exposed on the public internet.
Security teams saw the combination of popular + default-on + pre-auth RCE + PoC + exploitation and immediately went into "all hands" mode.
4. How the Exploit Works (Technical Deep Dive)
At a conceptual level, React2Shell is a textbook case of insecure deserialization in a custom protocol:
4.1. The Flight Protocol
RSC uses the Flight protocol to serialize component trees and server actions across the wire. It's a binary/text hybrid format that:
- Encodes React component references
- Serializes props and state
- Handles server action invocations
4.2. The Attack Vector
4.3. Why It's So Dangerous
- Pre-Auth: No login required. Public endpoints are exploitable.
- Protocol-Level: The bug lives below your app logic. The attacker doesn't care what your business code does.
- Reliable: Near-100% success rate means automated exploitation is trivial.
- Widespread: Default Next.js setups with the `app/` router are in scope.
Invicti's analysis describes it as a "one-request RCE": pre-auth, no user interaction, no misconfiguration required beyond running vulnerable versions.
5. Who Is Affected: The Full Blast Radius
From the official React advisory and vendor write-ups, the vulnerable components are:
5.1. Vulnerable React Packages
The following packages in the 19.x RSC / Flight line are affected:
| Package | Vulnerable Versions | Patched Versions |
|---|---|---|
| react-server-dom-webpack | 19.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1+ |
| react-server-dom-parcel | 19.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1+ |
| react-server-dom-turbopack | 19.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1+ |
Source: React advisory
5.2. Vulnerable Frameworks and Tooling
Any framework or bundler that embeds or depends on affected RSC packages is in scope:
- Next.js (App Router) — Specific 15.x / 16.x ranges and certain canary builds
- React Router RSC preview
- Redwood SDK
- Waku
- Vite RSC plugin (`@vitejs/plugin-rsc`)
- Parcel RSC plugin (`@parcel/rsc`)
Microsoft and Unit 42 both provide explicit affected version ranges and mitigation guidance.
5.3. Who's NOT Affected
If you're on pure client-side React (SPA with no react-server-dom-* anywhere), you're not impacted by this specific bug. But many orgs use frameworks that pull these server packages indirectly, which is why SBOM and dependency visibility tools suddenly matter a lot.
6. What Attackers Are Actually Doing With React2Shell
The scary part is not just that this exploit exists; it's that multiple threat intel teams are already watching it being used at scale.
6.1. Wiz Observations
Wiz reports:
- Near-100% reliability in their RCE testing
- Observed campaigns harvesting cloud credentials
- Dropped cryptominers (e.g., XMRig)
- Shells used to explore compromised boxes
6.2. Microsoft Telemetry
Microsoft sees:
- Hundreds of compromised devices in real orgs
- Post-exploitation payloads including reverse shells, RATs, and credential-stealing scripts
- Targeting of cloud metadata endpoints (AWS, Azure, GCP, Tencent) for token theft
6.3. Unit 42 Intelligence
Unit 42 has seen:
- Cobalt Strike-like activity
- Custom Linux backdoors (e.g., KSwapDoor)
- Cryptomining campaigns
- IAB-style (initial access broker) operations
- A mix of opportunistic exploitation and more targeted campaigns
This isn't a theoretical "could be bad if someone figures it out" bug. At this point, the offensive ecosystem has React2Shell fully onboarded.
7. What You Should Do Right Now
In DevRel-speak, here's the TL;DR: Treat React2Shell as an active incident until you've proven you're clean and patched.
7.1. Identify If You're Impacted
You need real inventory, not vibes.
Search dependencies:
```bash
# Check for vulnerable packages
npm ls react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack
# Check Next.js version
npm ls next
# For monorepos, scan all packages
npx lerna ls --all --long 2>/dev/null || npm ls --all | grep -E "react-server-dom|next@"
```
Match versions against the official ranges from:
If you have internet-facing Next.js apps running vulnerable versions, assume they are high-risk targets immediately.
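A machine-checkable version of the inventory step, added here and not part of the React advisory or the original post: it walks the JSON tree that `npm ls --all --json` prints and flags the three RSC packages at the versions in the table above, reporting the dependency chain so indirect pulls through a framework are visible. Next.js itself is not matched because the post gives no exact Next.js ranges; `SAMPLE_TREE` and its placeholder versions are constructed for the demo.

```javascript
// Added example (not the advisory's or the post's own code): flag the RSC
// packages the advisory lists, at the versions it lists (its table writes
// 19.0 for 19.0.0). Next.js ranges must be checked against the vendor advisory.
const VULNERABLE = {
  "react-server-dom-webpack":   ["19.0.0", "19.1.0", "19.1.1", "19.2.0"],
  "react-server-dom-parcel":    ["19.0.0", "19.1.0", "19.1.1", "19.2.0"],
  "react-server-dom-turbopack": ["19.0.0", "19.1.0", "19.1.1", "19.2.0"],
};

// "19.0" and "19.0.0" name the same release; pad to three components.
function normalize(version) {
  const parts = String(version).split(".");
  while (parts.length < 3) parts.push("0");
  return parts.join(".");
}

// One hit per vulnerable occurrence, with the chain that pulled it in.
function findVulnerable(tree) {
  const hits = [];
  const walk = (node, chain) => {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const path = [...chain, name];
      const badVersions = VULNERABLE[name];
      if (badVersions && badVersions.includes(normalize(dep.version))) {
        hits.push({ name, version: dep.version, via: path.join(" > ") });
      }
      walk(dep, path); // recurse into nested dependencies
    }
  };
  walk(tree, []);
  return hits;
}

// Constructed sample in the shape of `npm ls --all --json` output.
const SAMPLE_TREE = {
  name: "acme-shop", version: "1.0.0",
  dependencies: {
    next: {
      version: "x.y.z-placeholder", // constructed; real ranges: vendor advisory
      dependencies: { "react-server-dom-webpack": { version: "19.1.1" } },
    },
    "react-server-dom-turbopack": { version: "19.2.1" }, // patched, not flagged
    react: { version: "19.1.1" },                        // client React, out of scope
  },
};

console.log(findVulnerable(SAMPLE_TREE));
```

Against a real project, save `npm ls --all --json > tree.json` and pass `JSON.parse(fs.readFileSync("tree.json", "utf8"))` to `findVulnerable`.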
7.2. Patch. Don't Wait for "The Next Sprint."
```bash
# Update React RSC packages
npm update react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack
# Update Next.js
npm update next
# Verify versions
npm ls react-server-dom-webpack next
```
Exact version numbers may evolve, but as of the advisories:
- Upgrade RSC packages to patched 19.x versions (`19.0.1`, `19.1.2`, `19.2.1` or later)
- Upgrade Next.js to patched versions in your major line
Then:
- Rebuild your app images/artifacts
- Redeploy all affected environments (staging, prod, long-lived "temporary" environments)
Cloud WAF protections from providers (Cloudflare, etc.) help but are not enough. Every serious write-up explicitly calls patching the only reliable fix.
7.3. Hunt for Signs of Compromise
Because exploitation is already happening, your job isn't just "patch and pray." It's also incident response:
Review logs for:
- Suspicious POSTs to RSC/server action endpoints
- Odd shell-like commands coming from `node` or `next-server` processes
Look for:
- Unexpected processes spawned by `node`/`next`
- Outbound connections to known C2 ranges
- Cryptominers, tools like `TruffleHog`, `Gitleaks`
- Scripts enumerating environment variables and metadata endpoints
Indicators of Compromise (IOCs):
```bash
# Check for suspicious processes (drop the grep itself from the match)
ps aux | grep -E "(xmrig|miner|nc |/bin/sh|/bin/bash.*-i)" | grep -v grep
# Check for unusual network connections
netstat -an | grep ESTABLISHED | grep -v "127.0.0.1\|::1"
# Check Node.js process for suspicious child processes
# (pgrep may return several PIDs; pstree -p takes one at a time)
for pid in $(pgrep -f "next-server"); do pstree -p "$pid"; done
```
If you see anything suspicious:
- Treat that node/container as compromised
- Rotate secrets and tokens immediately
- Follow your full IR playbook
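The process-tree hunt above, turned into something you can run over a captured snapshot; this is an added example and not one of the post's commands or a vendor tool. It parses `ps -eo pid,ppid,comm,args` output and reports processes that descend from a `node` / `next-server` process and match the post-exploitation patterns the write-ups describe (miners, netcat, interactive shells, environment and cloud-metadata enumeration). `PS_SAMPLE` is constructed for the demo.

```javascript
// Added example: find children of the web server process that look like
// post-exploitation activity. Patterns follow the indicators in the post;
// the metadata IP is the well-known cloud metadata endpoint.
const SUSPICIOUS = [
  /xmrig|miner/i,                 // dropped cryptominers
  /(^|\s)nc(\s|$)/,               // netcat, common reverse-shell tooling
  /\/bin\/(ba)?sh(\s+-i|\s*$)/,   // interactive shell under the web server
  /printenv|\benv\b/,             // enumerating environment variables
  /169\.254\.169\.254/,           // cloud metadata endpoint (AWS/Azure/GCP)
];
const WEB_PARENTS = /^(node|next-server)/; // comm may be truncated by ps

// Skip the header; ARGS is the rest of the line and may contain spaces.
function parsePs(text) {
  return text.trim().split("\n").slice(1).map((line) => {
    const [pid, ppid, comm, ...args] = line.trim().split(/\s+/);
    return { pid: Number(pid), ppid: Number(ppid), comm, args: args.join(" ") };
  });
}

function huntChildren(procs) {
  const byPid = new Map(procs.map((p) => [p.pid, p]));
  const webAncestor = (p) => {        // bounded walk up the ppid chain
    for (let cur = byPid.get(p.ppid), d = 0; cur && d < 64; cur = byPid.get(cur.ppid), d++) {
      if (WEB_PARENTS.test(cur.comm)) return cur;
    }
    return null;
  };
  return procs
    .filter((p) => !WEB_PARENTS.test(p.comm))
    .map((p) => ({ p, anc: webAncestor(p) }))
    .filter(({ p, anc }) => anc && SUSPICIOUS.some((re) => re.test(p.args)))
    .map(({ p, anc }) => ({ pid: p.pid, parent: anc.comm, args: p.args }));
}

// Constructed snapshot: a shell and a miner under next-server, a metadata
// probe, and an unrelated admin bash session that must not be flagged.
const PS_SAMPLE = `
  PID  PPID COMM            ARGS
    1     0 systemd         /sbin/init
  412     1 node            node /app/node_modules/.bin/next start
  430   412 next-server     next-server (v15)
  915   430 sh              /bin/sh -i
  921   915 xmrig           ./xmrig -o pool.example:3333
  933   430 sh              /bin/sh -c curl -s http://169.254.169.254/
  950     1 bash            /bin/bash -l
`;

console.log(huntChildren(parsePs(PS_SAMPLE)));
```

On a live host, capture the snapshot with `ps -eo pid,ppid,comm,args > ps.txt` and pass the file contents to `parsePs`.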
7.4. Use WAF / Network Controls as a Temporary Shield
While you're patching:
- Enable any vendor-provided React2Shell / RSC-specific WAF rules
- Add temporary rate limits and anomaly detection on critical endpoints
- Monitor for spikes in 4xx/5xx responses on RSC routes
Mental model: WAF == seatbelt, patch == brake pedal. You still need brakes.
8. The Bigger Picture: Front-End Is Now Back-End
The loudest message out of React2Shell isn't "React is insecure." It's that modern front-end frameworks are now back-end frameworks, and we're still adapting our mental models.
The Old World
- React was "just front-end"
- Security meant XSS, CSRF, CSP, etc.
- Server bugs lived in Java, Python, Go
The New World
- React Server Components + meta-frameworks blur the line between client and server
- The "front-end" stack now includes server runtimes, custom protocols (like Flight), and distributed rendering pipelines
- A bug in a UI framework can behave like a bug in a core server framework, with full RCE blast radius
React2Shell is a textbook example: a protocol-level flaw in how server components deserialize data leads to direct shell access on servers.
The Lesson for Engineering Leaders
If your front-end stack is powering server logic, your AppSec model has to treat it as critical infrastructure—because attackers already do.
This means:
- SBOM and dependency visibility are now P0 requirements
- Front-end teams need security training beyond XSS
- Incident response playbooks must cover Node.js/Next.js servers
- WAF rules need to understand RSC traffic patterns
9. Resources and Further Reading
Official Advisories
Quick Reference
| Item | Value |
|---|---|
| CVE | CVE-2025-55182 |
| CVSS Score | 10.0 (Critical) |
| Attack Vector | Network (Remote) |
| Auth Required | None |
| User Interaction | None |
| Impact | Full Server Takeover |
10. Conclusion: Act Now, Ask Questions Later
React2Shell is the kind of vulnerability that separates security-mature organizations from the rest. The facts are clear:
- CVSS 10.0: Maximum severity
- Pre-auth RCE: No login required
- Default configs affected: Most Next.js apps using RSC
- Active exploitation: Happening right now
- High reliability: Near-100% success rate
Your action items:
- ✅ Audit your dependencies — Check for vulnerable packages
- ✅ Patch immediately — Don't wait for the next sprint
- ✅ Hunt for compromise — Review logs and processes
- ✅ Update your mental model — Front-end is now attack surface
The security community has done its job by disclosing and documenting this vulnerability. Now it's on engineering teams to respond with urgency.
"In the old world, front-end was an afterthought in security audits. React2Shell is the wake-up call that changes everything."
— The gsstk Security Team
Stay safe. Ship patches. Rotate secrets.
Published: January 27, 2026