React2Shell (CVE-2025-55182): The Critical RCE That's Turning React and Next.js Into a Hacker's Playground


React2Shell is a CVSS 10.0 pre-auth RCE in React Server Components and Next.js. Learn what it is, who's affected, and how to patch before attackers own...

Human-architected research synthesized with the assistance of AI personas.


💡 TL;DR (Executive Summary)

React2Shell (CVE-2025-55182) is a CVSS 10.0 pre-authentication RCE in React Server Components and Next.js. A single HTTP request can give attackers full server access. Default configs are vulnerable. Exploits are in the wild. If you run RSC or Next.js, drop everything and patch now. This is not a drill.


1. The Hook: Why This Matters Right Now

Over the last 24 hours, security and infra channels from San Francisco to Bangalore have lit up with a single topic:

React2Shell (CVE-2025-55182) — a pre-authentication remote code execution (RCE) vulnerability that exposes tens of thousands of production apps to full server takeover with a single HTTP request.

This isn't just another scary CVE ID for your backlog. This is the kind of bug that hits every nerve ending at once:

  • Default configs are affected.
  • Popular frameworks (Next.js, RSC-enabled stacks) are impacted.
  • Exploits are reliable and already circulating in the wild.
  • Cloud telemetry shows hundreds of thousands of exposed instances worldwide.

Wiz reports vulnerable React/Next.js across ~39% of cloud environments, and Unit 42 has visibility into ~968k React/Next.js instances on the public internet.

For anyone who lived through Log4Shell, this feels uncomfortably familiar. But this time, it's not about a logging library quietly buried in Java microservices. It's about the front-end stack that powers a huge fraction of the modern web.


2. What React2Shell Actually Is (In Plain English)

React2Shell targets the React Server Components "Flight" protocol—the binary protocol React uses to communicate between client and server for RSC. In affected versions:

  • The server trusts and deserializes attacker-controlled RSC payloads unsafely.
  • A single crafted HTTP request can trigger arbitrary code execution on the server.
  • No authentication is required.
  • The attack is near-100% reliable in testing according to Wiz.

Because Next.js implements RSC and the Flight protocol, it inherits the same bug. A standard Next.js app created with create-next-app and deployed with default settings can be exploitable with no custom code changes if it's using affected versions.

React's own advisory confirms the CVSS 10.0 rating.

Key CVE Details

| CVE ID         | Description                                               | Status  |
|----------------|-----------------------------------------------------------|---------|
| CVE-2025-55182 | Core React RSC / Flight protocol RCE                      | Primary |
| CVE-2025-66478 | Initially assigned for Next.js, later merged as duplicate | Merged  |

The popular name "React2Shell" comes from researchers who immediately recognized the Log4Shell-level severity.


3. Why This Exploded in 24 Hours

The technical advisory landed days ago, but three converging factors pushed React2Shell into "front-page in every tech Slack" territory:

3.1. Public PoCs and Active Exploitation

Early write-ups were cautious about details, but Wiz, Invicti and Unit 42 now confirm:

  • Fully working RCE exploits exist
  • Public proof-of-concept code is circulating
  • Opportunistic scanning and exploitation are in full swing

3.2. Massive Exposed Surface Area

  • React is everywhere; Next.js is the de facto React meta-framework.
  • RSC is enabled by default in modern Next.js app router setups.
  • You can be vulnerable even if you never consciously opted into fancy RSC features.

3.3. Cloud-Scale Telemetry Looked… Bad

  • Wiz data: vulnerable React/Next.js stacks in nearly 4 out of 10 cloud environments, with a big chunk internet-facing.
  • Unit 42 sees nearly one million React/Next.js instances exposed on the public internet.

Security teams saw the combination of popular + default-on + pre-auth RCE + PoC + exploitation and immediately went into "all hands" mode.


4. How the Exploit Works (Technical Deep Dive)

At a conceptual level, React2Shell is a textbook case of insecure deserialization in a custom protocol:

4.1. The Flight Protocol

RSC uses the Flight protocol to serialize component trees and server actions across the wire. It's a binary/text hybrid format that:

  1. Encodes React component references
  2. Serializes props and state
  3. Handles server action invocations

4.2. The Attack Vector

4.3. Why It's So Dangerous

  1. Pre-Auth: No login required. Public endpoints are exploitable.
  2. Protocol-Level: The bug lives below your app logic. The attacker doesn't care what your business code does.
  3. Reliable: Near-100% success rate means automated exploitation is trivial.
  4. Widespread: Default Next.js setups with app/ router are in scope.

Invicti's analysis describes it as a "one-request RCE": pre-auth, no user interaction, no misconfiguration required beyond running vulnerable versions.


5. Who Is Affected: The Full Blast Radius

From the official React advisory and vendor write-ups, the vulnerable components are:

5.1. Vulnerable React Packages

The following packages in the 19.x RSC / Flight line are affected:

| Package                    | Vulnerable Versions          | Patched Versions        |
|----------------------------|------------------------------|-------------------------|
| react-server-dom-webpack   | 19.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1+ |
| react-server-dom-parcel    | 19.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1+ |
| react-server-dom-turbopack | 19.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1+ |

Source: React advisory

5.2. Vulnerable Frameworks and Tooling

Any framework or bundler that embeds or depends on affected RSC packages is in scope:

  • Next.js (App Router) — Specific 15.x / 16.x ranges and certain canary builds
  • React Router RSC preview
  • Redwood SDK
  • Waku
  • Vite RSC plugin (@vitejs/plugin-rsc)
  • Parcel RSC plugin (@parcel/rsc)

Microsoft and Unit 42 both provide explicit affected version ranges and mitigation guidance.

5.3. Who's NOT Affected

If you're on pure client-side React (SPA with no react-server-dom-* anywhere), you're not impacted by this specific bug. But many orgs use frameworks that pull these server packages indirectly, which is why SBOM and dependency visibility tools suddenly matter a lot.


6. What Attackers Are Actually Doing With React2Shell

The scary part is not just that this exploit exists; it's that multiple threat intel teams are already watching it being used at scale.

6.1. Wiz Observations

Wiz reports:

  • Near-100% reliability in their RCE testing
  • Observed campaigns harvesting cloud credentials
  • Dropped cryptominers (e.g., XMRig)
  • Shells used to explore compromised boxes

6.2. Microsoft Telemetry

Microsoft sees:

  • Hundreds of compromised devices in real orgs
  • Post-exploitation payloads including reverse shells, RATs, and credential-stealing scripts
  • Targeting of cloud metadata endpoints (AWS, Azure, GCP, Tencent) for token theft

6.3. Unit 42 Intelligence

Unit 42 has seen:

  • Cobalt Strike-like activity
  • Custom Linux backdoors (e.g., KSwapDoor)
  • Cryptomining campaigns
  • IAB-style (initial access broker) operations
  • A mix of opportunistic exploitation and more targeted campaigns

This isn't a theoretical "could be bad if someone figures it out" bug. At this point, the offensive ecosystem has React2Shell fully onboarded.


7. What You Should Do Right Now

In DevRel-speak, here's the TL;DR: Treat React2Shell as an active incident until you've proven you're clean and patched.

7.1. Identify If You're Impacted

You need real inventory, not vibes.

Search dependencies:

```bash
# Check for vulnerable packages
npm ls react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack

# Check Next.js version
npm ls next

# For monorepos, scan all packages
npx lerna ls --all --long 2>/dev/null || npm ls --all | grep -E "react-server-dom|next@"
```

Match versions against the official ranges in the React advisory and the Microsoft and Unit 42 write-ups.

If you have internet-facing Next.js apps running vulnerable versions, assume they are high-risk targets immediately.
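Matching a lockfile against the table in section 5.1 can be scripted. The following is an added example (not the advisory's or any vendor's code) that reads the `packages` map of a package-lock.json, classifies every installed copy of react-server-dom-* against the versions the article lists, and treats 19.x minors the table does not cover as unknown rather than safe; the lockfile fragment is constructed.

```javascript
// Added example, not from the advisory or any vendor: scan a package-lock.json
// (lockfileVersion 2/3 "packages" map) for react-server-dom-* versions the article's
// table lists as vulnerable. Table values are the article's; re-check the React advisory.
const AFFECTED = new Set(["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"]);
// First patched patch-level per 19.x minor from the table: 19.0.1, 19.1.2, 19.2.1.
const FIRST_PATCHED_PATCH = { 0: 1, 1: 2, 2: 1 };

function parseVersion(v) {
  // "19.0" -> patch 0; a pre-release tag ("-canary.3") sorts before the release.
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?(-.*)?$/.exec(String(v).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +(m[3] || 0), pre: !!m[4] } : null;
}

// "vulnerable", "patched", "unknown" (19.x minor not in the table) or "not-in-scope".
function classify(name, version) {
  if (!AFFECTED.has(name)) return "not-in-scope";
  const p = parseVersion(version);
  if (!p || p.major !== 19) return "not-in-scope";
  const fixed = FIRST_PATCHED_PATCH[p.minor];
  if (fixed === undefined) return "unknown";
  return p.patch < fixed || (p.patch === fixed && p.pre) ? "vulnerable" : "patched";
}

// Walks every installed copy, nested ones included ("node_modules/a/node_modules/b").
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const idx = path.lastIndexOf("node_modules/");
    const name = idx === -1 ? path : path.slice(idx + "node_modules/".length);
    const status = classify(name, entry.version);
    if (status === "vulnerable" || status === "unknown") findings.push({ path, name, version: entry.version, status });
  }
  return findings;
}

// Constructed sample lockfile fragment, not a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-rsc-tool/node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/react-server-dom-turbopack": { version: "19.0" },
    "node_modules/react-server-dom-parcel": { version: "19.3.0" },
    "node_modules/react-dom": { version: "19.2.0" },
  },
};
console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
```

A lockfile scan only sees packages installed as dependencies; a framework that bundles its own copy of the RSC runtime inside its package (Next.js does) must be checked by its own version against the vendor ranges.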

7.2. Patch. Don't Wait for "The Next Sprint."

```bash
# Update React RSC packages
# (npm update stays inside the ranges in package.json; if a range pins a
# vulnerable version, install the patched version explicitly)
npm update react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack

# Update Next.js
npm update next

# Verify versions
npm ls react-server-dom-webpack next
```

Exact version numbers may evolve, but as of the advisories:

  • Upgrade RSC packages to patched 19.x versions (19.0.1, 19.1.2, 19.2.1 or later)
  • Upgrade Next.js to patched versions in your major line

Then:

  1. Rebuild your app images/artifacts
  2. Redeploy all affected environments (staging, prod, long-lived "temporary" environments)

Cloud WAF protections from providers (Cloudflare, etc.) help but are not enough. Every serious write-up explicitly calls patching the only reliable fix.

7.3. Hunt for Signs of Compromise

Because exploitation is already happening, your job isn't just "patch and pray." It's also incident response:

Review logs for:

  • Suspicious POSTs to RSC/server action endpoints
  • Odd shell-like commands coming from node or next-server processes

Look for:

  • Unexpected processes spawned by node / next
  • Outbound connections to known C2 ranges
  • Cryptominers, tools like TruffleHog, Gitleaks
  • Scripts enumerating environment variables and metadata endpoints

Indicators of Compromise (IOCs):

```bash
# Check for suspicious processes (the trailing grep -v drops this pipeline's own grep)
ps aux | grep -E "(xmrig|miner|nc |/bin/sh|/bin/bash.*-i)" | grep -v grep

# Check for unusual network connections
netstat -an | grep ESTABLISHED | grep -v "127.0.0.1\|::1"

# Check each Node.js server process for suspicious child processes
# (pgrep may return several PIDs; pstree takes one at a time)
for pid in $(pgrep -f "next-server"); do pstree -p "$pid"; done
```

If you see anything suspicious:

  • Treat that node/container as compromised
  • Rotate secrets and tokens immediately
  • Follow your full IR playbook
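The log review above (suspicious POSTs to RSC/server-action endpoints, and the 4xx/5xx spikes on RSC routes that section 7.4 says to monitor) can be turned into a first-pass detector. This is an added example, not the article's or any vendor's code; it assumes one JSON object per log line with ts (epoch seconds), ip, method, path, status and an rsc flag that your log pipeline sets for RSC/server-action requests, and the log lines are constructed.

```javascript
// Added example, not from the article or any vendor: triage access-log lines for the two
// patterns the article says to review, POST bursts against RSC/server-action routes and
// 5xx spikes on those routes. Assumed log format: one JSON object per line with ts (epoch
// seconds), ip, method, path, status and an rsc flag set by your log pipeline.
const WINDOW_SECONDS = 60;
const POST_BURST_THRESHOLD = 5;  // RSC POSTs from one IP inside the window; tune to your traffic
const ERROR_SPIKE_THRESHOLD = 3; // 5xx on one RSC route inside the window

function parseLines(text) {
  return text.split("\n").filter((l) => l.trim()).map((l) => JSON.parse(l));
}

// Keeps only timestamps inside the window for `key`, adds ts, returns the updated list.
function slide(map, key, ts) {
  const kept = (map.get(key) || []).filter((t) => ts - t < WINDOW_SECONDS);
  kept.push(ts);
  map.set(key, kept);
  return kept;
}

// One alert per burst: it fires when the count first reaches the threshold.
function triage(entries) {
  const posts = new Map();  // ip -> timestamps of RSC POSTs
  const errors = new Map(); // path -> timestamps of 5xx on RSC routes
  const alerts = [];
  for (const e of [...entries].sort((a, b) => a.ts - b.ts)) {
    if (!e.rsc) continue;
    if (e.method === "POST" && slide(posts, e.ip, e.ts).length === POST_BURST_THRESHOLD) {
      alerts.push({ kind: "post-burst", ip: e.ip, at: e.ts });
    }
    if (e.status >= 500 && slide(errors, e.path, e.ts).length === ERROR_SPIKE_THRESHOLD) {
      alerts.push({ kind: "5xx-spike", path: e.path, at: e.ts });
    }
  }
  return alerts;
}

// Constructed sample log, not real traffic: one client hammers a server-action route.
const SAMPLE_LOG = [
  { ts: 1000, ip: "203.0.113.5", method: "POST", path: "/", status: 500, rsc: true },
  { ts: 1001, ip: "203.0.113.5", method: "POST", path: "/", status: 500, rsc: true },
  { ts: 1002, ip: "203.0.113.5", method: "POST", path: "/", status: 500, rsc: true },
  { ts: 1003, ip: "203.0.113.5", method: "POST", path: "/", status: 200, rsc: true },
  { ts: 1004, ip: "203.0.113.5", method: "POST", path: "/", status: 200, rsc: true },
  { ts: 1005, ip: "198.51.100.7", method: "GET", path: "/dashboard", status: 200, rsc: true },
  { ts: 1100, ip: "198.51.100.7", method: "POST", path: "/dashboard", status: 200, rsc: true },
].map((o) => JSON.stringify(o)).join("\n");
console.log(triage(parseLines(SAMPLE_LOG)));
```

An alert is a lead for the checks in the IOC block above, not proof of compromise; a legitimate burst from a single NAT gateway will look the same, so correlate with process and network evidence before escalating.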

7.4. Use WAF / Network Controls as a Temporary Shield

While you're patching:

  • Enable any vendor-provided React2Shell / RSC-specific WAF rules
  • Add temporary rate limits and anomaly detection on critical endpoints
  • Monitor for spikes in 4xx/5xx responses on RSC routes

Mental model: WAF == seatbelt, patch == brake pedal. You still need brakes.


8. The Bigger Picture: Front-End Is Now Back-End

The loudest message out of React2Shell isn't "React is insecure." It's that modern front-end frameworks are now back-end frameworks, and we're still adapting our mental models.

The Old World

  • React was "just front-end"
  • Security meant XSS, CSRF, CSP, etc.
  • Server bugs lived in Java, Python, Go

The New World

  • React Server Components + meta-frameworks blur the line between client and server
  • The "front-end" stack now includes server runtimes, custom protocols (like Flight), and distributed rendering pipelines
  • A bug in a UI framework can behave like a bug in a core server framework, with full RCE blast radius

React2Shell is a textbook example: a protocol-level flaw in how server components deserialize data leads to direct shell access on servers.

The Lesson for Engineering Leaders

If your front-end stack is powering server logic, your AppSec model has to treat it as critical infrastructure—because attackers already do.

This means:

  1. SBOM and dependency visibility are now P0 requirements
  2. Front-end teams need security training beyond XSS
  3. Incident response playbooks must cover Node.js/Next.js servers
  4. WAF rules need to understand RSC traffic patterns

9. Resources and Further Reading

Official Advisories

Quick Reference

| Item             | Value                |
|------------------|----------------------|
| CVE              | CVE-2025-55182       |
| CVSS Score       | 10.0 (Critical)      |
| Attack Vector    | Network (Remote)     |
| Auth Required    | None                 |
| User Interaction | None                 |
| Impact           | Full Server Takeover |

10. Conclusion: Act Now, Ask Questions Later

React2Shell is the kind of vulnerability that separates security-mature organizations from the rest. The facts are clear:

  • CVSS 10.0: Maximum severity
  • Pre-auth RCE: No login required
  • Default configs affected: Most Next.js apps using RSC
  • Active exploitation: Happening right now
  • High reliability: Near-100% success rate

Your action items:

  1. Audit your dependencies — Check for vulnerable packages
  2. Patch immediately — Don't wait for the next sprint
  3. Hunt for compromise — Review logs and processes
  4. Update your mental model — Front-end is now attack surface

The security community has done its job by disclosing and documenting this vulnerability. Now it's on engineering teams to respond with urgency.


"In the old world, front-end was an afterthought in security audits. React2Shell is the wake-up call that changes everything."

The gsstk Security Team


Stay safe. Ship patches. Rotate secrets.

Published: January 27, 2026
