Just in Time Bulletin: CVE-2025-55182 Critical Remote Code Execution Vulnerability in React Server Components

What is CVE-2025-55182?

CVE-2025-55182, dubbed React2Shell, is a critical, maximum-severity Remote Code Execution (RCE) vulnerability found in the core components of the React Server Components (RSC) ecosystem. This flaw allows an unauthenticated, remote attacker to execute arbitrary code on the server, making it one of the most severe web framework vulnerabilities in recent history.

It is a pre-authentication Remote Code Execution vulnerability in the React Server Components (RSC) framework and related packages. It was discovered by security researcher Lachlan Davidson and publicly disclosed on December 3, 2025.

The vulnerability stems from an issue with unsafe deserialization in the React “Flight” protocol, which is used for communication between the client and server components. An attacker can exploit this by crafting a malicious HTTP request that, when processed by the server, bypasses security validation and leads to the execution of arbitrary code.

Key aspects of the vulnerability:

Attack Mechanism:

The vulnerability is a logical deserialization flaw. The RSC “Flight” protocol relies on the server to safely decode and process payloads received from the client. Vulnerable versions of the React Server Components packages (specifically react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack) fail to adequately validate the structure of the incoming data.

An unauthenticated attacker can send a specially crafted HTTP POST request, often targeting an existing server function endpoint. The malicious payload contains a structure that, during the unsafe deserialization process, can be leveraged to gain control over the server’s internal execution context, allowing the attacker to call privileged functions like child_process.execSync to run arbitrary system commands.

Impact:

Successful exploitation results in unauthenticated Remote Code Execution (RCE) on the vulnerable server. This provides the attacker with the ability to:

• Compromise Infrastructure: Gain full access to the server, including the filesystem and environment variables (which may contain sensitive credentials like API keys).
• Data Exfiltration: Steal customer data, source code, and intellectual property.
• Lateral Movement: Use the compromised server as a pivot point to launch attacks against other internal network resources.
• Malware Installation: Deploy sophisticated, persistent backdoors, or, as observed in the wild, cryptominers and credential harvesting tools.

How bad is this?

According to the Common Vulnerability Scoring System (CVSS), CVE-2025-55182 has been assigned the maximum possible severity rating:

Who is affected by this?

The vulnerability affects Node.js applications that use React Server Components (RSC). The affected packages and versions are:

Major Frameworks and Ecosystems Impacted:

The vulnerability is inherited by popular frameworks that utilize RSC, most notably:

• Next.js: Versions 15.x and 16.x when using the App Router (which enables RSC by default).
• Other Frameworks: React Router with RSC APIs, Expo, RedwoodSDK, and Waku.

How is it exploited?

The exploit is remote and unauthenticated, meaning an attacker can compromise a vulnerable server simply by sending a malicious HTTP POST request. This request contains a specially crafted RSC payload (often a modified JSON structure) to a server function endpoint. The vulnerable server-side deserialization logic interprets this malicious input as a legitimate internal structure, allowing the attacker to inject and execute system commands.

How do I protect myself?

The primary and most effective defense is to patch immediately.

1. Upgrade React Server Component Packages: Ensure you are running the latest patched versions of the affected packages: 19.0.1, 19.1.2, or 19.2.1 (or newer).
2. Upgrade Next.js Framework: If you are using Next.js with the App Router, upgrade to one of the following fixed versions (or newer):
   • Next.js 15.0.5+
   • Next.js 16.0.7+

Mitigating factors?

While immediate patching is critical, the following defense-in-depth measures can help limit the potential impact of this and similar RCE vulnerabilities:

• WAF Protections: Cloud providers (like AWS and Google Cloud) have released specific Web Application Firewall (WAF) rules to detect and block known exploit patterns for React2Shell. Deploying and enabling these rules provides an immediate layer of network defense.
• Principle of Least Privilege: Run your Node.js/Next.js application processes with the absolute minimum privileges necessary. In the event of a successful RCE, this restricts the attacker’s ability to move laterally or modify critical system files.
• Container/Serverless Isolation: Deploying applications in secure, isolated environments (e.g., containers, serverless functions) with restricted network access and capabilities can limit the scope of compromise.

Additional Resources:

• React Security Advisory on CVE-2025-55182
  https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
• Wiz Research: React2Shell: Technical Deep-Dive & In-the-Wild Exploitation
  https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive
• CISA Known Exploited Vulnerabilities Catalog
  https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182
• NVD – CVE-2025-55182 Detail
  https://nvd.nist.gov/vuln/detail/CVE-2025-55182