On December 3, 2025, the React team disclosed one of the most severe vulnerabilities in the framework's history: CVE-2025-55182, better known as React2Shell. With a maximum CVSS score of 10.0, this critical remote code execution vulnerability has sent shockwaves through the development community. If you're running React Server Components, Next.js, or related frameworks, this is something you need to understand immediately.
What Is React2Shell?
React2Shell is an unsafe deserialization vulnerability in React Server Components that allows attackers to execute arbitrary code on vulnerable servers. The flaw exists in how React's "Flight" protocol (the wire format React Server Components use to move serialized data between client and server) handles incoming payloads, specifically in the react-server package.
The Scary Part
What makes this vulnerability particularly alarming is that exploitation can occur even if you're not actively using React Server Function endpoints. The vulnerability exists in the default configuration of affected applications, meaning a standard Next.js app created with create-next-app can be exploited with no code changes by the developer.
Key Facts:
- CVSS Score: 10.0 (Critical)
- Authentication Required: None
- User Interaction: None
- Attack Complexity: Low
- Public Exploits: Available and actively being used in the wild
Who's Affected?
The vulnerability impacts a broad ecosystem of frameworks and tools:
Directly Affected:
- React 19 versions: 19.0, 19.1.0, 19.1.1, and 19.2.0
- Next.js: Versions 15.x through 16.x (and certain 13.x/14.x canary releases)
- React Router: If using unstable RSC APIs
- Other frameworks: Waku, Expo, Redwood SDK, Vite (with RSC plugins), Parcel
The Scale
According to the 2024 State of JavaScript survey, React is used by 82% of respondents. Next.js alone is used by approximately 18–20% of developers. This makes React2Shell one of the most widespread vulnerabilities in recent history.
How the Attack Works
The vulnerability exploits React's deserialization logic in the Flight protocol. Here's a simplified breakdown:
- Malicious Payload Construction: The attacker crafts a specially formatted HTTP POST request containing a malicious payload
- Unsafe Deserialization: The React server processes this payload without properly validating its structure
- Code Execution: Through a series of self-referencing "gadget chains," the attacker gains the ability to execute arbitrary JavaScript on the server
- Full Compromise: With code execution achieved, attackers can read files, access cloud metadata, steal credentials, or install backdoors
Why It's So Dangerous
In Next.js specifically, any application built on the App Router treats a POST request that carries a next-action header as a Server Action request, so the vulnerable deserialization path is reachable without the developer ever defining an action. There's no need to guess action names or find specific endpoints: the attack surface is wide open by default.
Active Exploitation in the Wild
Security researchers have observed widespread exploitation attempts within hours of the vulnerability's disclosure:
Attack Patterns Observed:
- Reconnaissance: Environment discovery, hostname enumeration, and DNS-based beaconing
- Credential Harvesting: Systematic dumping of AWS credentials, npm tokens, SSH keys, and environment variables
- Cloud Metadata Access: Attempts to access 169.254.169.254 for IAM credentials
- Cryptomining: Deployment of XMRig and other cryptocurrency miners
- Backdoors: Installation of Sliver implants and persistent access tools
According to Amazon Threat Intelligence, exploitation attempts linked to nation-state actors were detected within hours of public disclosure, with some campaigns showing suspected ties to Chinese state-nexus threat groups.
How to Protect Yourself
Immediate Actions Required:
1. Upgrade Immediately
For React, upgrade to patched versions:
- 19.0.1 (for 19.0 users)
- 19.1.2 (for 19.1.x users)
- 19.2.1 (for 19.2.x users)
For Next.js, upgrade to:
- 14.2.35 (for versions 13.3.x through 14.x)
- 15.1.4 (for 15.x users)
2. Run Security Audits
Execute npm audit in your project directory to identify vulnerable dependencies:
npm audit
3. Check for Compromise
Look for signs of exploitation:
- Unusual outbound network connections
- New processes running as system services
- Unexplained files in /tmp or /var/tmp
- Suspicious environment variable access patterns
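To complement npm audit (which only reports what the advisory database already knows), here is an added example, not code from the article or the React project, that scans a package-lock.json for the affected React 19 versions listed above and names the patched release for each. It assumes a lockfileVersion 2 or 3 lockfile and that react-dom and the react-server-dom-* packages are versioned in lockstep with react.

```javascript
// Added example (not from the article or the React project): scan a
// package-lock.json for the React 19 releases the article lists as affected
// and report the patched release it names for each line.

// Affected version -> patched version, exactly as the article lists them
// ("19.0" in the article appears as "19.0.0" in a lockfile).
const REACT_FIX = {
  "19.0.0": "19.0.1",
  "19.1.0": "19.1.2",
  "19.1.1": "19.1.2",
  "19.2.0": "19.2.1",
};

// Assumption: react-dom and the react-server-dom-<bundler> packages (the
// Flight runtime) are published in lockstep with react, so the same table applies.
const REACT_PKG = /^(react|react-dom|react-server-dom-[a-z]+)$/;

// Walk a lockfileVersion 2/3 "packages" map, whose keys are paths such as
// "node_modules/react" or "node_modules/<dep>/node_modules/react" (nested
// copies count too), and collect every affected entry.
function findVulnerableReact(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (!REACT_PKG.test(name) || !entry.version) continue;
    const upgradeTo = REACT_FIX[entry.version];
    if (upgradeTo) findings.push({ path, name, version: entry.version, upgradeTo });
  }
  return findings;
}

// Constructed sample lockfile: root react already patched, react-dom and the
// Flight runtime still on 19.1.1, and a nested 19.0.0 copy pulled in by a dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/react": { version: "19.1.2" },
    "node_modules/react-dom": { version: "19.1.1" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/some-widget/node_modules/react": { version: "19.0.0" },
  },
};

for (const f of findVulnerableReact(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.version} is affected, upgrade to ${f.upgradeTo}`);
}
```

For a real project, replace SAMPLE_LOCK with JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")).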
Detection Mechanisms
A high-fidelity detection method involves sending a specific test payload and checking for a 500 status code with E{"digest" in the response. However, this should only be done by security professionals on systems you own.
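As an added example (not from the article or any vendor), here is that response-side signature turned into log triage for systems you already operate: it assumes request logs as one JSON object per line with the constructed field names used in the sample, and uses the next-action header from the earlier section as the request-side filter.

```javascript
// Added example (not from the article): triage newline-delimited JSON request
// logs for the response signature the article describes, an HTTP 500 whose body
// starts with E{"digest", on POST requests carrying a next-action header.
// The record fields below are this example's own assumption, not a Next.js or
// proxy log format; map your own fields onto them.

const SIGNATURE = 'E{"digest"';

// "high": full signature. "medium": server-action POST that returned 500 but the
// body prefix was not logged or differs (worth a look, since many proxies log no
// body). null: everything else, including legitimate actions that succeeded.
function classify(rec) {
  const headers = rec.headers || {};
  const hasAction = Object.keys(headers).some((h) => h.toLowerCase() === "next-action");
  if (rec.method !== "POST" || !hasAction || rec.status !== 500) return null;
  const body = typeof rec.body_prefix === "string" ? rec.body_prefix : "";
  return body.startsWith(SIGNATURE) ? "high" : "medium";
}

// Parse one record per line (malformed lines are skipped, not fatal) and group
// hits by client address so repeated probing from one source stands out.
function triage(ndjson) {
  const byClient = {};
  for (const line of ndjson.split("\n")) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch { continue; }
    const level = classify(rec);
    if (!level) continue;
    const ip = rec.client_ip || "unknown";
    if (!byClient[ip]) byClient[ip] = { high: 0, medium: 0, paths: new Set() };
    byClient[ip][level] += 1;
    byClient[ip].paths.add(rec.path);
  }
  return byClient;
}

// Constructed sample: a page load, a server action that succeeded, a corrupt
// line, and two 500s from one client (one with the signature, one without).
const SAMPLE_LOG = [
  '{"client_ip":"203.0.113.7","method":"GET","path":"/","status":200,"headers":{},"body_prefix":"<!DOCTYPE html>"}',
  '{"client_ip":"198.51.100.2","method":"POST","path":"/","status":200,"headers":{"Next-Action":"abc"},"body_prefix":"0:"}',
  'not json at all',
  '{"client_ip":"198.51.100.9","method":"POST","path":"/","status":500,"headers":{"next-action":"x"},"body_prefix":"E{\\"digest\\":\\"..."}',
  '{"client_ip":"198.51.100.9","method":"POST","path":"/about","status":500,"headers":{"next-action":"x"},"body_prefix":""}',
].join("\n");

for (const [ip, r] of Object.entries(triage(SAMPLE_LOG))) {
  console.log(`${ip}: high=${r.high} medium=${r.medium} paths=${[...r.paths].join(",")}`);
}
```

A legitimate Server Action that throws also produces a 500 with this body shape, so treat "high" as a lead to correlate with the request source and path, not as proof of exploitation.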
Beyond the Immediate Fix
While patching is critical, organizations should also:
- Review Cloud Security Posture: Ensure proper IAM policies and least-privilege access
- Implement Runtime Protection: Deploy application security monitoring solutions
- Harden Container Security: If running in containers, implement proper network segmentation and resource limits
- Monitor for IOCs: Security vendors have published indicators of compromise — integrate these into your security monitoring
Lessons Learned
React2Shell highlights several important security principles:
- Supply Chain Security Matters: Even the most popular frameworks can have critical vulnerabilities
- Default Configurations Can Be Dangerous: Security should be "on by default"
- Serialization Is Hard: Deserializing untrusted data remains one of the most dangerous operations in software
- Patch Quickly: With public exploits and active exploitation, the window for safe patching is measured in hours, not days
Looking Forward
The React team and Meta's security organization responded quickly with patches and coordinated disclosure. Major hosting providers like Vercel deployed WAF rules to provide temporary protection (though upgrading is still essential).
However, the breadth of the React ecosystem means that many applications running vulnerable versions will remain unpatched for months. If you're a security professional, this vulnerability should be at the top of your priority list for scanning and remediation.
Conclusion
CVE-2025-55182 represents a perfect storm: maximum severity, ease of exploitation, massive install base, and active exploitation in the wild. If you're running React Server Components or Next.js in production, stop reading and patch now.
The vulnerability serves as a stark reminder that even mature, well-maintained frameworks can harbor critical security flaws. Stay vigilant, keep dependencies updated, and maintain robust security monitoring because the next React2Shell could be just around the corner.
Stay Safe! 🔒
Have you patched your applications yet? Share your experiences in the comments below.