Critical 'React2Shell' Vulnerability Found

A major security advisory has been issued for React Server Components (RSC) covering a vulnerability dubbed React2Shell (CVE-2025-55182). It allows pre-authentication remote code execution and affects Next.js applications, and other frameworks built on RSC, in their default configuration.

The vulnerability, publicly disclosed on December 3, 2025, stems from a flaw in how React Server Components deserialize data. It carries a CVSS score of 10.0, the highest possible severity rating, reflecting both the ease of exploitation and the potential impact.

At its core, the issue lies in React's "Flight" protocol, the serialization format RSC uses to pass component trees and Server Action arguments between client and server. The server-side decoder does not adequately validate client-supplied Flight payloads, so an attacker can obtain arbitrary code execution on the server with a single, specially crafted HTTP request. No credentials are required: this is a pre-authentication vulnerability. Default configurations of popular frameworks such as Next.js are affected, which makes any unpatched application an immediate target without any developer error or misconfiguration.

Google's Threat Intelligence Group observed exploitation in the wild as early as December 5, 2025, just two days after public disclosure. Attackers have ranged from opportunistic cybercriminals deploying cryptocurrency miners to suspected state-sponsored espionage groups. The public availability of proof-of-concept exploit code has further accelerated the rate of attacks.

The flaw affects React versions 19.0.0 through 19.2.0 and the frameworks that build on RSC, most notably Next.js versions 15 and 16. Patches have been issued, and security teams recommend upgrading all affected applications immediately. Because React and Next.js are so widely deployed, the exposed attack surface is massive: one security foundation identified over 165,000 vulnerable IP addresses and 644,000 domains within a week of the disclosure. The primary vulnerability is tracked as CVE-2025-55182; the downstream impact on Next.js was initially assigned a separate identifier, CVE-2025-66478, which has since been folded into the primary CVE as a duplicate.

As a temporary mitigation for those unable to patch immediately, security experts suggest deploying Web Application Firewall (WAF) rules that block known malicious request patterns. Treat this as a stopgap only: WAF signatures cover the payloads that have already been seen, and the actual fix is to upgrade.
