React2Shell is the name given by researchers to a high-severity remote code execution (RCE) vulnerability affecting React Server Components (RSC). The flaw, tracked as CVE-2025-55182, was discovered by security researcher Lachlan Davidson and privately reported to the React team on November 29, 2025.
At the heart of the issue is a critical weakness in the React “Flight” protocol, which handles serialization and data transfer between server and client during RSC operations. Because of unsafe deserialization, an attacker can send specially crafted HTTP requests that trigger arbitrary code execution on the server, with no authentication and no user interaction required.
Because the bug enables full server compromise, it has earned a maximum CVSS score of 10.0, placing it among the most severe vulnerabilities ever reported in the React ecosystem.
A related identifier, CVE-2025-66478, has been assigned for impacts in Next.js, although NVD validation is still pending. Public PoCs surfaced quickly, and exploitation has already been observed—including activity attributed to China-nexus state-aligned threat actors.
Technical Breakdown
React2Shell abuses insecure deserialization inside the React Flight protocol, which is responsible for managing server-side rendering and transporting serialized component data.
How the exploit works
- An attacker sends manipulated RSC requests (for example, to server actions or dynamic rendering endpoints).
- The server deserializes this data without validation.
- The malformed payload is then executed as arbitrary code on the server.
This attack path is especially dangerous because:
- Even default Next.js apps (e.g., created via create-next-app) can be vulnerable.
- Exploitation is easy and unauthenticated.
- Successful compromise can lead to:
  - Backdoor installation
  - Credential theft
  - Data exfiltration
  - Lateral movement across internal systems
The flaw impacts several core libraries powering RSC:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Affected Software
React Versions
- 19.0
- 19.1.0
- 19.1.1
- 19.2.0
Next.js
- All 15.x and 16.x versions using the App Router, which internally relies on RSC.
Other frameworks
Any framework or tool that implements RSC or the Flight protocol may also be impacted.
It’s important to note that React apps without server-side RSC features are not affected.
Even so, given the widespread adoption of React and Next.js, thousands of production applications remain at risk.
Exploitation Timeline and Real-World Impact
Public proof-of-concept exploits appeared on December 3, 2025, and attackers began using them almost immediately. Major cloud and monitoring providers—including AWS and Datadog—have confirmed active exploitation in the wild.
The U.S. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) list on December 5, 2025, signaling rapid weaponization.
Threat actors abusing this vulnerability
- Opportunistic attackers
- Ransomware operators
- State-linked groups (notably China-nexus actors)
Indicators of compromise
- Unexpected spawning of Node.js child processes
- Strange or malformed RSC/Flight requests
- Unusual outbound connections or data exfiltration behavior
Mitigation & Security Recommendations
1️⃣ Patch Immediately
Apply the vendor-released fixes:
- React: Update to 19.2.1 or higher
- Next.js: Update to 15.1.1, 16.0.1, or newer
Always review the official advisories for your environment.
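To support the version review in this section, here is an added example, not code from the article or the React project, that scans a package-lock.json for the affected React and Next.js versions listed on this page. The fix thresholds (React 19.2.1, Next.js 15.1.1 / 16.0.1) are assumed from the text above and should be confirmed against the official advisories; the check cannot tell whether a Next.js app actually uses the App Router.

```javascript
// Added example, not from the article or the React project: scan a parsed
// package-lock.json (lockfileVersion 2/3) for React/Next.js versions the article
// lists as affected. Assumed from the text: fixes are React 19.2.1 and Next.js
// 15.1.1 / 16.0.1 (confirm with the official advisories); App Router use is assumed.
// "19.0" -> [19, 0, 0]; a leading "^"/"~" and any prerelease suffix are dropped.
function parseVersion(v) {
  const core = v.replace(/^[^0-9]*/, "").split(/[-+]/)[0].split(".");
  return [0, 1, 2].map((i) => parseInt(core[i] || "0", 10));
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when the installed version sits below the fix for its major line.
function isAffected(name, version) {
  const v = parseVersion(version);
  if (name === "react") return v[0] === 19 && compareVersions(v, [19, 2, 1]) < 0;
  if (name === "next" && v[0] === 15) return compareVersions(v, [15, 1, 1]) < 0;
  if (name === "next" && v[0] === 16) return compareVersions(v, [16, 0, 1]) < 0;
  return false;
}

// Libraries the article names as carrying the flaw but gives no thresholds for,
// so their presence is reported for manual review rather than judged.
const RSC_LIBS = ["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"];
function checkLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop(); // also catches nested copies
    if (!name || !meta.version) continue;
    if (isAffected(name, meta.version)) {
      findings.push({ path, name, version: meta.version, status: "affected" });
    } else if (RSC_LIBS.includes(name)) {
      findings.push({ path, name, version: meta.version, status: "review" });
    }
  }
  return findings;
}

// Constructed sample; for a real project use JSON.parse(fs.readFileSync("package-lock.json", "utf8")).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/react": { version: "19.1.1" },
  "node_modules/next": { version: "15.0.4" },
  "node_modules/react-server-dom-webpack": { version: "19.1.1" },
  "node_modules/some-tool/node_modules/react": { version: "19.2.1" },
} };
for (const f of checkLockfile(SAMPLE_LOCK)) console.log(`${f.status}: ${f.name}@${f.version} (${f.path})`);
```

Run it against each environment's lockfile (L66 below asks for exactly that review); nested copies under another package's node_modules are reported with their full path so you can trace which dependency pulled them in.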
2️⃣ Detect and Monitor
- Use Burp Suite, WAF logs, or custom scanners to flag unsafe RSC endpoints.
- Enable enhanced logging for:
  - RSC request patterns
  - Server action endpoints
  - Node.js process activity
3️⃣ Temporary Workarounds (If Patching Is Delayed)
- Restrict access to RSC endpoints using:
  - IP allowlists
  - Reverse proxies
- Validate or sanitize incoming serialized data
- Disable non-essential RSC features temporarily
4️⃣ Follow Best Practices
- Conduct internal vulnerability scans
- Review dependency versions across all environments
- Perform incident response if compromise is suspected