What is the React2Shell Vulnerability?

React2Shell is the name security researchers gave to a critical vulnerability (CVE-2025-55182) in React Server Components (RSC), a feature of the React JavaScript library for building user interfaces. Discovered by researcher Lachlan Davidson and reported privately to the React team on November 29, 2025, it enables unauthenticated remote code execution (RCE) on affected servers. The vulnerability stems from unsafe deserialization in React's "Flight" protocol, the wire format RSC uses to move rendered component trees and Server Function (server action) arguments between client and server. An attacker can craft a malicious HTTP request that, when the server decodes it, executes arbitrary code on the server with no authentication and no user interaction.

The flaw carries the maximum CVSS score of 10.0, making it one of the most severe vulnerabilities reported in the React ecosystem. Next.js tracks the same issue separately as CVE-2025-66478, although at the time of writing the U.S. National Vulnerability Database (NVD) had not fully validated that assignment. Public proofs-of-concept (PoCs) are available and exploitation has been observed in the wild, including early attacks that AWS's threat intelligence team attributed to China-nexus groups linked to state-sponsored activity.

Technical Details

At its core, React2Shell is an insecure deserialization flaw on the server side of the RSC "Flight" protocol. When a server decodes an incoming Flight payload, typically the arguments of a Server Action (server function) call, the affected react-server-dom-* packages resolve references inside that payload without adequate validation, and a crafted body can steer the decoding logic into executing attacker-controlled code. This is particularly dangerous because default configurations are exposed: even a fresh project generated with create-next-app that uses the App Router accepts these requests. Exploitation needs only a single crafted HTTP request to an RSC endpoint and no credentials, and the resulting code execution can be used to install backdoors, steal credentials, exfiltrate data, or move laterally within the network.

The vulnerable code lives in the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages, the bundler-specific packages that implement the server side of Flight. The core react and react-dom packages are not themselves the vulnerable component, so checking only the react version is not enough. Note also that Next.js ships its own vendored copy of react-server-dom-* inside the next package, which is why Next.js applications are fixed by upgrading next rather than a separate React dependency.

Affected Versions and Software

•  React: react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack at versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 (the React 19 line). Check the React advisory for the canary and experimental builds published in the same window.

•  Next.js: Versions 15.x and 16.x using the App Router (which relies on RSC).

•  Other Frameworks: Any framework or custom server that uses one of the affected react-server-dom-* packages to decode RSC/Flight requests, including RSC setups built directly on those packages rather than on Next.js.

Not all React applications are impacted, only those that run a server accepting RSC/Flight requests. Client-only React apps (SPAs rendered entirely in the browser) are not exposed, and Next.js projects that use only the Pages Router do not go through RSC. However, given how much of the modern web is built on React and the App Router is the default for new Next.js projects, many production environments are at risk.
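Because the vulnerable component is react-server-dom-*, not react itself, a quick inventory should look at those packages (and at the next version, since Next.js bundles its own copy). The following is an added example, not code from the React or Next.js projects: it audits a lockfile v2/v3 package-lock.json against the affected versions listed above. The sample lockfile at the bottom is constructed for illustration, and the status names are this script's own.

```javascript
// Audit a package-lock.json (lockfile v2/v3, which carries a "packages" map)
// for the react-server-dom-* releases the React advisory lists as affected by
// CVE-2025-55182. Added example; not code from the React or Next.js projects.

const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
// Stable releases named in the React advisory.
const AFFECTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);

// "node_modules/next/node_modules/react-server-dom-webpack" -> the segment after
// the last "node_modules/", so nested (non-deduped) copies and @scoped names work.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns [major, minor, patch] for a stable version string, or null for
// prerelease tags such as canary/experimental builds.
function parseStable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  return m ? m.slice(1).map(Number) : null;
}

// Classify one installed package. Returns null for packages outside the scope
// of this advisory, including plain "react" and "react-dom", which are not the
// vulnerable component.
function classify(name, version) {
  if (RSC_PACKAGES.has(name)) {
    if (AFFECTED_VERSIONS.has(version)) return "affected";
    const parts = parseStable(version);
    // Canary/experimental builds carry their own version scheme; compare them
    // with the advisory by hand rather than guessing from the tag.
    if (!parts) return "review";
    // Releases before 19.0.0 are outside the advisory's affected range; any
    // other 19.x stable release not in the affected set is a patched one
    // (19.0.1, 19.1.2, 19.2.1) or later.
    return parts[0] < 19 ? "not-affected" : "patched";
  }
  if (name === "next") {
    // Next.js vendors its own copy of react-server-dom-* under
    // next/dist/compiled, so that copy never appears in the lockfile: for an
    // App Router app the "next" version itself must be checked against the
    // Next.js advisory.
    const major = Number(version.split(".")[0]);
    return major === 15 || major === 16 ? "review-next" : null;
  }
  return null;
}

function auditLockfile(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !entry || typeof entry.version !== "string") continue;
    const status = classify(name, entry.version);
    if (status) findings.push({ path: lockPath, name, version: entry.version, status });
  }
  return findings;
}

// Constructed sample lockfile (not a real project): a Next.js 16 App Router
// app with a vulnerable top-level react-server-dom-webpack, a patched nested
// turbopack build, and a canary parcel build that needs manual review.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { next: "16.0.0", react: "19.2.0" } },
    "node_modules/next": { version: "16.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-dom": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/react-server-dom-parcel": { version: "19.2.0-canary-0000000-20251101" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(12)} ${f.name}@${f.version}  (${f.path})`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The "review-next" status is deliberate: the script does not try to encode the per-line Next.js patch releases, so compare the reported next version with the Next.js advisory yourself. Lockfile v1 files (no "packages" map) and yarn/pnpm lockfiles need a different walker.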

Exploitation and Real-World Impact

The advisory and the first public exploits surfaced around December 3, 2025, and attacks began almost immediately. AWS's threat intelligence team and security vendors such as Datadog reported active exploitation, and CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog on December 5, 2025. Ransomware groups and nation-state actors are expected to weaponize it rapidly, much as happened with Log4Shell. Indicators of compromise include child processes (shells, downloaders) spawned by the Node.js server process, POST requests to Server Action routes from unexpected sources or with unusual bodies, and unexpected outbound connections from web servers.

Mitigation and Recommendations

•  Patch Immediately: Upgrade the react-server-dom-* packages to 19.0.1, 19.1.2 or 19.2.1 (or later on the respective line). For Next.js App Router apps, move to the patched release of your 15.x or 16.x line as listed in the Next.js advisory (for example 16.0.7 for 16.x or 15.5.7 for 15.5.x), or to the latest stable version. Check the vendor advisories for the full list.

•  Detection: Inventory dependencies (lockfiles, SBOMs, container images) for affected react-server-dom-* and next versions, and use web scanners such as Burp Suite to find exposed RSC endpoints. Monitor for exploit attempts at the web application firewall (WAF); vendor rules that block malformed RSC payloads are useful for visibility, but treat them as a stop-gap that can be bypassed rather than a fix.

•  Workarounds: If patching isn't immediate, restrict who can reach RSC endpoints, for example by IP-allowlisting Server Action requests at the proxy or in middleware. Base any such rule on a client address your own reverse proxy sets, since a client-supplied X-Forwarded-For header can be forged, and remember that this only narrows exposure; the deserialization bug remains until the packages are upgraded.

•  Best Practices: Conduct vulnerability scans, review dependencies, and hunt for signs of compromise. Organizations suspecting breach should engage incident response teams.
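One way to apply the IP-allowlisting workaround above in a Next.js project is a root-level middleware that refuses Server Action requests from addresses outside an allowlist before the Flight body is ever decoded. The following is an added example, not Next.js project code. It relies on two facts, that Next.js sends Server Action calls as POST requests carrying a Next-Action header and that Node 18+ provides the WHATWG Request and Headers APIs, and on one assumption: that the app sits behind a reverse proxy you control that overwrites X-Forwarded-For. The allowlist ranges, the "[rsc-guard]" log tag and the sample requests are constructed for illustration.

```javascript
// Stop-gap access control for Server Action requests while a Next.js app is
// still on a vulnerable build. Added example; not Next.js project code. It
// assumes a trusted reverse proxy that overwrites X-Forwarded-For.

// Constructed allowlist using documentation ranges; replace with your own.
const ALLOWED_CLIENTS = ["203.0.113.0/24", "198.51.100.17/32"];

function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    return null;
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// IPv4 only. IPv6 clients fail closed below because ipv4ToInt returns null.
function inCidr(ip, cidr) {
  const [network, bitsText] = cidr.split("/");
  const bits = bitsText === undefined ? 32 : Number(bitsText);
  const a = ipv4ToInt(ip);
  const n = ipv4ToInt(network);
  if (a === null || n === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((n & mask) >>> 0);
}

// Next.js sends Server Action calls as POSTs carrying the Next-Action header
// (the action ID). That is the request path on which the server decodes the
// Flight reply body, so it is the path to gate.
function isServerActionRequest(request) {
  return request.method.toUpperCase() === "POST" && request.headers.get("next-action") !== null;
}

// First hop of X-Forwarded-For. Only meaningful when the proxy in front of the
// app overwrites the header; otherwise a client can forge it.
function clientIp(request) {
  const xff = request.headers.get("x-forwarded-for");
  return xff ? xff.split(",")[0].trim() : null;
}

function decide(request, allowlist) {
  if (!isServerActionRequest(request)) {
    return { action: "allow", reason: "not a Server Action request" };
  }
  const ip = clientIp(request);
  if (ip === null) return { action: "block", reason: "no client address; failing closed" };
  if (allowlist.some((cidr) => inCidr(ip, cidr))) {
    return { action: "allow", reason: `${ip} is allowlisted` };
  }
  return { action: "block", reason: `${ip} is not allowlisted` };
}

// Shape of a root-level middleware.js. In a real Next.js project, return
// NextResponse.next() from "next/server" on the allow path; this standalone
// version returns null there so the logic runs without that import.
function middleware(request) {
  const verdict = decide(request, ALLOWED_CLIENTS);
  if (verdict.action === "block") {
    console.warn(`[rsc-guard] ${request.method} ${new URL(request.url).pathname}: ${verdict.reason}`);
    return new Response("Forbidden", { status: 403 });
  }
  return null;
}

// Constructed request from a non-allowlisted client: expect a 403.
const blocked = middleware(new Request("https://app.example/dashboard", {
  method: "POST",
  headers: { "next-action": "0123456789abcdef", "x-forwarded-for": "192.0.2.44, 10.0.0.2" },
}));
console.log(blocked ? `blocked with ${blocked.status}` : "allowed");
```

Two caveats: the guard gates only the Server Action path, so a custom server that calls the react-server-dom-* decode functions on other routes needs its own matcher, and the blocked-request log lines are worth shipping to your SIEM since they double as an exploit-attempt indicator. None of this replaces the upgrade.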

For the official advisory, see the React2Shell site or React's security page, and the Next.js advisory for CVE-2025-66478. This vulnerability underscores the risk of server-side code paths that deserialize client-controlled input in JavaScript frameworks; prompt patching is essential to avoid compromise.
