React2Shell: Critical 10.0 CVSS RCE Flaw in React and Next.js Under Active Exploitation

Critical 'React2Shell' RCE Vulnerability (CVE-2025-55182) in React Server Components Sparks Widespread Emergency Patching

CRITICAL
December 4, 2025
December 11, 2025
6m read
VulnerabilityCyberattackThreat Intelligence

Related Entities(initial)

Threat Actors

Earth LamiaJackpot Panda

Products & Tech

React Next.js ViteParcel

Other

Amazon

CVE Identifiers

CVE-2025-55182
CRITICAL
CVSS:10
CVEDetails.com CVE.org
CVE-2025-66478
NONE
CVEDetails.com CVE.org

MITRE ATT&CK Techniques

T1190Initial Access

Exploit Public-Facing Application

T1505.003Persistence

Server Software Component

T1068Privilege Escalation

Exploitation for Privilege Escalation

T1210Lateral Movement

Exploitation of Remote Services

Full Report(when first published)

Executive Summary

A critical unauthenticated remote code execution (RCE) vulnerability, tracked as CVE-2025-55182 and nicknamed 'React2Shell', has been discovered in the core implementation of React Server Components (RSC). The flaw, which has a CVSS score of 10.0 (Critical), affects any application using vulnerable versions of react-server-dom-* packages, including modern instances of the popular Next.js framework. The vulnerability allows a remote attacker to execute arbitrary code on the server by sending a specially crafted HTTP request, with no authentication or user interaction required. Following its public disclosure on December 3, 2025, weaponized exploits were released, and active scanning and exploitation attempts have been detected in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the immediate and severe risk to a vast number of web applications. Organizations are urged to apply patches immediately.

Vulnerability Details

The vulnerability resides in the 'Flight' protocol used by React Server Components for server-client communication. Specifically, it is an unsafe deserialization flaw in how React's server-side components decode payloads sent to React Server Function endpoints. An attacker can craft a malicious payload that, when processed by the server, leads to arbitrary code execution. A crucial aspect of this vulnerability is that an application does not need to have explicitly defined any server functions to be exploitable. The mere presence and default configuration of RSC support in frameworks like Next.js is sufficient to expose the server to this attack vector. This makes the attack surface incredibly broad, as many developers may be unaware their applications are vulnerable.

Security researchers at Wiz demonstrated a reliable proof-of-concept, and multiple PoCs have since been made public, significantly lowering the barrier for malicious actors to launch attacks. The vulnerability was responsibly disclosed by researcher Lachlan Davidson on November 29, 2025, with patches developed by the React team and Meta before the public announcement.

Affected Systems

The vulnerability impacts a wide range of tools and frameworks in the React ecosystem. Organizations must check their dependencies for the following packages and versions:

  • react-server-dom-webpack: Versions 19.0.0, 19.1.0, 19.1.1, 19.2.0
  • react-server-dom-parcel: Versions 19.0.0, 19.1.0, 19.1.1, 19.2.0
  • react-server-dom-turbopack: Versions 19.0.0, 19.1.0, 19.1.1, 19.2.0
  • Next.js: Versions 15.x, 16.x, and Canary builds from 14.3.0
  • Other affected tools include: Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, Redwood SDK, and Waku.

Patched Versions:

  • React Packages: 19.0.1, 19.1.2, 19.2.1
  • Next.js: 16.0.7, 15.5.7, and others. Users should update to the latest available version.

Exploitation Status

Active exploitation of CVE-2025-55182 is confirmed. Within hours of the public disclosure, multiple threat intelligence firms, including Amazon, reported observing widespread scanning and exploitation attempts. The activity has been linked to known threat actors, including China-nexus groups such as Earth Lamia and Jackpot Panda. The public availability of weaponized exploits means that attacks are likely to escalate rapidly. On December 5, 2025, CISA added the vulnerability to its KEV catalog, confirming it as a clear and present danger being used in active attacks.

Impact Assessment

The impact of a successful exploit is severe, granting attackers full control over the compromised server. This can lead to:

  • Complete System Compromise: Attackers can install backdoors, ransomware, or cryptominers.
  • Data Theft: Sensitive data stored on the server or in connected databases can be exfiltrated.
  • Pivoting: The compromised server can be used as a beachhead to launch further attacks into the internal network.
  • Reputational Damage: A public breach can erode customer trust and lead to significant financial loss.

Given that Next.js is one ofthe most popular web development frameworks, the number of vulnerable internet-facing systems is estimated to be in the hundreds of thousands, if not millions. The ease of exploitation and the lack of required authentication make this one of the most significant web vulnerabilities of the year.

Cyber Observables for Detection

Security teams should proactively hunt for signs of compromise. These are not confirmed IOCs but indicators for threat hunting:

Type Value Description
url_pattern /_next/data/ Monitor for unusual or malformed requests to Next.js data routes.
http_header RSC Analyze RSC headers in incoming HTTP requests for anomalous or malicious-looking payloads.
process_name node Monitor node processes for unexpected child processes (e.g., sh, bash, powershell.exe), high CPU usage, or outbound network connections to suspicious IPs.
log_source Web Server Access Logs Scrutinize logs for HTTP requests with large or unusually encoded payloads, especially those targeting server function endpoints. Look for 5xx server errors that may indicate failed exploit attempts.
file_path /tmp/ Monitor for unexpected files being written or executed from temporary directories by the web server process.

Detection & Response

  • Web Application Firewall (WAF): Deploy WAF rules to inspect and block requests containing known malicious payloads targeting RSC endpoints. Many vendors are releasing emergency rulesets for React2Shell.
  • Endpoint Detection and Response (EDR): Monitor web server processes (e.g., node) for anomalous behavior, such as spawning shell processes or making unexpected network connections. This is critical for detecting post-exploitation activity. D3FEND's D3-PA: Process Analysis can be implemented here.
  • Network Traffic Analysis: Monitor for suspicious outbound connections from web servers. Attackers will often establish a C2 channel after a successful exploit. D3FEND's D3-NTA: Network Traffic Analysis is a key technique.
  • Log Analysis: Correlate web server access logs with EDR process logs to trace suspicious requests through to potential execution on the host. Look for patterns of scanning from single IP addresses across multiple web applications.

Remediation Steps

  1. Immediate Patching: The highest priority is to update all affected components to their patched versions. Use package managers (npm, yarn, pnpm) to update react-server-dom-* and next packages.
    # For Next.js projects using npm
npm install next@latest
  2. Verify Dependencies: Use tools like npm ls or yarn list to ensure that no transitive dependencies are pulling in vulnerable versions of the React packages. Snyk and other SCA tools can automate this.
  3. Apply WAF Mitigations: If patching cannot be performed immediately, apply virtual patching rules through a WAF to block known exploit patterns. This should be considered a temporary compensating control, not a substitute for patching.
  4. Review Server Configurations: As a long-term strategy, restrict the attack surface by ensuring that only necessary ports and services are exposed to the internet. D3FEND's D3-AH: Application Hardening is a relevant countermeasure.

Timeline of Events

1
November 29, 2025
Security researcher Lachlan Davidson responsibly discloses the vulnerability to the React team.
2
December 1, 2025
The React team and Meta develop a fix for the vulnerability.
3
December 3, 2025
The vulnerability (CVE-2025-55182) is publicly disclosed. Active scanning and exploitation attempts are observed within hours.
4
December 4, 2025
Multiple weaponized proofs-of-concept become publicly available.
5
December 4, 2025
This article was published
6
December 5, 2025
CISA adds CVE-2025-55182 to its Known Exploited Vulnerabilities (KEV) catalog.

Article Updates

December 11, 2025

New DoS and source code leak flaws discovered in React Server Components, requiring immediate re-patching for users who addressed React2Shell.

Update Sources:
react.devDenial of Service and Source Code Exposure in React Server Components
bleepingcomputer.comReact team discloses new DoS and source code exposure vulnerabilities

MITRE ATT&CK Mitigations

Update Software

M1051enterprise

The primary mitigation is to update all affected React and Next.js packages to the latest patched versions.

Network Intrusion Prevention

M1031enterprise

Use a Web Application Firewall (WAF) or IPS with updated signatures to perform virtual patching by blocking malicious requests.

Application Isolation and Sandboxing

M1048enterprise

Running web applications in containerized environments can help limit the blast radius of a successful compromise.

Audit

M1047enterprise

Ensure comprehensive logging of web server, application, and host events to detect and investigate potential exploitation.

D3FEND Defensive Countermeasures

Software Update

D3-SUMaps to MITREM1051
D3FEND

The most critical and effective countermeasure is to immediately update all affected packages. For projects using Next.js, run npm install next@latest or the equivalent command for your package manager. For other projects, identify and update react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack to versions 19.0.1, 19.1.2, or 19.2.1 and later. Utilize software composition analysis (SCA) tools like Snyk or Dependabot to scan your codebase and CI/CD pipelines to automatically identify and flag vulnerable dependencies. Prioritize internet-facing applications for patching, followed by internal systems. After patching, verify the update by checking the lock files (package-lock.json, yarn.lock) to ensure the vulnerable versions have been fully removed from the dependency tree.

Inbound Traffic Filtering

D3-ITFMaps to MITREM1031
D3FEND

As a temporary or defense-in-depth measure, configure your Web Application Firewall (WAF) or Intrusion Prevention System (IPS) to block exploit attempts against CVE-2025-55182. Most major WAF vendors (Cloudflare, AWS WAF, Akamai) have released emergency rulesets that detect the specific patterns used in public PoCs. These rules typically inspect the body of HTTP POST requests for malicious serialized object payloads targeting React Server Function endpoints. While this provides a valuable layer of protection, it should not be relied upon as the sole mitigation, as attackers may develop new bypass techniques. This filtering should be applied at the network edge, in front of all applications running Next.js or other vulnerable RSC implementations.

Process Analysis

D3-PAMaps to MITREM1049
D3FEND

Deploy and configure an Endpoint Detection and Response (EDR) agent on all servers hosting vulnerable applications. The primary goal is to detect post-exploitation behavior. Create detection rules that alert on the node process (or other web server process) spawning anomalous child processes, especially shells like sh, bash, cmd.exe, or powershell.exe. Also monitor for the node process making outbound network connections to unknown IP addresses or domains, which could indicate C2 communication. Establishing a baseline of normal process behavior for your application is key to reducing false positives. This technique is crucial for identifying a compromise if WAF filtering fails or is bypassed.

Sources & References(when first published)

Security Advisory: Critical RCE Vulnerabilities in React Server Components (CVE-2025-55182)
Snyk (snyk.io) December 3, 2025
Critical RCE Vulnerabilities Discovered in React & Next.js
Wiz (wiz.io) December 3, 2025
React2Shell (CVE-2025-55182) - Critical unauthenticated RCE affecting React Server Components
Rapid7 (rapid7.com) December 4, 2025
Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution
The Hacker News (thehackernews.com) December 3, 2025
Critical Security Vulnerability in React Server Components
CERT-EU (cert.europa.eu) December 4, 2025

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

RCEReactNext.jsCVE-2025-55182KEVZero-DayDeserializationWeb Security

📢 Share This Article

Help others stay informed about cybersecurity threats

Continue Reading

Previous All Next