React2Shell: Hot December for React and Next.js as Critical 10.0 CVSS Vulnerability Hits RSC

Brendan Smith - Cybersecurity Analyst
A hot December for React and Next.js

CVE-2025-55182 dropped yesterday evening, and predictably, everyone’s losing their minds. Cloudflare is rolling out emergency WAF rules, Unit 42 is counting nearly a million exposed servers, Wiz is reporting close to 40% of cloud environments affected; all the usual suspects are chiming in. The vulnerability affects default configurations across multiple frameworks, including Next.js, React Router, Waku and others; any library that ships React Server Components (RSC) support is potentially exploitable. The root cause is unsafe deserialization of RSC payloads: one malicious request leads to remote code execution. Mass exploitation is inevitable, patch analysis is already underway, and half the web runs on React and its frameworks. In other words, it is time to start applying patches.

The name alone is catchy: React2Shell. But behind the marketing there’s a genuinely nasty vulnerability that earns its perfect 10.0 CVSS score. This isn’t some theoretical edge case requiring exotic configurations: it hits default setups, requires no authentication, and needs nothing more than an ordinary HTTP request.

The flaw lives in how React Server Components handle serialized payloads: specifically, unsafe deserialization in the React Flight protocol, the wire format RSC uses to move data between client and server. An attacker crafts a malicious HTTP POST to a Server Function endpoint, React deserializes the body without proper validation, and the result is arbitrary JavaScript execution on the server with the privileges of the Node.js process.

The technical culprit is the requireModule function in the react-server-dom-webpack package: by weaponizing vm.runInThisContext, attackers can force React to execute code supplied in the payload. Upwind’s deep dive adds that while React itself doesn’t expose the vulnerable endpoint, Next.js absolutely does, which turns a theoretical weakness into real remote attack surface.

The Blast Radius

This affects the React Server Components packages at versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

Patches are available in versions 19.0.1, 19.1.2 and 19.2.1. Security researcher Lachlan Davidson from New Zealand discovered the issue and reported it to Meta on November 29, 2025.

For Next.js with the App Router, the vulnerability is present from 14.3.0-canary.77 onward and in every 15.x and 16.x release before the fixes (the Pages Router does not use RSC and is outside this advisory). Patched versions are 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9 and 15.0.5; note that no patched 14.x release is listed, so affected 14.3 canary users need to move to a patched 15.x line. The Next.js issue was initially assigned CVE-2025-66478, which NIST later rejected as a duplicate of CVE-2025-55182.

But wait, there’s more. Any library that bundles RSC is potentially vulnerable: the Vite RSC plugin, the Parcel RSC plugin, the React Router RSC preview, RedwoodJS, Waku. The damage extends far beyond React and Next.js themselves.

Wiz’s analysis found that 39% of cloud environments have instances vulnerable to this CVE. Palo Alto Networks Unit 42 identified over 968,000 servers running affected frameworks. That’s not vulnerable repositories or codebases; that’s internet-facing servers. Not every one of them is confirmed exploitable, but every one of them needs checking, and attackers scanning for them won’t wait for you to do it.

Justin Moore from Unit 42 nailed it: “This is a master key exploit, succeeding not by crashing the system, but by abusing its trust in incoming data structures. The system executes the malicious payload with the same reliability as legitimate code because it operates exactly as intended, but on malicious input.”

Translation: Your application isn’t broken. It’s doing exactly what it’s supposed to do. The problem is what you’re asking it to handle.

The Industry Scramble

Cloud providers and security vendors moved fast. Cloudflare deployed WAF rules protecting all customers, free and paid, as long as the React traffic is proxied through Cloudflare. Akamai, AWS, Fastly and Google Cloud rolled out similar protections. A WAF rule is a stopgap, not a fix: it only sees traffic that passes through the proxy, and signature-based rules can be evaded by payload variations, so patching still comes first.

Multiple security firms (Endor Labs, Miggo Security, VulnCheck, Aikido and OX Security) published detailed analyses, and all emphasized the same point: no special setup required, exploitable without authentication, affects default configurations.

What to Do Right Now

If you’re running React Server Components or Next.js with App Router:

  1. Patch immediately — update to the fixed versions listed above, and redeploy; a patched lockfile that hasn’t shipped protects nothing
  2. Deploy WAF rules if patching takes time (and if you have WAF infrastructure in front of the app)
  3. Monitor HTTP traffic to Server Function endpoints (in Next.js, POST requests carrying the Next-Action header) for unexpected payloads and for POSTs from sources that never used Server Functions before
  4. Consider temporary network restrictions (IP allowlisting, or taking non-essential apps offline) until patches are deployed
  5. Check your dependencies, including transitive ones — if you’re using Vite, Parcel, React Router, RedwoodJS, Waku or similar, verify their RSC implementations, and run npm ls react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack to see which versions are actually resolved in your tree
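As an added example for steps 1 and 5 (this is not code from the article, from React or from Next.js), here is a small dependency-free Node.js script that reads a package-lock.json and classifies the resolved versions of next and the react-server-dom-* packages against the affected and patched versions listed above. The semver ordering is a minimal reimplementation, just enough to rank pre-releases such as 14.3.0-canary.77 below their final release; the lockfile fragment at the bottom is constructed for the demo. A result of “not-listed” means the version falls outside the ranges quoted in this article and must be checked against the upstream advisory, not that it is safe.

```javascript
// Added example, not from the article or the React / Next.js projects.
// Classifies resolved versions of next and react-server-dom-* against the
// affected / patched versions the advisory lists for CVE-2025-55182.

const RSC_PACKAGES = new Set([
  'react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack',
]);
// First fixed release of each affected minor line, as quoted in the article.
const RSC_FIXED = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };
const NEXT_FIXED = {
  '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6', '15.3': '15.3.6',
  '15.4': '15.4.8', '15.5': '15.5.7', '16.0': '16.0.7',
};
// Earliest affected Next.js build; the article lists no patched 14.x release.
const NEXT_FIRST_AFFECTED = '14.3.0-canary.77';

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : null };
}

// Pre-release identifiers: numeric ones compare numerically and sort before
// alphanumeric ones (semver 2.0, rule 11).
function compareIds(a, b) {
  const na = /^\d+$/.test(a), nb = /^\d+$/.test(b);
  if (na && nb) return Math.sign(Number(a) - Number(b));
  if (na) return -1;
  if (nb) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Comparator (-1 / 0 / 1); a pre-release sorts below its final release.
function compareVersions(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (!x.pre && !y.pre) return 0;
  if (!x.pre) return 1;
  if (!y.pre) return -1;
  for (let i = 0; i < Math.min(x.pre.length, y.pre.length); i++) {
    const c = compareIds(x.pre[i], y.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(x.pre.length - y.pre.length);
}

// Returns 'vulnerable' | 'patched' | 'not-affected' | 'not-listed'.
function assess(name, version) {
  const { major, minor } = parseSemver(version);
  const line = `${major}.${minor}`;
  if (RSC_PACKAGES.has(name)) {
    if (!(line in RSC_FIXED)) return 'not-listed';
    return compareVersions(version, RSC_FIXED[line]) < 0 ? 'vulnerable' : 'patched';
  }
  if (name === 'next') {
    if (compareVersions(version, NEXT_FIRST_AFFECTED) < 0) return 'not-affected';
    if (line in NEXT_FIXED) {
      return compareVersions(version, NEXT_FIXED[line]) < 0 ? 'vulnerable' : 'patched';
    }
    // 14.3 canaries at or after .77 are affected and have no listed fix.
    return major === 14 ? 'vulnerable' : 'not-listed';
  }
  return 'not-listed';
}

// package-lock.json (lockfileVersion 2 or 3) keys "packages" by install path,
// e.g. "node_modules/next" or "node_modules/a/node_modules/@scope/b".
// Every path is kept so that duplicated (nested) copies are each reported.
function depsFromPackageLock(lock) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf('node_modules/');
    if (i === -1 || !entry.version) continue;
    out.push({ path, name: path.slice(i + 'node_modules/'.length), version: entry.version });
  }
  return out;
}

function scan(deps) {
  return deps
    .map((d) => ({ ...d, status: assess(d.name, d.version) }))
    .filter((f) => f.status !== 'not-listed');
}

// Constructed sample lockfile fragment for the demo (not a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/next': { version: '15.4.2' },
    'node_modules/react': { version: '19.1.1' },
    'node_modules/react-server-dom-webpack': { version: '19.1.1' },
    'node_modules/some-tool/node_modules/react-server-dom-turbopack': { version: '19.2.1' },
  },
};

for (const f of scan(depsFromPackageLock(SAMPLE_LOCK))) {
  console.log(`${f.path} (${f.version}): ${f.status}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')). For Next.js apps the next entry is the one that counts, because Next.js ships its own vendored copy of react-server-dom-webpack inside the next package; the standalone react-server-dom-* entries matter when you consume RSC through another bundler.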

How to Patch?

Run the following in your terminal:

# For Next.js users (npm)
npm install next@latest react@latest react-dom@latest

# For Next.js users (yarn)
yarn upgrade next react react-dom

Two caveats. First, @latest may move you across a major version (15 to 16); if that is not an option today, install the patched release for your line instead, for example npm install next@15.4.8, since every 15.x minor from 15.0 to 15.5 has a fix. Second, if you consume RSC through Vite, Parcel or another bundler rather than Next.js, update the react-server-dom-* package itself (for example npm install react-server-dom-webpack@19.2.1) and confirm the resolved version with npm ls react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack.

The React Team’s official advisory is clear: “Even if your app does not implement any React Server Function endpoints, it may still be vulnerable if your app supports React Server Components.”

The Supply Chain Reality

This vulnerability highlights modern web development’s fundamental challenge: framework trust. React Server Components were meant to improve performance and developer experience. Instead, they introduced a deserialization vulnerability that reaches close to a million exposed servers.

The issue wasn’t in some obscure optional feature. It was in the core protocol handling, affecting default configurations. You didn’t need to misconfigure anything or enable experimental flags. Just using RSC the way it was designed made you vulnerable.

Exploit development is happening right now. Security researchers are diffing the patches to reverse-engineer attack methods, and proof-of-concept code will be public soon if it isn’t already. With nearly a million exposed servers identified, automated scanning and mass exploitation are inevitable.

React moved from Meta to the React Foundation in October 2025. This is one of their first major security incidents under the new governance. How they handle communication, coordination, and future prevention will set the tone for the foundation’s credibility.

For now, the message is simple: patch. This isn’t theoretical. This isn’t low-severity. This is a maximum CVSS score vulnerability in one of the web’s most popular frameworks, affecting default configurations, requiring no authentication, and trivial to exploit.

Half the web runs on React. If you’re part of that half, it’s time to update.

Brendan Smith has spent over 15 years knee-deep in cybersecurity, chasing down malware from the gritty reverse-engineering of old-school trojans all the way to wrangling full-blown incident responses for small-to-medium businesses that couldn’t afford a full-blown breach. Over at Gridinsoft, he’s the guy piecing together those double-checked guides on nasty stuff like AsyncRAT—take last year, for instance, when his breakdowns caught more than 200 sneaky variants right in live scans, knocking user cleanup jobs down by a solid 40% and saving folks hours of headache.