
React2Shell: Critical RCE Vulnerability in React Server Components

December 9, 2025

by ODD4 Team


On December 3, 2025, Meta disclosed CVE-2025-55182, a critical vulnerability in React Server Components that allows unauthenticated remote code execution. Security researchers have dubbed it React2Shell, and with a CVSS score of 10.0, it represents the most severe type of vulnerability possible. If you're running React 19 with Server Components or Next.js with the App Router, you need to patch immediately.

#What Is React2Shell?

React2Shell is an unsafe deserialization vulnerability in how React Server Components handle incoming payloads. The flaw exists in the RSC "Flight" protocol, which is responsible for serializing and deserializing data between the server and client.

When a server receives a specially crafted HTTP request, it fails to properly validate the payload structure. This allows attacker-controlled data to influence server-side execution, resulting in arbitrary code execution on your server.

The vulnerability was discovered by security researcher Lachlan Davidson on November 29, 2025, and responsibly disclosed through Meta's bug bounty program.

#Why This Is Serious

Several factors make React2Shell particularly dangerous:

No authentication required. An attacker doesn't need credentials, session tokens, or any user interaction. The malicious payload targets the Flight protocol, which is processed before your application's authentication logic runs.

Default configurations are vulnerable. A standard project generated with create-next-app is immediately exposed, even without any custom code. The vulnerable App Router is enabled by default in Next.js.

Near-100% exploitation success rate. Testing indicates the exploit works reliably against default configurations without requiring any modifications.

Active exploitation in the wild. As of December 8, 2025, security firms have observed exploitation attempts using malicious payloads. Attackers have been deploying remote access tools, reverse shells, and connecting to command-and-control servers. Amazon Threat Intelligence has linked some exploitation attempts to state-sponsored threat groups leveraging public exploits within hours of their release.

#Are You Affected?

You are vulnerable if you're using any of these affected versions:

#React Packages

The vulnerability exists in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

#Next.js

Affected versions include:

  • 15.0.4 and below
  • 15.1.8 and below
  • 15.2.5 and below
  • 15.3.5 and below
  • 15.4.7 and below
  • 15.5.6 and below
  • 16.0.6 and below
  • Canary versions 14.3.0-canary.77 and later

#Other Affected Frameworks

Any framework bundling React Server Components is potentially affected:

  • React Router (RSC preview)
  • Waku
  • @parcel/rsc
  • @vitejs/plugin-rsc
  • RedwoodSDK (rwsdk)

#You Are NOT Affected If

  • You don't use React Server Components
  • You don't use a framework or bundler that supports React Server Components
  • You only run React code on the client side
  • You're using React 18 or earlier without RSC support
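As an added example (not code from the advisory, from React, or from Next.js), here is a small Node.js check that walks an npm package-lock.json and flags entries that fall inside the affected ranges listed above; the lockfile contents are constructed for the demonstration.

```javascript
// Parse "19.1.1", "19.0" or "14.3.0-canary.77" into its numeric parts and prerelease tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: m[3] === undefined ? 0 : +m[3], pre: m[4] || null };
}

// Highest affected patch per Next.js release line ("15.0.4 and below", and so on).
const NEXT_LAST_AFFECTED = { '15.0': 4, '15.1': 8, '15.2': 5, '15.3': 5, '15.4': 7, '15.5': 6, '16.0': 6 };

// The react-server-dom-* packages and the exact versions listed as affected.
const RSC_PACKAGES = ['react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack'];
const RSC_AFFECTED = new Set(['19.0.0', '19.1.0', '19.1.1', '19.2.0']);

function isNextAffected(version) {
  const p = parseVersion(version);
  if (!p) return false;
  // Canary line: 14.3.0-canary.77 and later canaries of 14.3.0.
  if (p.major === 14 && p.minor === 3 && p.patch === 0 && p.pre) {
    const c = /^canary\.(\d+)$/.exec(p.pre);
    return c !== null && +c[1] >= 77;
  }
  const last = NEXT_LAST_AFFECTED[`${p.major}.${p.minor}`];
  return last !== undefined && p.patch <= last;
}

function isRscPackageAffected(name, version) {
  const p = parseVersion(version);
  if (!p || p.pre || !RSC_PACKAGES.includes(name)) return false;
  return RSC_AFFECTED.has(`${p.major}.${p.minor}.${p.patch}`);
}

// Walk an npm package-lock.json (lockfileVersion 2 or 3) and report affected entries.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop(); // handles nested and scoped paths
    if (!name || !entry.version) continue;
    if ((name === 'next' && isNextAffected(entry.version)) || isRscPackageAffected(name, entry.version)) {
      findings.push({ name, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project) so the script runs stand-alone.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/next': { version: '15.5.6' },
  'node_modules/react': { version: '19.2.0' },
  'node_modules/react-server-dom-webpack': { version: '19.2.0' },
} };

console.log(auditLockfile(SAMPLE_LOCK)); // two findings: next and react-server-dom-webpack
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.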

#How to Patch

There is no workaround for this vulnerability. You must upgrade to a patched version.

#React Packages

Upgrade to one of these fixed versions:

  • 19.0.1 or later
  • 19.1.2 or later
  • 19.2.1 or later

npm install react@latest react-dom@latest
npm install react-server-dom-webpack@latest

#Next.js

Upgrade to the patched version for your release line:

# For 15.0.x
npm install [email protected]

# For 15.1.x
npm install [email protected]

# For 15.2.x
npm install [email protected]

# For 15.3.x
npm install [email protected]

# For 15.4.x
npm install [email protected]

# For 15.5.x
npm install [email protected]

# For 16.0.x
npm install [email protected]

If you're using Next.js 14 canary versions (14.3.0-canary.77 or later), downgrade to stable:

npm install next@14

#Other Frameworks

For React Router with RSC:

npm install react@latest react-dom@latest react-server-dom-parcel@latest

For Waku:

npm install react@latest react-dom@latest react-server-dom-webpack@latest waku@latest

For RedwoodSDK:

npm install rwsdk@latest react@latest react-dom@latest react-server-dom-webpack@latest

#After Patching

Once you've upgraded and redeployed your application, you should rotate all application secrets. If your server was compromised before patching, attackers may have extracted environment variables, API keys, database credentials, or other sensitive data.

Consider the following steps:

  1. Rotate database passwords and connection strings
  2. Regenerate API keys for third-party services
  3. Rotate session secrets and JWT signing keys
  4. Review server logs for suspicious activity
  5. Check for unauthorized files or processes on your servers

#Understanding the Broader Context

React2Shell highlights a growing concern with server-side JavaScript vulnerabilities. As frameworks like Next.js push more logic to the server through features like Server Components and Server Actions, the attack surface expands significantly.

This isn't unique to React. Server-side rendering and server components in any framework introduce risks that don't exist in purely client-side applications. When your JavaScript runs on a server with access to databases, file systems, and internal networks, the consequences of a vulnerability are far more severe.

#General React Security Practices

While React2Shell is the most urgent threat right now, it's worth reviewing general React security practices:

Input validation. Never trust user input. Sanitize and validate all data on the server side, even if you have client-side validation.

Avoid dangerouslySetInnerHTML. This API exists for a reason, but it opens the door to XSS attacks if you're not careful. If you must use it, sanitize the HTML with a library like DOMPurify.

Keep dependencies updated. Run npm audit regularly and address vulnerabilities promptly. Many React applications have dozens or hundreds of dependencies, each a potential attack vector.

Implement proper CSRF protection. Server Actions and form submissions need CSRF tokens to prevent cross-site request forgery.

Secure your build pipeline. Ensure your CI/CD pipeline doesn't expose secrets and uses pinned dependency versions.

#Timeline

| Date | Event |
| --- | --- |
| November 29 | Vulnerability reported via Meta Bug Bounty |
| November 30 | Meta security team confirmed the issue |
| December 1 | Fix developed and rolled out to hosting providers |
| December 3 | Fix published to npm, CVE-2025-55182 disclosed |
| December 4 | Proof-of-concept exploit published |
| December 4 | Active exploitation attempts observed |

#The Bottom Line

CVE-2025-55182 is as serious as vulnerabilities get. With a perfect CVSS score, unauthenticated exploitation, and active attacks in the wild, this requires immediate action. Check your React and Next.js versions today, upgrade to patched releases, and rotate your secrets.

Don't wait for your normal patch cycle. The exploit is public, attacks are happening, and every hour your application remains unpatched is another hour of exposure.
