Critical React2Shell Vulnerability Exposes React Server Components to Remote Code Execution
In December 2025, a critical security flaw, designated as CVE-2025-55182 and colloquially known as React2Shell, was identified within React Server Components (RSC). This vulnerability, assigned a maximum CVSS severity score of 10.0, enables unauthenticated remote code execution (RCE) on servers utilizing affected versions of React and associated frameworks.
Understanding the React2Shell Vulnerability
React Server Components facilitate server-side rendering in React applications, enhancing performance and user experience. However, the React2Shell vulnerability arises from unsafe deserialization processes within the RSC Flight protocol. Specifically, the server fails to adequately validate incoming payloads, allowing attackers to inject malicious structures that React processes as legitimate. This oversight can lead to prototype pollution and subsequent remote code execution. ([microsoft.com](https://www.microsoft.com/en-us/security/blog/2025/12/15/defending-against-the-cve-2025-55182-react2shell-vulnerability-in-react-server-components/?msockid=29945efb4ebb645e2b07480f4f5f6538&utm_source=openai))
Affected Versions and Frameworks
The vulnerability impacts the following:
– React Versions: 19.0.0, 19.1.0, 19.1.1, and 19.2.0.
– Next.js Versions: 15.x and 16.x, particularly when utilizing the App Router feature.
– Other Frameworks: Tools and frameworks that incorporate RSC, such as Waku, Vite with RSC plugins, and the Redwood SDK, are also susceptible. ([support.holmsecurity.com](https://support.holmsecurity.com/knowledge/react2shell-exposes-servers-to-remote-code-execution?utm_source=openai))
Notably, applications may be vulnerable even if they do not explicitly define server functions, provided they support React Server Components.
Exploitation and Threat Landscape
Following the public disclosure of React2Shell on December 3, 2025, exploitation commenced almost immediately. Within hours, threat actors, including those with ties to nation-states, began targeting vulnerable applications. These attacks often involved deploying web shells, persistent backdoors, and other malicious payloads to gain and maintain unauthorized access. ([finra.org](https://www.finra.org/guidance/guidance/cybersecurity-advisory-react2shell?utm_source=openai))
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) promptly added CVE-2025-55182 to its Known Exploited Vulnerabilities catalog, underscoring the urgency for organizations to address this flaw. ([finra.org](https://www.finra.org/guidance/guidance/cybersecurity-advisory-react2shell?utm_source=openai))
Technical Details of the Exploit
The exploit leverages the server’s improper deserialization of JSON payloads sent to Server Function endpoints. By crafting a malicious HTTP request, an attacker can execute arbitrary JavaScript code on the server. This process involves sending a `multipart/form-data` POST request containing a malformed JSON object that manipulates the deserialization logic, leading to code execution. ([flawtrack.com](https://www.flawtrack.com/blogs/react2shell-cve-explained?utm_source=openai))
Mitigation and Remediation Steps
To protect against the React2Shell vulnerability, organizations should take the following actions:
1. Update React and Next.js: Upgrade to the patched versions:
– React: 19.0.1, 19.1.2, or 19.2.1.
– Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7. ([portswigger.net](https://portswigger.net/kb/issues/00101200_react-server-components-remote-code-execution-react2shell?utm_source=openai))
2. Review Application Dependencies: Ensure that all packages and frameworks dependent on React Server Components are updated to their latest versions.
3. Monitor for Indicators of Compromise (IoCs): Implement monitoring to detect unusual activities, such as unauthorized access attempts or unexpected code execution.
4. Apply Security Patches Promptly: Establish a protocol for the timely application of security patches to mitigate vulnerabilities as they are discovered.
Conclusion
The React2Shell vulnerability represents a significant threat to web applications utilizing React Server Components. Given the ease of exploitation and the potential for severe impact, it is imperative for organizations to assess their systems, apply necessary updates, and implement robust monitoring to safeguard against potential attacks.
