React2Shell Critical RCE Vulnerability in React Server Components
Dec 4, 2025
Tags: security, react, nextjs, vulnerability, rce
A maximum-severity vulnerability (CVSS 10.0) has been disclosed in React Server Components that allows unauthenticated remote code execution. Codenamed React2Shell and tracked as CVE-2025-55182, this flaw affects React 19.x and Next.js applications using the App Router.
The Vulnerability
The flaw stems from insecure deserialization in the RSC payload handling logic, allowing attacker-controlled data to influence server-side execution. What makes this particularly dangerous:
- Default configurations are vulnerable: a standard create-next-app application built for production can be exploited with no code changes
- Exploitation requires only a crafted HTTP request
- Applications are vulnerable if they support RSC, even without explicitly using React Server Functions
Affected Versions
React (CVE-2025-55182):
- Versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0
- Packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack
Next.js (CVE-2025-66478, also CVSS 10.0):
- Versions >=14.3.0-canary.77, >=15, and >=16
Other affected frameworks include Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodJS, and Waku.
Scale of Impact
- 39% of cloud environments have vulnerable instances (per Wiz)
- 968,000+ servers running modern React/Next.js frameworks identified
- React is used by 82% of JavaScript developers (State of JavaScript 2024)
Patched Versions
Update immediately to:
- React: 19.0.1, 19.1.2, or 19.2.1
- Next.js: 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, or 15.0.5
Google Cloud and AWS have both released WAF rules to detect and block exploitation attempts.
Current Status
As of December 3, 2025, no confirmed in-the-wild exploitation has been reported, but the security community considers exploitation imminent given the severity and attack surface.
Sources: Tenable, Wiz, SecurityWeek, Google Cloud