CVE-2025-55182

React2Shell: When Server Components Serve Shells

Alon Barad
Software Engineer

Jan 2, 2026 · 6 min read

Executive Summary (TL;DR)

CVSS 10.0 RCE in Next.js and React Server Components. An attacker can abuse how the React Flight protocol deserializes server-bound payloads to reach the `constructor` property of a deserialized object and execute arbitrary code on the server. Active in-the-wild exploitation has been confirmed.

A critical Remote Code Execution (RCE) vulnerability in React Server Components (RSC) allows unauthenticated attackers to execute arbitrary JavaScript on the server via the React Flight protocol. Dubbed 'React2Shell', the issue is an insecure deserialization flaw (CWE-502): the server resolves attacker-controlled references in the Flight payload without restricting which properties of the deserialized objects may be walked.

Technical Appendix

CVSS Score: 10.0 / 10 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Probability: 47.37% (top 4% most exploited)
Exposed instances: 50,000 (via Shodan)

Affected Systems

- Next.js (versions 13.3.0 - 15.0.x)
- React Server Components (RSC) runtimes
- Waku framework
- Parcel RSC
- Vite RSC plugin

Affected Versions Detail

Product                    Vendor   Affected Versions        Fixed Version
Next.js                    Vercel   >= 13.3.0, < 14.2.35     14.2.35
Next.js                    Vercel   15.0.0 - 15.0.6          15.0.7
react-server-dom-webpack   Meta     19.0.0                   19.0.1
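An added dependency check (example code written for this page, not tooling from Vercel or Meta) that tests an installed version against the ranges in the table above. `AFFECTED_RANGES`, `checkVersion`, `auditLockfile` and the sample lockfile are assumptions made for the illustration, and the ranges are only what the table lists: confirm against the vendor advisories before treating a version as safe.

```javascript
// Added check, not from the page or the vendors: flags installed package
// versions that fall inside the affected ranges from the table above. The
// ranges are copied from that table; consult the React and Next.js advisories
// for the complete list of fixed releases before relying on this.

// [from, below) ranges keyed by npm package name ("next" is Next.js).
const AFFECTED_RANGES = [
  { pkg: 'next', vendor: 'Vercel', from: '13.3.0', below: '14.2.35', fixed: '14.2.35' },
  { pkg: 'next', vendor: 'Vercel', from: '15.0.0', below: '15.0.7', fixed: '15.0.7' },
  { pkg: 'react-server-dom-webpack', vendor: 'Meta', from: '19.0.0', below: '19.0.1', fixed: '19.0.1' },
];

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns -1, 0 or 1. A pre-release (15.0.7-canary.3) sorts below its
// release, so a canary of the fixed version is conservatively still
// reported as affected.
function compareSemver(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

function checkVersion(pkg, version) {
  const v = parseSemver(version);
  for (const r of AFFECTED_RANGES) {
    if (r.pkg !== pkg) continue;
    if (compareSemver(v, parseSemver(r.from)) >= 0 &&
        compareSemver(v, parseSemver(r.below)) < 0) {
      return { affected: true, fixed: r.fixed, vendor: r.vendor };
    }
  }
  return { affected: false, fixed: null, vendor: null };
}

// Walks a parsed package-lock.json (lockfile v2/v3 "packages" map, whose keys
// look like "node_modules/next"). Pass JSON.parse(fs.readFileSync(...)) to
// audit a real project.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!entry || !entry.version) continue;          // root entry has no version
    const name = path.replace(/^.*node_modules\//, '');
    const res = checkVersion(name, entry.version);
    if (res.affected) findings.push({ name, version: entry.version, fixed: res.fixed });
  }
  return findings;
}

// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'demo-app' },
    'node_modules/next': { version: '15.0.3' },
    'node_modules/react-server-dom-webpack': { version: '19.0.1' },
    'node_modules/react': { version: '19.0.0' },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

Only `next` is reported for the sample lockfile, since `react-server-dom-webpack` 19.0.1 is already the fixed release in the table. Note the check inspects the lockfile, not `package.json`, because a caret range in `package.json` says nothing about which version is actually installed.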
CWE ID: CWE-502 (Deserialization of Untrusted Data)
CVSS Score: 10.0 (Critical)
Attack Vector: Network (Pre-Auth)
EPSS Score: 47.37% (High)
KEV Status: Listed (Active Exploitation)
Platform: Node.js / React

CWE-502: Deserialization of Untrusted Data

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, allowing the execution of arbitrary code.
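To make the weakness concrete, here is an added toy model (example code written for this page, not React's Flight implementation) of a reference resolver that walks attacker-chosen property paths through deserialized data. The row format, `SAMPLE_ROWS`, `resolveUnsafe`, `resolveSafe` and `runThroughGadget` are all constructed for the illustration and the payload is not the React2Shell payload; the unsafe resolver reaches `Function` by walking `constructor` twice off a plain object, and the hardened resolver refuses the same path.

```javascript
// Added illustration, not React's code: a toy "Flight-like" row store in
// which a string value "$<row>:<key>:<key>..." is a reference to another
// row, optionally followed by a property path to walk. Real Flight payloads
// are richer; this models only the deserialization weakness (CWE-502).

// Constructed sample payload, as a server might receive it (not a real
// React2Shell payload). Row 2 walks two "constructor" steps off a plain
// object: ({}).constructor is Object, and Object.constructor is Function.
const SAMPLE_ROWS = {
  '0': { greeting: 'hi', user: { name: 'alice' } },
  '1': '$0:user:name',
  '2': '$0:constructor:constructor',
};

const DANGEROUS_KEYS = new Set(['constructor', '__proto__', 'prototype']);

// Vulnerable resolver: follows every key on the path, including inherited
// ones, so an attacker-chosen path reaches Function, an eval primitive.
function resolveUnsafe(rows, value) {
  if (typeof value !== 'string' || !value.startsWith('$')) return value;
  const [id, ...path] = value.slice(1).split(':');
  let obj = rows[id];
  for (const key of path) obj = obj[key];
  return resolveUnsafe(rows, obj);
}

// Hardened resolver: only own properties of plain objects and arrays may be
// walked, a deny-list covers the well-known gadget keys, reference chains
// are bounded, and a value that resolves to a function is rejected outright.
function resolveSafe(rows, value, depth = 0) {
  if (typeof value !== 'string' || !value.startsWith('$')) return value;
  if (depth > 8) throw new Error('reference chain too deep');
  const [id, ...path] = value.slice(1).split(':');
  if (!Object.prototype.hasOwnProperty.call(rows, id)) throw new Error(`unknown row ${id}`);
  let obj = rows[id];
  for (const key of path) {
    if (DANGEROUS_KEYS.has(key)) throw new Error(`refused key "${key}"`);
    if (obj === null || typeof obj !== 'object') throw new Error(`cannot index into ${typeof obj}`);
    if (!Object.prototype.hasOwnProperty.call(obj, key)) throw new Error(`"${key}" is not an own property`);
    obj = obj[key];
  }
  if (typeof obj === 'function') throw new Error('reference resolved to a function');
  return resolveSafe(rows, obj, depth + 1);
}

// What an attacker does once the gadget is reached: Function(src)() evaluates
// src. The source here is benign; on a real server it would spawn a shell.
function runThroughGadget(fn, src) {
  if (typeof fn !== 'function') throw new Error('no gadget reached');
  return fn(src)();
}

function safeResolveOutcome(rows, ref) {
  try {
    return { ok: true, value: resolveSafe(rows, ref) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Demo when run directly with node.
const gadget = resolveUnsafe(SAMPLE_ROWS, '$2');
console.log('unsafe resolver reached:', gadget === Function ? 'Function' : typeof gadget);
console.log('gadget evaluates code:', runThroughGadget(gadget, 'return 6 * 7'));
console.log('safe resolver on $1:', safeResolveOutcome(SAMPLE_ROWS, '$1'));
console.log('safe resolver on $2:', safeResolveOutcome(SAMPLE_ROWS, '$2'));
```

The own-property check alone already blocks `constructor` on a JSON-derived object, because `constructor` lives on the prototype rather than on the object itself; the deny-list and the final `typeof obj === 'function'` check are defence in depth so that a future change to the walking rules does not silently reopen the gadget.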

Vulnerability Timeline

2025-12-03  Vendor releases security advisories and patches
2025-12-04  Exploit PoCs begin appearing on GitHub
2025-12-05  Added to CISA Known Exploited Vulnerabilities (KEV) catalog
2025-12-06  Active exploitation by China-nexus groups reported
