Jan 2, 2026 · 6 min read
CVSS 10.0 RCE in Next.js and React Server Components. Attackers can leverage the `constructor` property in the React Flight protocol to execute arbitrary code. Active in-the-wild exploitation confirmed.
A catastrophic Remote Code Execution (RCE) vulnerability in React Server Components (RSC) allows unauthenticated attackers to execute arbitrary JavaScript on the server via the React Flight protocol. Dubbed 'React2Shell', this issue stems from insecure deserialization and a build process failure.
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Next.js (Vercel) | >= 13.3.0, < 14.2.35 | 14.2.35 |
| Next.js (Vercel) | 15.0.0 - 15.0.6 | 15.0.7 |
| react-server-dom-webpack (Meta) | 19.0.0 | 19.0.1 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-502 (Deserialization of Untrusted Data) |
| CVSS Score | 10.0 (Critical) |
| Attack Vector | Network (Pre-Auth) |
| EPSS Score | 47.37% (High) |
| KEV Status | Listed (Active Exploitation) |
| Platform | Node.js / React |
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. Because the deserialized input can name properties such as `constructor` that reach an object's prototype machinery, a remote, unauthenticated client can steer the server into executing arbitrary code.
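The CWE-502 pattern described above, shown from the defender's side as an added JavaScript example that is not code from the advisory or from the React or Next.js projects: a deserializer that rejects untrusted property names such as `constructor`, `__proto__` and `prototype` before they can reach prototype machinery, and a request-body scan that can serve as a detection heuristic. The dangerous-key list, the field allowlist, the sample bodies and the newline-delimited scanning approach are all constructed for this example; it does not describe the React Flight wire format.

```javascript
// Added example, not code from the advisory or from the Next.js / React projects.
// It demonstrates the CWE-502 pattern from the defender's side: a deserializer
// that never lets untrusted property names such as `constructor` reach prototype
// machinery, plus a body-scan heuristic usable for detection. The key list,
// field allowlist and sample bodies are constructed for this example.

const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Walk a parsed JSON value and collect JSONPath-style locations of any
// property name that could reach an object's prototype or constructor.
function findDangerousKeys(value, path = "$", found = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findDangerousKeys(item, `${path}[${i}]`, found));
  } else if (value !== null && typeof value === "object") {
    // Object.keys reports own properties only; JSON.parse creates "__proto__"
    // as an own data property, so it is visible here rather than hidden.
    for (const key of Object.keys(value)) {
      const childPath = `${path}.${key}`;
      if (DANGEROUS_KEYS.has(key)) found.push(childPath);
      findDangerousKeys(value[key], childPath, found);
    }
  }
  return found;
}

// Hardened deserialization: reject any dangerous key anywhere in the payload,
// then copy only allowlisted top-level fields into a prototype-less object so
// nothing the client sends can influence method lookup on the result.
function safeDeserialize(text, allowedFields) {
  const parsed = JSON.parse(text);
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new TypeError("expected a JSON object at the top level");
  }
  const hits = findDangerousKeys(parsed);
  if (hits.length > 0) {
    throw new Error(`rejected payload: dangerous keys at ${hits.join(", ")}`);
  }
  const out = Object.create(null);
  for (const field of allowedFields) {
    if (Object.prototype.hasOwnProperty.call(parsed, field)) {
      out[field] = parsed[field];
    }
  }
  return out;
}

// Detection heuristic for a raw request body: treat each newline-delimited
// chunk separately, parse JSON where possible, and fall back to a quoted-key
// pattern match for chunks that are not plain JSON. Returns the findings.
const QUOTED_DANGEROUS_KEY = /"(?:__proto__|constructor|prototype)"\s*:/;
function scanRequestBody(rawBody) {
  const findings = [];
  rawBody.split("\n").forEach((chunk, lineNo) => {
    if (chunk.trim() === "") return;
    try {
      for (const p of findDangerousKeys(JSON.parse(chunk))) {
        findings.push(`line ${lineNo + 1}: ${p}`);
      }
    } catch {
      if (QUOTED_DANGEROUS_KEY.test(chunk)) {
        findings.push(`line ${lineNo + 1}: quoted dangerous key in non-JSON chunk`);
      }
    }
  });
  return findings;
}

// Constructed sample bodies (not real traffic).
const BENIGN_BODY = '{"name":"alice","role":"user"}';
const SUSPICIOUS_BODY =
  '{"a":{"constructor":{"x":1}},"b":[{"__proto__":{}}]}\n' +
  'not-json "prototype": {}';

console.log("benign findings:", scanRequestBody(BENIGN_BODY));
console.log("suspicious findings:", scanRequestBody(SUSPICIOUS_BODY));
console.log("safe object:", safeDeserialize(BENIGN_BODY, ["name"]));
```

The scan is a heuristic, not a parser for any specific protocol: it is meant to run over request bodies at a proxy or logging layer to surface payloads worth inspecting while the fixed versions in the table above are rolled out. The deserializer's two measures are independent: rejecting dangerous keys stops prototype-reaching names from being processed at all, and copying only allowlisted fields into an `Object.create(null)` target means that even an unexpected key cannot shadow a method on the resulting object.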