CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2025-66478
CVSS 10.0 · EPSS 47.37%

React2Shell: When 'Experimental' Became 'Exploitable' in Production

Amit Schendel, Senior Security Researcher

Jan 3, 2026·5 min read·40 visits

Active Exploitation · CISA KEV Listed · Ransomware Use

Executive Summary (TL;DR)

React Server Components (RSC) inadvertently allowed unauthenticated attackers to reach the JavaScript 'constructor' property via the Flight protocol. Combined with a build error that pushed unsafe experimental code into stable releases, this creates a trivial RCE vector (CVSS 10.0). It affects Next.js 14/15 and other RSC frameworks. Patch immediately.

A critical RCE in React Server Components (RSC) caused by unsafe deserialization in the Flight protocol, exacerbated by a build pipeline failure that shipped experimental code to production. Attackers can execute arbitrary code by manipulating property lookups during Server Action resolution.

Official Patches

  • Meta (React): Official Advisory
  • Next.js: Next.js Security Update

Fix Analysis (2)

Technical Appendix

CVSS Score: 10.0 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Probability: 47.37% (top 2% most exploited)

Affected Systems

  • Next.js (v14.3.0 - v15.0.4)
  • React Server Components (v19.0.0 - v19.2.0)
  • Waku Framework
  • React Router (RSC enabled)
  • Any system using `react-server-dom-webpack`

Affected Versions Detail

Product | Vendor | Affected Versions | Fixed Version
React Server Components | Meta | 19.0.0 - 19.2.0 (exclusive of patch) | 19.0.1, 19.1.2, 19.2.1
Next.js | Vercel | 14.3.0 - 15.0.4 | 15.0.5

Attribute | Detail
CVE ID | CVE-2025-55182
CVSS v3.1 | 10.0 (Critical)
CWE | CWE-502 (Deserialization of Untrusted Data)
Attack Vector | Network (Pre-auth)
EPSS Score | 0.47368 (High)
Exploit Status | Active / Weaponized
KEV Listed | Yes (2024-12-05)

MITRE ATT&CK Mapping

  • T1190 Exploit Public-Facing Application (Initial Access)
  • T1059.007 Command and Scripting Interpreter: JavaScript (Execution)
  • T1203 Exploitation for Client Execution (Execution)

CWE-502: Deserialization of Untrusted Data

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Known Exploits & Detection

  • GitHub: Scanner and PoC for CVE-2025-55182
  • Metasploit: Exploit module targeting React Server Components
  • Nuclei: Detection Template Available

Vulnerability Timeline

  • 2024-11-29: Vulnerability reported to Meta
  • 2024-12-03: Patches released for React and Next.js
  • 2024-12-05: Added to CISA KEV
  • 2025-01-01: Rondodox botnet exploitation observed

Related Vulnerabilities

  • CVE-2025-66478
  • CVE-2025-55182

Attack Flow Diagram
