React2Shell: When 'Experimental' Became 'Exploitable' in Production

Amit Schendel

Senior Security Researcher

Jan 3, 2026·5 min read·31 visits

Active ExploitationCISA KEV ListedRansomware Use

Executive Summary (TL;DR)

React Server Components (RSC) inadvertently allowed unauthenticated attackers to access the Javascript 'constructor' via the Flight protocol. Combined with a build error that pushed unsafe experimental code to stable releases, this creates a trivial RCE vector (CVSS 10.0). Affects Next.js 14/15 and other RSC frameworks. Patch immediately.

A critical RCE in React Server Components (RSC) caused by unsafe deserialization in the Flight protocol, exacerbated by a build pipeline failure that shipped experimental code to production. Attackers can execute arbitrary code by manipulating property lookups during Server Action resolution.

Attack Flow Diagram

Official Patches

Meta (React)Official Advisory

Next.jsNext.js Security Update

Fix Analysis (2)

Technical Appendix

CVSS Score

10.0/ 10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Probability

47.37%

Top 2% most exploited

Affected Systems

Next.js (v14.3.0 - v15.0.4)React Server Components (v19.0.0 - v19.2.0)Waku FrameworkReact Router (RSC enabled)Any system using `react-server-dom-webpack`

Affected Versions Detail

Product	Affected Versions	Fixed Version
React Server Components Meta	19.0.0 - 19.2.0 (exclusive of patch)	19.0.1, 19.1.2, 19.2.1
Next.js Vercel	14.3.0 - 15.0.4	15.0.5

Attribute	Detail
CVE ID	CVE-2025-55182
CVSS v3.1	10.0 (Critical)
CWE	CWE-502 (Deserialization of Untrusted Data)
Attack Vector	Network (Pre-auth)
EPSS Score	0.47368 (High)
Exploit Status	Active / Weaponized
KEV Listed	Yes (2024-12-05)