React2Shell: Understanding CVE-2025-55182 - The Critical React Vulnerability
Published on December 5, 2025

CVE-2025-55182 (React2Shell) is a critical remote code execution vulnerability affecting React 19 Server Components with a CVSS score of 10.0. Learn which versions are affected, how to patch your applications immediately, and why this flaw poses an urgent threat to millions of React and Next.js applications worldwide.
On December 3, 2025, the React team disclosed a maximum-severity vulnerability that has sent shockwaves through the web development community. Designated CVE-2025-55182 and dubbed "React2Shell," this critical flaw affects React Server Components and poses an immediate threat to countless applications worldwide. With a CVSS score of 10.0, the highest possible rating, this vulnerability demands urgent attention from every development team running React Server Components on React 19.
What is CVE-2025-55182?
CVE-2025-55182 is an unsafe deserialization vulnerability in React Server Components (RSC), specifically in the "Flight" protocol React uses to serialize data between server and client. It allows an unauthenticated attacker to achieve remote code execution (RCE) on a server running a vulnerable React application with a single crafted HTTP request.
What makes this particularly dangerous is that it affects default configurations. A standard Next.js application created with create-next-app (which uses the App Router by default) and built for production is vulnerable without any code changes by the developer. The flaw is in the request-parsing logic of the library itself, not in anything the application author wrote.
Affected Versions and Packages
React Packages
The vulnerable code lives in the server-side RSC packages, not in the react package itself. Versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of the following packages are affected:
- react-server-dom-parcel
- react-server-dom-turbopack
- react-server-dom-webpack
Next.js Versions
Next.js applications using the App Router on the 15.x and 16.x lines are affected. The versions below are the last unpatched releases in each minor line; earlier releases in the same line are affected as well:
- 15.0.4, 15.1.8, 15.2.5, 15.3.5, 15.4.7, 15.5.6
- 16.0.6
Note: Next.js 13.x, 14.x stable, and Pages Router applications are not affected.
Other Affected Frameworks
The vulnerability also impacts other frameworks and bundlers that depend on or include vulnerable React packages:
- React Router (RSC preview)
- Waku
- Redwood SDK
- Expo
- Vite (with @vitejs/plugin-rsc)
- Parcel (with @parcel/rsc)
The Technical Details
The vulnerability stems from how React Server Components deserialize data in the Flight protocol. When a server receives RSC payloads, it reconstructs JavaScript objects from serialized text streams—a process called deserialization. The flaw lies in unsafe property access during this deserialization process.
Attackers can exploit this by crafting payloads that abuse the module_id#export_name reference syntax by which Server Functions are identified. Instead of naming a legitimate export, a reference can reach internal JavaScript properties and the prototype chain of the referenced module. Pointing the reference at a Node.js built-in that can execute code (a "gadget" such as the vm module) turns that property access into arbitrary code execution.
For example, an attacker might request vm#runInThisContext as the function to call and supply JavaScript source as its argument, achieving remote code execution with the privileges of the Node.js process that serves the application.
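To make the bug class concrete, here is an added illustrative example. It is not React's Flight implementation (whose code paths differ) and not an exploit for this CVE: it is a hypothetical server-reference resolver that turns a module#export string into a callable by plain property access, beside a hardened version that only consults a closed table built at startup. The module and function names (cart, addToCart) are made up.

```javascript
'use strict';

// Constructed stand-in for a module of registered Server Functions.
const cartActions = {
  async addToCart(itemId) { return { ok: true, itemId }; },
};
const registry = { cart: cartActions };

// Vulnerable pattern (illustrative, not React's code): the reference string is
// trusted as-is and resolved by plain property access. "cart#constructor"
// resolves to Object, "cart#hasOwnProperty" to a function inherited from
// Object.prototype, and "__proto__#toString" resolves even though no module
// called __proto__ was ever registered, because registry.__proto__ exists.
function resolveReferenceUnsafe(registry, ref) {
  const hash = ref.indexOf('#');
  const moduleId = ref.slice(0, hash);
  const exportName = ref.slice(hash + 1);
  const mod = registry[moduleId];          // prototype chain of the registry
  if (mod === undefined) throw new Error(`unknown module: ${moduleId}`);
  const target = mod[exportName];          // prototype chain of the module
  if (typeof target !== 'function') throw new Error(`not callable: ${ref}`);
  return target;
}

// Hardened pattern: enumerate what was registered once, at startup, into a
// closed table. Only own, enumerable function exports are admitted, and the
// lookup is a Map.get, so nothing on any prototype chain can be reached.
function buildReferenceTable(registry) {
  const table = new Map();
  for (const [moduleId, mod] of Object.entries(registry)) {
    for (const exportName of Object.keys(mod)) {
      if (typeof mod[exportName] === 'function') {
        table.set(`${moduleId}#${exportName}`, mod[exportName]);
      }
    }
  }
  return table;
}
const referenceTable = buildReferenceTable(registry);

function resolveReferenceSafe(table, ref) {
  const target = table.get(ref);
  if (target === undefined) throw new Error(`unknown server reference: ${ref}`);
  return target;
}

// Demonstration when run directly.
for (const ref of ['cart#addToCart', 'cart#constructor', '__proto__#toString']) {
  const unsafe = resolveReferenceUnsafe(registry, ref).name;
  let safe;
  try { safe = resolveReferenceSafe(referenceTable, ref).name; } catch (e) { safe = `rejected (${e.message})`; }
  console.log(`${ref.padEnd(20)} unsafe -> ${unsafe.padEnd(10)} safe -> ${safe}`);
}
```

In the unsafe resolver the reference string, not the registration, decides what runs: cart#constructor and even __proto__#toString resolve to callables that were never registered. The hardened form inverts that relationship. A reference that was not registered at startup cannot resolve, whatever the prototype chain contains, which is the property a deserializer on a trust boundary needs.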
The Scope of Impact
The scale of this vulnerability is staggering. According to Wiz Research, 39% of cloud environments contain instances vulnerable to this flaw. With React being used by 82% of JavaScript developers and powering millions of websites including major platforms like Airbnb and Netflix, the potential attack surface is enormous.
Security researchers have developed proof-of-concept exploits with nearly 100% reliability, demonstrating how easily this vulnerability can be weaponized. More concerning, within hours of the public disclosure, threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda.
Why This Vulnerability is So Dangerous
Several factors elevate the severity of CVE-2025-55182:
- No Authentication Required: Attackers can exploit this vulnerability without any credentials or prior access to the system.
- Default Configuration Vulnerability: Applications are vulnerable out of the box with standard configurations, requiring no developer misconfiguration.
- High Exploitation Reliability: Unlike memory corruption bugs that may fail unpredictably, this is a deterministic logic flaw that executes reliably.
- Broad Attack Surface: Even applications that don't explicitly use React Server Functions may still be vulnerable if they run on a framework or bundler that supports React Server Components.
- Rapid Weaponization: Public proof-of-concept exploits have already been developed, and active exploitation has been observed in the wild.
Timeline of the Vulnerability
- November 14, 2024: React 19.0 released with the vulnerable code
- November 29, 2025: Lachlan Davidson reported the vulnerability to Meta via Bug Bounty
- November 30, 2025: Meta security researchers confirmed the vulnerability
- December 1, 2025: Fix created and coordination with hosting providers began
- December 3, 2025: Public disclosure and patched versions released
- Same day: Active exploitation attempts observed by multiple threat actors
Patched Versions
Immediate updates are available and should be applied urgently:
React (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack)
- 19.0.1
- 19.1.2
- 19.2.1
Next.js
- 15.0.5
- 15.1.9
- 15.2.6
- 15.3.6
- 15.4.8
- 15.5.7
- 16.0.7
Other Frameworks
Check official channels for React Router, Expo, Redwood SDK, Waku, Vite, and Parcel for their respective patched versions.
Protection and Mitigation Strategies
1. Immediate Patching
Update to the patched versions immediately. This is the only definitive mitigation. The patched versions include hardened deserialization behavior and stricter validation.
2. Web Application Firewall (WAF) Protection
Major cloud providers have deployed protective rules:
- Cloudflare: Automatic protection for all customers with WAF enabled
- AWS: Updated AWSManagedRulesKnownBadInputsRuleSet (version 1.24+)
- Google Cloud: New protective rules deployed
- Fastly: Virtual patch available via NGWAF
- Akamai: Protective measures implemented
However, WAF rules should be considered temporary protection only—patching is essential.
3. Monitoring and Detection
- Monitor HTTP traffic to Server Function endpoints for suspicious or malformed requests
- Use runtime application security solutions that can detect unsafe deserialization flows
- Implement logging and alerting for unusual server-side execution patterns
- Consider temporarily restricting network access to affected applications until patches can be applied
4. Verify Your Exposure
Determine if your applications are affected:
- Check if you're using React 19 with Server Components enabled
- Verify whether your framework (Next.js, etc.) uses vulnerable versions
- Review your production environments for React dependencies
- Use Software Bill of Materials (SBOM) tools to identify vulnerable components
Who is NOT Affected?
Your application is not vulnerable if:
- You use React without React Server Components (a client-only app, or classic server-side rendering that does not use RSC)
- You don't use a framework, bundler, or plugin that supports React Server Components
- You're on Next.js 13.x or stable 14.x versions
- You're using the Next.js Pages Router instead of the App Router
- You're on the Next.js Edge Runtime
Lessons for the Development Community
This vulnerability highlights several critical considerations for modern web development:
- Supply Chain Security: With applications depending on hundreds or thousands of packages, a single vulnerability in a foundational library can have cascading effects across the entire ecosystem.
- Server-Side Rendering Risks: As frameworks increasingly adopt server-side rendering and server components for performance benefits, the security implications of processing untrusted data on the server become more critical.
- Rapid Response is Essential: The speed at which threat actors weaponize disclosed vulnerabilities means that coordination between security researchers, vendors, and end users must be faster than ever.
- Defense in Depth: While patches are essential, layered security approaches including WAFs, runtime protection, and monitoring provide crucial additional protection during the vulnerability window.
Looking Forward
The React team and Meta deserve credit for their rapid response once the vulnerability was reported, coordinating with hosting providers and releasing patches within just four days. However, the fact that this critical flaw existed in a default configuration for over a year underscores the challenges of securing modern web frameworks.
As React Server Components and similar technologies become more prevalent, the development community must prioritize security reviews of serialization and deserialization logic. These components represent a significant trust boundary where untrusted client data meets server-side execution capabilities.
Conclusion
CVE-2025-55182 represents one of the most critical vulnerabilities in React's history. With active exploitation already occurring and the potential to affect millions of applications, immediate action is required. Development teams should prioritize patching vulnerable applications, implement additional protective measures, and verify that their entire stack is updated.
This incident serves as a stark reminder that even the most popular and well-maintained frameworks can harbor critical vulnerabilities. Staying informed about security disclosures, maintaining up-to-date dependencies, and implementing defense-in-depth strategies are not optional—they're essential practices for modern web development.
If you're running React 19 or Next.js 15+/16.x with the App Router, don't wait. Update now.