Critical React2shell Vulnerability (CVE-2025-55182, CVE-2025-66478) Enables Unauthenticated RCE in React Server Components and Next.js

  • Rescana
  • Dec 4, 2025
  • 5 min read

Executive Summary

A critical vulnerability, codenamed React2shell, has been identified in React Server Components (RSC) and Next.js, tracked as CVE-2025-55182 for React and CVE-2025-66478 for Next.js. The flaw lets an unauthenticated attacker execute arbitrary code on affected servers: no credentials or prior access are needed, only network reachability of the application. It carries the maximum CVSS score of 10.0, reflecting both the impact and the ease of exploitation. The issue is rooted in unsafe deserialization logic in the React Flight protocol, the wire format that RSC and the Next.js App Router use to exchange component trees and Server Function calls between client and server. Given the wide adoption of these frameworks in cloud, SaaS and enterprise environments, the attack surface is vast, and exploitation in the wild is already being observed. Immediate action is required: default deployments are vulnerable and exploitation requires no authentication.

Technical Information

The vulnerabilities CVE-2025-55182 (React RSC) and CVE-2025-66478 (Next.js App Router) stem from a logical deserialization flaw in the React Flight protocol, which carries client-server communication in applications that use React Server Components. An attacker crafts a malicious HTTP POST request to a Server Function endpoint; when the vulnerable deserialization logic processes the payload, arbitrary JavaScript runs on the server.

The affected packages are react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack, which contain the server-side Flight deserializer. Frameworks and bundlers that bundle them, such as Next.js, React Router (RSC preview), Waku, @parcel/rsc, @vitejs/plugin-rsc and RedwoodJS, are also impacted. The vulnerability is present in the React RSC packages at versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0. For Next.js it is present in 14.3.0-canary.77 and later canary releases, in every 15.x release that predates the patched release of its minor line (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8 and 15.5.7 respectively), and in all 16.x releases prior to 16.0.7.

The root cause is unsafe handling of serialized payloads on the server side of the React Flight protocol. The deserializer does not adequately validate the contents of a specially crafted payload sent to a Server Function endpoint, so attacker-controlled input reaches code paths that execute with the privileges of the server process. This is particularly dangerous because the attack does not require authentication and the vulnerable endpoints are exposed by default in many deployments.

The impact of successful exploitation is full remote code execution as the server process user. This can lead to data theft, lateral movement within the network, deployment of ransomware, or complete compromise of the affected environment. According to reports from Wiz and Unit 42 (Palo Alto Networks), approximately 39% of cloud environments are vulnerable, with over 968,000 servers exposed to the internet.

Indicators of compromise include unusual or malformed HTTP POST requests to Server Function endpoints (in Next.js these are POSTs to ordinary App Router routes that carry a Next-Action header, not requests to a dedicated /api/ path; other RSC frameworks expose their own server-function route), unexpected server-side JavaScript execution, new child processes spawned by the Node.js runtime (for example a shell launched from the application process), and outbound connections from the server to attacker-controlled infrastructure.

Exploitation in the Wild

Exploitation of these vulnerabilities is trivial and requires only network access to the vulnerable endpoint. No authentication or special setup is needed, and default framework configurations are exploitable. An attacker sends a malicious HTTP POST to a Server Function endpoint (in Next.js, any App Router route, since Server Functions are dispatched by the Next-Action request header rather than by a separate /api/ path) to trigger the vulnerability.

Security researchers and vendors have confirmed that exploitation is occurring in the wild. The scale of exposure is significant: Wiz reports that 39% of cloud environments are vulnerable, and Unit 42 has identified over 968,000 exposed servers. The attack vector is straightforward: an attacker crafts a payload that, when deserialized by the vulnerable server, results in arbitrary code execution.

Indicators of active exploitation include spikes in malformed HTTP requests to Server Function endpoints, unexpected server-side process creation, and anomalous outbound network traffic. Organizations should monitor their logs for these signs and investigate any suspicious activity immediately.
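The request-level indicators described above (malformed or unexpected action POSTs, spikes of them from one source, and the failed attempts that precede a working one) can be turned into detection logic. The following script is an added example, not code from the advisory or from any vendor: it scans JSON access-log lines from a reverse proxy for action POSTs whose Next-Action header value is not one the application actually exports, for bursts of action POSTs from a single source, and for repeated 5xx responses to action POSTs. The field names (ts, src_ip, method, path, status, next_action) are an assumed log schema, the log lines are constructed for illustration, and knownActionIds is assumed to be loaded from the application's own build output (the set of action ids it really exports).

```javascript
// Added example, not code from the advisory: scan reverse-proxy access logs for
// the request-level indicators this advisory describes. The JSON field names
// (ts, src_ip, method, path, status, next_action) are an assumed schema, the
// log lines below are constructed, and knownActionIds is assumed to be loaded
// from the application's build output (the action ids it really exports).

function logLine(ts, src_ip, method, path, status, next_action) {
  const rec = { ts, src_ip, method, path, status };
  if (next_action !== undefined) rec.next_action = next_action; // header present on action POSTs only
  return JSON.stringify(rec);
}

// Constructed: an action id the app legitimately exports, used by a normal user.
const LEGIT_ACTION = "7f3c1b9a0e2d4c6b8a1f3e5d7c9b1a3f5e7d9c1b";

const SAMPLE_LOGS = [
  logLine("2025-12-04T10:00:01Z", "10.0.0.5", "POST", "/checkout", 200, LEGIT_ACTION),
  logLine("2025-12-04T10:02:11Z", "10.0.0.5", "GET", "/", 200),
  logLine("2025-12-04T10:02:40Z", "10.0.0.5", "POST", "/checkout", 200, LEGIT_ACTION),
  // one client spraying action POSTs across unrelated routes, all failing
  logLine("2025-12-04T10:05:00Z", "203.0.113.9", "POST", "/", 500, "deadbeef"),
  logLine("2025-12-04T10:05:05Z", "203.0.113.9", "POST", "/about", 500, "deadbeef"),
  logLine("2025-12-04T10:05:10Z", "203.0.113.9", "POST", "/login", 500, "deadbeef"),
  logLine("2025-12-04T10:05:15Z", "203.0.113.9", "POST", "/blog", 500, "deadbeef"),
  logLine("2025-12-04T10:05:20Z", "203.0.113.9", "POST", "/pricing", 500, "deadbeef"),
  logLine("2025-12-04T10:05:25Z", "203.0.113.9", "POST", "/docs", 500, "deadbeef"),
  "not json at all", // malformed line, must be skipped rather than crash the scan
];

// Keep only parseable POSTs that carry a Next-Action header.
function parseActionRequests(lines) {
  const out = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; }
    const t = Date.parse(rec.ts);
    if (Number.isNaN(t) || rec.method !== "POST" || rec.next_action === undefined) continue;
    out.push({ ...rec, t });
  }
  return out;
}

function detect(lines, { knownActionIds, windowMs = 60000, burstThreshold = 5, errorThreshold = 3 }) {
  const alerts = [];
  const requests = parseActionRequests(lines);

  // Rule 1: an action id the application never exported. Legitimate clients
  // only send ids that appear in the app's build manifest.
  for (const r of requests) {
    if (!knownActionIds.has(r.next_action)) {
      alerts.push({ rule: "unknown_action_id", src_ip: r.src_ip, path: r.path, next_action: r.next_action });
    }
  }

  const byIp = new Map();
  for (const r of requests) {
    if (!byIp.has(r.src_ip)) byIp.set(r.src_ip, []);
    byIp.get(r.src_ip).push(r);
  }
  for (const [src_ip, rs] of byIp) {
    rs.sort((a, b) => a.t - b.t);
    // Rule 2: burst of action POSTs from one source inside a sliding time window.
    let lo = 0, peak = 0;
    for (let hi = 0; hi < rs.length; hi++) {
      while (rs[hi].t - rs[lo].t > windowMs) lo++;
      peak = Math.max(peak, hi - lo + 1);
    }
    if (peak >= burstThreshold) {
      alerts.push({ rule: "action_burst", src_ip, count: peak, distinct_paths: new Set(rs.map((r) => r.path)).size });
    }
    // Rule 3: repeated 5xx on action POSTs, the trace of failed or probing attempts.
    const errors = rs.filter((r) => r.status >= 500).length;
    if (errors >= errorThreshold) alerts.push({ rule: "action_5xx", src_ip, count: errors });
  }
  return alerts;
}

function main() {
  const alerts = detect(SAMPLE_LOGS, { knownActionIds: new Set([LEGIT_ACTION]) });
  for (const a of alerts) console.log(JSON.stringify(a));
  return alerts;
}

if (typeof require !== "undefined" && require.main === module) main();
```

Run against the constructed sample, the benign client produces no alerts while the spraying client trips all three rules. The thresholds are starting points to tune against a baseline of normal action traffic; a single unknown action id is strong signal on its own because the id space is fixed at build time. The host-side indicators (child processes spawned by the Node.js runtime, new outbound connections) are not visible in access logs and need process auditing or EDR telemetry on the server.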

APT Groups using this vulnerability

As of this report, no specific APT group attribution has been made public. However, the ease of exploitation and the widespread use of React and Next.js make this vulnerability attractive to both criminal and state-sponsored actors. Exploitation maps to MITRE ATT&CK T1190 (Exploit Public-Facing Application) for the initial access and T1059 (Command and Scripting Interpreter) for the code that runs once the payload is deserialized, techniques commonly used by advanced persistent threats. Given the triviality of exploitation and the high impact, both opportunistic and targeted attacks are expected to increase rapidly, and adoption by APT groups is considered imminent.

Affected Product Versions

The affected product versions are as follows: React RSC (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0; Next.js 14.3.0-canary.77 and later canary releases, every 15.x release that predates the patched release of its minor line (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8 and 15.5.7), and all 16.x releases prior to 16.0.7. Other frameworks and bundlers that implement or bundle the vulnerable RSC protocol, such as React Router RSC preview, Waku, RedwoodJS, @parcel/rsc and @vitejs/plugin-rsc, are also affected if they resolve to the vulnerable versions of the underlying packages.

Patched versions are React RSC 19.0.1, 19.1.2 and 19.2.1, and Next.js 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 and 16.0.7. Organizations should verify the versions actually resolved in their lockfiles, not only the ranges declared in package.json, because the react-server-dom-* packages are usually pulled in transitively by the framework and a nested copy can remain at an old version even when the hoisted one is patched.
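The following script is an added example, not code from the advisory or from the React or Next.js projects. It audits an npm package-lock.json (lockfileVersion 2 or 3) against the ranges listed above, walking every installed copy of next and of the three react-server-dom-* packages, nested duplicates included, and classifying each as vulnerable, patched, unaffected, or unknown. The SAMPLE_LOCKFILE it falls back to when no path is given is constructed for illustration. Prerelease versions the advisory does not enumerate are reported as unknown rather than guessed at; the one exception is the 14.3.0-canary.77 and later range the advisory names explicitly.

```javascript
// Added example, not code from the advisory or from the React/Next.js projects:
// audit an npm package-lock.json (lockfileVersion 2 or 3) against the version
// ranges this advisory lists. SAMPLE_LOCKFILE is constructed for illustration.
// Usage: node react2shell-audit.js ./package-lock.json   (exit code 1 if vulnerable)

// First patched release of each affected minor line, from the advisory.
const REACT_RSC_FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
const NEXT_FIXED = {
  "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
  "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7",
};
// Packages that ship the vulnerable Flight deserializer.
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(s).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

function cmpRelease(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// "vulnerable" | "patched" | "unaffected" | "unknown". Prereleases the advisory
// does not enumerate come back "unknown": check the upstream changelog by hand.
function classify(version, fixedByMinor) {
  const v = parseVersion(version);
  if (!v || v.pre) return "unknown";
  const fixed = fixedByMinor[`${v.major}.${v.minor}`];
  if (!fixed) return "unaffected";
  return cmpRelease(v, parseVersion(fixed)) < 0 ? "vulnerable" : "patched";
}

function classifyReactRsc(version) {
  return classify(version, REACT_RSC_FIXED);
}

function classifyNext(version) {
  const v = parseVersion(version);
  // The advisory lists 14.3.0-canary.77 and later canary builds as affected.
  if (v && v.major === 14 && v.minor === 3 && v.patch === 0 && v.pre) {
    const c = /^canary\.(\d+)$/.exec(v.pre);
    if (c) return Number(c[1]) >= 77 ? "vulnerable" : "unaffected";
  }
  return classify(version, NEXT_FIXED);
}

// Walk every installed copy, including nested duplicates under a dependency's
// own node_modules: a hoisted patched copy does not fix a nested old one.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i < 0 || !entry || !entry.version) continue;
    const name = path.slice(i + "node_modules/".length);
    let status = null;
    if (name === "next") status = classifyNext(entry.version);
    else if (RSC_PACKAGES.has(name)) status = classifyReactRsc(entry.version);
    if (status) findings.push({ path, name, version: entry.version, status });
  }
  return findings;
}

// Constructed lockfile fragment: a hoisted vulnerable Next.js, one vulnerable
// and one patched RSC package, and an old nested Next.js that is out of range.
// Note that "react" itself is not in scope; only the react-server-dom-* packages are.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/next": { version: "15.4.7" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/some-tool/node_modules/next": { version: "14.2.33" },
  },
};

function report(findings) {
  for (const f of findings) {
    console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
  }
  return findings.some((f) => f.status === "vulnerable");
}

if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  if (file) {
    const lock = JSON.parse(require("node:fs").readFileSync(file, "utf8"));
    if (report(auditLockfile(lock))) process.exitCode = 1;
  } else {
    report(auditLockfile(SAMPLE_LOCKFILE));
  }
}
```

Run it against each deployable project's lockfile in CI and fail the build on a non-zero exit. The lockfile is the right input because it records what npm actually resolved; a package.json range such as ^19.2.0 tells you nothing about which copy is installed. A "patched" result still needs a rebuild and redeploy before the running instances are safe.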

Workaround and Mitigation

Immediate action is required to mitigate this vulnerability. Organizations must upgrade all affected packages to the patched releases. For React RSC this means installing react-server-dom-webpack, react-server-dom-parcel or react-server-dom-turbopack at 19.0.1, 19.1.2 or 19.2.1, whichever patched release matches your version line. For Next.js, upgrade to the patched release of your minor line (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 or 16.0.7), as detailed in the official Next.js changelog. If you use other frameworks or bundlers such as React Router, Waku, RedwoodJS, Vite or Parcel RSC plugins, update all RSC-related dependencies to releases that resolve to the patched react-server-dom-* packages. A dependency bump only takes effect once the application is rebuilt and the running instances are replaced, so redeploy after upgrading.

In addition to patching, organizations should monitor HTTP traffic to Server Function endpoints for suspicious activity and review server logs for the indicators of compromise described above. As a temporary mitigation, restrict network access to affected applications where possible and apply web application firewall (WAF) rules to block suspicious payloads. Cloudflare and Fastly have deployed emergency WAF rules to block known exploit patterns for customers using their proxy services. Treat WAF rules as a stopgap only: they match known payload patterns and can be bypassed by variants, so they reduce exposure while the upgrade is rolled out but do not replace it.

It is critical to note that no authentication is required for exploitation, and the vulnerability affects default configurations. All organizations using React Server Components or Next.js App Router should treat this as an emergency and patch immediately.

References

Official advisories and technical analyses are available at the following sources: the React Security Advisory, the Next.js Security Advisory (CVE-2025-66478), The Hacker News, Wiz Blog, Aikido Security, Endor Labs, NVD: CVE-2025-55182, and NVD: CVE-2025-66478.

Rescana is here for you

Rescana is committed to helping organizations manage and mitigate third-party risk across their digital supply chain. Our TPRM platform provides continuous monitoring, automated risk assessment, and actionable insights to help you stay ahead of emerging threats. If you have any questions about this advisory or require assistance with incident response, our team is ready to help. Please contact us at ops@rescana.com.
