Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution


  • Vulnerability: React2shell (CVE-2025-55182) allows unauthenticated remote code execution.
  • Impact: Affects React Server Components and Next.js App Router.
  • Mitigation: Apply patches, deploy WAF rules, and monitor HTTP traffic.


The Vulnerability: React2shell (CVE-2025-55182)

On December 3rd, 2025, a high-severity vulnerability impacting React Server Components (RSC) was publicly disclosed. This flaw, designated CVE-2025-55182 and nicknamed React2shell, enables unauthenticated remote code execution. This blog post will summarize the details of the vulnerability, its impact, and available mitigation strategies.

The core of the issue lies in how React handles payloads sent to React Server Function endpoints. A logical deserialization vulnerability exists due to the unsafe processing of these RSC payloads. An attacker can craft a malicious HTTP request targeting any Server Function endpoint. When React deserializes this request, it can lead to the execution of arbitrary JavaScript code on the server.

According to security firm Aikido, the problem resides in the unsafe handling of serialized payloads within the React Flight protocol. Malformed or adversarial payloads can inadvertently influence server-side execution. Patched versions of React address this by implementing stricter validation and improved deserialization behavior.


Impacted Packages and Versions

The vulnerability affects the following npm packages:

  • react-server-dom-webpack (versions 19.0, 19.1.0, 19.1.1, and 19.2.0)
  • react-server-dom-parcel (versions 19.0, 19.1.0, 19.1.1, and 19.2.0)
  • react-server-dom-turbopack (versions 19.0, 19.1.0, 19.1.1, and 19.2.0)

The issue has been resolved in versions 19.0.1, 19.1.2, and 19.2.1.

Next.js Impact (CVE-2025-66478)

The vulnerability also impacts Next.js when using the App Router. This is tracked as CVE-2025-66478. Affected versions include >=14.3.0-canary.77, >=15, and >=16. Patched versions are 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, and 15.0.5.

Broader Implications

Any library that bundles RSC is potentially vulnerable. This includes the Vite RSC plugin, the Parcel RSC plugin, the React Router RSC preview, RedwoodJS, and Waku.

Ease of Exploitation

Security researchers at Endor Labs, Miggo Security, and VulnCheck have confirmed that exploiting the flaw requires no special setup. It requires no authentication and is exploitable over HTTP. An attacker only needs network access to send a crafted HTTP request to a Server Function endpoint. The vulnerability affects default framework configurations, meaning standard deployments are immediately exploitable.

Justin Moore, senior manager of threat intel research at Palo Alto Networks Unit 42, highlighted the scale of the potential attack surface, noting that over 968,000 servers running modern frameworks like React and Next.js have been identified. He described the flaw as a “master key exploit” that abuses the system’s trust in incoming data structures, leading to the execution of malicious payloads with the same reliability as legitimate code.

Mitigation Strategies

Several mitigation strategies can be implemented:

  • Apply Patches: Upgrade to the patched versions of react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack, and Next.js.
  • Web Application Firewall (WAF) Rules: Deploy WAF rules to filter malicious requests.
  • Monitor HTTP Traffic: Monitor HTTP traffic to Server Function endpoints for suspicious or malformed requests.
  • Restrict Network Access: Temporarily restrict network access to affected applications.
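As an added example (not code from the advisory or from the React or Next.js projects), the following Node.js script checks exact installed versions, as found in a lockfile, against the affected and patched versions listed above for the three react-server-dom packages and Next.js. It uses a minimal inline semver comparison so that prerelease tags such as 14.3.0-canary.77 order correctly, and it reports version lines the advisory does not enumerate rather than assuming they are safe; the SAMPLE_DEPS map is constructed.

```javascript
// Added example (not from the advisory or the React/Next.js projects): flag
// installed RSC packages and Next.js against the affected/patched versions above.
const RSC_PACKAGES = ['react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack'];
const RSC_FIXED = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };
const NEXT_FIXED = { '16.0': '16.0.7', '15.5': '15.5.7', '15.4': '15.4.8',
  '15.3': '15.3.6', '15.2': '15.2.6', '15.1': '15.1.9', '15.0': '15.0.5' };
const NEXT_FIRST_AFFECTED = '14.3.0-canary.77';

// Exact versions only (as in a lockfile); ranges like ^19.2.0 return null.
function parse(v) {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  return m && { major: +m[1], minor: +m[2], patch: +(m[3] || 0), pre: m[4] ? m[4].split('.') : null };
}

// Minimal semver ordering: numeric core, then prerelease sorts below its release.
function cmp(a, b) {
  const x = parse(a), y = parse(b);
  for (const k of ['major', 'minor', 'patch']) if (x[k] !== y[k]) return x[k] - y[k];
  if (!x.pre || !y.pre) return (x.pre ? -1 : 0) + (y.pre ? 1 : 0);
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined || q === undefined) return p === undefined ? -1 : 1;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) { if (+p !== +q) return +p - +q; continue; }
    if (pn !== qn) return pn ? -1 : 1;
    if (p !== q) return p < q ? -1 : 1;
  }
  return 0;
}

// Returns null for packages outside the advisory's scope.
function assess(name, version) {
  if (!RSC_PACKAGES.includes(name) && name !== 'next') return null;
  if (!parse(version)) return { name, version, status: 'unparseable' };
  if (name === 'next' && cmp(version, NEXT_FIRST_AFFECTED) < 0)
    return { name, version, status: 'not-affected' };
  const line = version.replace(/^v?(\d+\.\d+).*$/, '$1');
  const fixed = (name === 'next' ? NEXT_FIXED : RSC_FIXED)[line];
  if (fixed) return { name, version, fixed, status: cmp(version, fixed) < 0 ? 'vulnerable' : 'patched' };
  // Next.js >= 14.3.0-canary.77 is affected even where no fix is listed for its
  // line; RSC lines the advisory does not enumerate are reported, not assumed safe.
  return { name, version, fixed: null, status: name === 'next' ? 'affected-no-fix-listed' : 'not-listed' };
}

// Constructed sample in the shape of a package.json "dependencies" map.
const SAMPLE_DEPS = { next: '15.4.7', 'react-server-dom-webpack': '19.2.0',
  'react-server-dom-turbopack': '19.2.1', react: '19.2.0' };
const scan = (deps) => Object.entries(deps).map(([n, v]) => assess(n, v)).filter(Boolean);
console.table(scan(SAMPLE_DEPS));
```

Point scan() at the resolved versions from your lockfile rather than the ranges in package.json; anything reported as vulnerable or affected-no-fix-listed should be upgraded to the patched versions named above.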

Cloudflare has deployed a safeguard in its cloud-based WAF solution to address CVE-2025-55182. Customers on free and paid plans are protected as long as their React application traffic is proxied through Cloudflare.

Practical Takeaways

Technical Readers:

  • Immediately assess your applications for the use of affected React and Next.js versions.
  • Prioritize patching vulnerable components.
  • Implement WAF rules to detect and block malicious requests targeting Server Function endpoints. Consider using a cyber threat intelligence platform to get ahead of the threat.
  • Review and harden the deserialization process within your React applications.
  • Implement network segmentation to limit the potential impact of a successful exploit.
  • Utilize a breach detection system to identify any potential intrusions.
  • Conduct penetration testing to identify vulnerabilities in your applications.

Non-Technical Readers:

  • Ensure your development teams are aware of this vulnerability and are taking steps to mitigate it.
  • Verify that your organization’s security policies include regular patching and vulnerability management.
  • Assess your reliance on third-party libraries and frameworks, and ensure their security is regularly evaluated via supply-chain risk monitoring.
  • Incorporate real-time ransomware intelligence into your decision making to avoid being impacted.
  • Consider leveraging a dark web monitoring service to identify potential threats targeting your organization.

Relevance to PurpleOps Services

The React2shell vulnerability underscores the importance of several PurpleOps services:

  • Cyber Threat Intelligence: Proactive identification of emerging threats, including vulnerabilities like React2shell, is crucial. PurpleOps’ cyber threat intelligence platform can provide early warnings and actionable insights.
  • Breach Detection: Rapidly detecting and responding to intrusions is essential. PurpleOps offers breach detection services to identify and contain security incidents.
  • Penetration Testing: Regularly assessing the security posture of applications and infrastructure is vital. PurpleOps provides penetration testing services to identify vulnerabilities and weaknesses.
  • Supply Chain Risk Monitoring: Understanding and mitigating risks associated with third-party software is critical. PurpleOps offers supply-chain risk monitoring to assess the security of your software supply chain.
  • Dark Web Monitoring: Monitoring the dark web for discussions and activities related to this vulnerability can provide valuable insights into potential attacks. PurpleOps’ dark web monitoring service can help identify potential threats targeting your organization.
  • Brand Leak Alerting: PurpleOps helps you manage and protect your brand by finding data leaks.
  • Live Ransomware API: This helps with ransomware early warning.

By leveraging these services, organizations can enhance their security posture and better protect themselves against vulnerabilities like React2shell.

Given the severity and ease of exploitation of this vulnerability, it is imperative to take immediate action to mitigate the risks.

To learn more about how PurpleOps can help your organization address this and other cybersecurity threats, please visit PurpleOps platform or contact us for more information at PurpleOps services.

FAQ

Q: What is React2shell?

A: React2shell is a high-severity vulnerability (CVE-2025-55182) affecting React Server Components (RSC) that allows unauthenticated remote code execution.

Q: Which versions of React and Next.js are affected?

A: Affected React versions include react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack (versions 19.0, 19.1.0, 19.1.1, and 19.2.0). Affected Next.js versions include >=14.3.0-canary.77, >=15, and >=16.

Q: How can I mitigate this vulnerability?

A: Mitigation strategies include applying patches, deploying WAF rules, monitoring HTTP traffic, and restricting network access.