A maximum-severity security flaw has been disclosed in React Server Components (RSC) that, if successfully exploited, could result in remote code execution.
The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0 and has been codenamed React2shell.
It allows "unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints," the React Team said in an alert issued today.
"Even if your app does not implement any React Server Function endpoints, it may still be vulnerable if your app supports React Server Components."
According to cloud security firm Wiz, the issue is a case of logical deserialization that stems from processing RSC payloads in an unsafe manner. As a result, an unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves execution of arbitrary JavaScript code on the server.
"The issue stems from unsafe handling of serialized payloads in the React Flight protocol," software supply chain security company Aikido said. "Malformed or adversarial payloads can influence server-side execution in unintended ways. Patched React versions include stricter validation and hardened deserialization behavior."
The vulnerability impacts versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of the following npm packages:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
It has been addressed in versions 19.0.1, 19.1.2, and 19.2.1. New Zealand-based security researcher Lachlan Davidson has been credited with discovering and reporting the flaw to Meta on November 29, 2025. The social media giant originally created and maintained the JavaScript library before moving it to the React Foundation in October 2025.
It's worth noting that the vulnerability also affects Next.js using App Router. The issue was initially assigned the CVE identifier CVE-2025-66478 (CVSS score: 10.0), but it has since been rejected by the NIST National Vulnerability Database (NVD) as a duplicate of CVE-2025-55182. It impacts versions >=14.3.0-canary.77, >=15, and >=16. Patched versions are 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, and 15.0.5.
That said, any library that bundles RSC is likely to be affected by the flaw. This includes, but is not limited to, Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodJS, and Waku.
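A lockfile audit that flags the affected package versions listed above, added here as an example and not tooling from the React or Next.js projects; the package-lock.json excerpt is constructed, and Next.js minor lines without a listed fix are conservatively treated as affected:

```javascript
// Added example: check resolved versions in a package-lock.json (v2/v3 "packages"
// map) against the affected releases quoted in the advisory for CVE-2025-55182.
const RSC_PACKAGES = ["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"];
const RSC_AFFECTED = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]); // fixed: 19.0.1, 19.1.2, 19.2.1
// First patched patch level per Next.js minor line (16.0.7, 15.5.7, 15.4.8, ...).
const NEXT_FIXED = { "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6, "15.4": 8, "15.5": 7, "16.0": 7 };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], canary: m[4] === undefined ? null : +m[4] };
}

function nextIsVulnerable(v) {
  const p = parseVersion(v);
  if (!p || p.major < 14) return false;
  // Affected range starts at 14.3.0-canary.77; earlier 14.x releases are out of scope.
  if (p.major === 14) return p.minor === 3 && p.patch === 0 && p.canary !== null && p.canary >= 77;
  const fixed = NEXT_FIXED[`${p.major}.${p.minor}`];
  if (fixed === undefined) return true; // assumption: >=15 line with no listed fix is affected
  if (p.canary !== null) return true;   // canary prereleases precede the stable fix
  return p.patch < fixed;
}

function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!meta || !meta.version) continue;
    const name = path.replace(/^.*node_modules\//, ""); // handles nested node_modules paths
    const hit = (RSC_PACKAGES.includes(name) && RSC_AFFECTED.has(meta.version)) ||
                (name === "next" && nextIsVulnerable(meta.version));
    if (hit) findings.push({ name, version: meta.version, cve: "CVE-2025-55182" });
  }
  return findings;
}

// Constructed lockfile excerpt for illustration (not from a real project).
const SAMPLE_LOCK = {
  packages: {
    "node_modules/next": { version: "15.5.6" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react": { version: "19.2.1" },
  },
};
console.log(auditLock(SAMPLE_LOCK)); // two findings: next 15.5.6, react-server-dom-webpack 19.2.0
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of SAMPLE_LOCK.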
Endor Labs, Miggo Security, and VulnCheck have all emphasized that no special setup is required to weaponize the flaw, adding that it's exploitable both without requiring a login and over HTTP.
"An attacker needs only network access to send a crafted HTTP request to any Server Function endpoint," Endor Labs said. "The vulnerability affects default framework configurations, meaning standard deployments are immediately exploitable without special conditions."
Until patches can be applied, it's recommended to deploy Web Application Firewall (WAF) rules if available, monitor HTTP traffic to Server Function endpoints for any suspicious or malformed request, and consider temporarily restricting network access to affected applications.
Web infrastructure provider Cloudflare said it has deployed a new safeguard in its cloud-based WAF solution to address CVE-2025-55182. It noted that all customers on free and paid plans are protected "as long as their React application traffic is proxied" through the service. Akamai, Amazon Web Services (AWS), Fastly, and Google Cloud have also deployed similar rules to counter the threat.
Wiz said 39% of cloud environments have instances vulnerable to CVE-2025-55182 and/or CVE-2025-66478. In light of the severity of the vulnerability, it's advised that users apply the fixes as soon as possible for optimal protection.
Justin Moore, senior manager of threat intel research at Palo Alto Networks Unit 42, said more than 968,000 servers running modern frameworks like React and Next.js have been identified, exposing a lucrative attack surface that's ripe for exploitation.
"This newly discovered flaw is a critical threat because it is a master key exploit, succeeding not by crashing the system, but by abusing its trust in incoming data structures," Moore said. "The system executes the malicious payload with the same reliability as legitimate code because it operates exactly as intended, but on malicious input."
Additional Details of CVE-2025-55182 Emerge
In a report published Wednesday, OX Security said the vulnerability exists due to unsafe deserialization of React Flight reply payloads on the server, leading to unauthenticated remote code execution. Searchlight Cyber has devised an HTTP request that can be used to confirm the presence of the vulnerability.
"The vulnerability resides in the requireModule function within the react-server-dom-webpack package," Upwind researchers Avital Harel and Guy Gilad said. "This function is responsible for resolving and loading the exported functions that a client is trying to call on the server."
An attacker can exploit the flaw by crafting a malicious payload in an HTTP POST request designed to trigger a "Server Action" using "vm.runInThisContext," which causes React to execute the function with the attacker-supplied malicious code as the argument. This, in turn, results in code execution on the server with the same privileges as the Node.js process.
Upwind also noted that while React doesn't expose the vulnerable React Flight reply server endpoint, Next.js does, turning the bug from a theoretical issue into a "real, remotely reachable attack surface."
"These endpoints accept structured Flight payloads directly from the browser," it added. "That means anyone on the internet can send a request, attach their own Flight stream, and rely on Next.js to forward it into React's deserializer. Once that happens, the vulnerable code path handles the payload exactly as if it came from a trusted client."
(The story was updated after publication to include additional insights.)