Key Takeaways
- Maximum severity rating: CVE-2025-55182 carries a CVSS score of 10.0, the highest possible rating for security vulnerabilities
- No authentication required: Attackers can execute arbitrary code on vulnerable servers without any login credentials
- Default configurations exposed: Standard Next.js applications created with create-next-app are vulnerable out of the box
- Active exploitation confirmed: China-nexus threat groups began exploitation attempts within hours of public disclosure
- Immediate action required: Upgrade to React 19.2.1+ and Next.js 15.5.7+ or 16.0.7+ without delay
A critical security vulnerability dubbed "React2Shell" has sent shockwaves through the web development community, affecting millions of applications built on React and Next.js. Tracked as CVE-2025-55182, this maximum-severity flaw enables unauthenticated remote code execution through a simple HTTP request—representing one of the most severe vulnerabilities to impact the JavaScript ecosystem since Log4Shell devastated Java applications in 2021.
With React powering an estimated 82% of JavaScript applications according to the 2024 State of JavaScript survey, and Next.js deployed across more than 444,000 publicly accessible servers identified via Shodan reconnaissance, the potential attack surface is staggering. Security researchers at Wiz report that 39% of cloud environments contain vulnerable React or Next.js instances, making immediate remediation essential for any organization running modern web infrastructure.
Understanding the React2Shell Vulnerability
The vulnerability resides in the React Server Components (RSC) architecture, specifically within the "Flight" protocol used to serialize and deserialize data between client and server. React Server Components represent a significant architectural evolution that allows developers to render components on the server rather than the client browser, reducing JavaScript bundle sizes and improving initial page load performance.
However, security researcher Lachlan Davidson discovered that the Flight protocol's deserialization logic contains a critical flaw. When processing specially crafted HTTP requests, the server fails to properly validate the structure of incoming payloads. An attacker can exploit this weakness to inject malicious payloads that, when deserialized by the server, trigger the execution of arbitrary JavaScript code—including system commands through Node.js primitives like child_process.exec.
Critical Security Notice
This vulnerability requires no authentication and affects default configurations. A standard Next.js application created with create-next-app and deployed to production is immediately exploitable without any code modifications by the developer. Datadog security researchers have confirmed near-100% exploitation reliability.
Affected Versions and Components
The vulnerability impacts specific versions of React 19 and cascades downstream to any framework or bundler implementing React Server Components. Organizations must audit their entire stack, as vulnerable dependencies may exist in nested packages not immediately visible in top-level manifests.
| Component | Vulnerable Versions | Patched Versions | CVE Identifier |
|---|---|---|---|
| React (Core) | 19.0.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1 | CVE-2025-55182 |
| Next.js 16.x | < 16.0.7 | 16.0.7+ | CVE-2025-66478 |
| Next.js 15.x | < 15.5.7 | 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 | CVE-2025-66478 |
| Next.js 14.x Canary | ≥ 14.3.0-canary.77 | Downgrade to stable 14.x | CVE-2025-66478 |
| react-server-dom-webpack | 19.0.0 - 19.2.0 | 19.0.1, 19.1.2, 19.2.1 | CVE-2025-55182 |
| react-server-dom-parcel | 19.0.0 - 19.2.0 | 19.0.1, 19.1.2, 19.2.1 | CVE-2025-55182 |
| react-server-dom-turbopack | 19.0.0 - 19.2.0 | 19.0.1, 19.1.2, 19.2.1 | CVE-2025-55182 |
Additional frameworks implementing React Server Components are also affected, including React Router (RSC mode), Waku, RedwoodSDK, the Vite RSC plugin, and the Parcel RSC plugin. Organizations using any of these technologies must verify their dependencies include patched React packages.
Active Exploitation by Nation-State Actors
The security community's worst fears materialized within hours of the public disclosure on December 3, 2025. Amazon Web Services threat intelligence teams detected active exploitation attempts from multiple China-nexus threat groups, demonstrating the increasingly compressed window between vulnerability disclosure and weaponization.
Identified Threat Actors
Earth Lamia
Active since 2023, this China-nexus group targets organizations across Latin America, the Middle East, and Southeast Asia. Their operations focus on educational institutions, financial services, government entities, IT companies, logistics firms, and retailers through web application exploitation.
Jackpot Panda
Operating since 2020, this threat actor conducts cyberespionage operations primarily in East and Southeast Asia. Their campaigns align with Chinese government collection priorities related to domestic security and anti-corruption efforts.
According to AWS CISO CJ Moses, threat actors exhibited sophisticated behavior during exploitation attempts. In one documented case, an unattributed threat cluster spent nearly an hour systematically troubleshooting their exploitation techniques against live targets, executing 116 requests across 52 minutes while testing multiple payloads, Linux command execution, and file operations.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) formally added CVE-2025-55182 to its Known Exploited Vulnerabilities (KEV) catalog on December 5, 2025, requiring Federal Civilian Executive Branch agencies to apply patches by December 26, 2025. Palo Alto Networks Unit 42 researchers have observed scanning for vulnerable systems, reconnaissance activity, attempted theft of AWS configuration and credential files, and installation of downloaders to retrieve additional payloads from attacker command and control infrastructure.
Technical Analysis: How React2Shell Works
The vulnerability exploits the Flight protocol's deserialization mechanism, which React uses to serialize component trees and data for transmission between server and client. When a React Server Function receives an HTTP request, the Flight protocol deserializes the incoming payload to reconstruct the function call and its arguments.
In vulnerable versions, the deserialization logic fails to properly validate payload structure, allowing attackers to manipulate the Chunk.prototype.then resolution pathway. By crafting a malicious payload that exploits Blob deserialization, attackers can force the server to execute arbitrary JavaScript code in the Node.js runtime context.
```bash
# Check installed React version
npm list react
# Check installed Next.js version
npm list next
# Verify the versions the lockfile actually resolved to. Lockfile v2/v3 keys every
# package by its node_modules path, so match the key and print the "version" line after it
grep -A1 -E '"node_modules/(.+/)?(react|next|react-server-dom-[a-z]+)": \{' package-lock.json
# Deep scan for nested copies: every react / next / react-server-dom-* package.json under node_modules
find node_modules \( -path '*node_modules/react/package.json' -o -path '*node_modules/next/package.json' \
  -o -path '*node_modules/react-server-dom-*/package.json' \) -exec grep -H '"version"' {} +
```
The attack vector is particularly dangerous because it operates at the HTTP request handling phase—before application-level authentication logic typically executes. This means even applications with robust authentication mechanisms remain vulnerable if they support React Server Components, as the exploitation occurs during payload processing rather than after user verification.
Immediate Remediation Steps
Organizations must treat this vulnerability with emergency priority. The combination of maximum severity rating, active exploitation, and broad attack surface demands immediate action outside normal patch cycles.
1. Audit Your Environment
Execute `npm list react next` across all applications to identify installed versions. Pay particular attention to monorepos and applications with complex dependency trees where vulnerable packages may exist as nested dependencies. Vercel has released an automated tool, `npx fix-react2shell-next`, that scans and identifies vulnerable installations.
2. Apply Patches Immediately
Upgrade to React 19.2.1 (or 19.0.1/19.1.2 for older branches) and Next.js 16.0.7+ or 15.5.7+ depending on your version branch. For frameworks like Waku, RedwoodJS, or Parcel, inspect your package-lock.json to ensure nested React dependencies resolve to patched versions.
3. Verify Lockfile Resolution
Simply updating package.json is insufficient. Verify that your lockfile has resolved to the patched versions by searching for any remaining references to vulnerable version numbers. Delete node_modules and regenerate your lockfile to ensure clean installation.
4. Restart All Services
Ensure all Node.js processes are fully restarted to load the patched code. In containerized environments, rebuild and redeploy container images. Cached builds or running processes using old code remain vulnerable regardless of updated dependencies.
5. Review Logs for Indicators of Compromise
Filter HTTP access logs for POST requests containing `next-action` or `rsc-action-id` headers. Look for unusual payloads in request bodies, particularly those containing serialized JavaScript objects or references to system commands. Datadog has published indicators of compromise on GitHub for reference.
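An added check for steps 1 to 3 (example code written for this article, not Vercel's fix-react2shell-next tool): it walks a package-lock.json, nested copies included, and flags the versions the table above lists as vulnerable. It assumes each backported patch in the table (for example Next.js 15.1.9) fixes its own minor line, and that stable Next.js 14.x is unaffected; the sample lockfile at the bottom is constructed.

```javascript
// Added example (not Vercel's fix-react2shell-next): scan a package-lock.json (lockfile
// v2/v3 "packages" map, keyed by node_modules path) for versions the advisory table
// lists as vulnerable to CVE-2025-55182 / CVE-2025-66478, nested copies included.
// Assumption: each backport in the table fixes its own minor line (15.1.x safe from 15.1.9).
const REACT19 = { "19.0": 1, "19.1": 2, "19.2": 1 }; // minimum safe patch per major.minor
const FIXED_PATCH = {
  react: REACT19,
  "react-server-dom-webpack": REACT19,
  "react-server-dom-parcel": REACT19,
  "react-server-dom-turbopack": REACT19,
  next: { "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6, "15.4": 8, "15.5": 7, "16.0": 7 },
};
// True when `version` of package `name` falls in a vulnerable range from the table.
function isVulnerable(name, version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(version);
  if (!m) return false; // git/file/link specifiers: inspect those by hand
  const [major, minor, patch] = m.slice(1, 4).map(Number);
  const pre = m[4];
  if (name === "next" && major === 14) {
    // only 14.x canary builds from 14.3.0-canary.77 on are affected; stable 14.x is not
    const c = pre && /^canary\.(\d+)$/.exec(pre);
    return !!c && (minor > 3 || (minor === 3 && (patch > 0 || Number(c[1]) >= 77)));
  }
  const fixed = (FIXED_PATCH[name] || {})[`${major}.${minor}`];
  if (fixed === undefined) return false; // major.minor line not in the advisory table
  return patch < fixed || (patch === fixed && pre !== undefined); // 19.2.1-canary.x precedes 19.2.1
}
// Returns [{ path, name, version }] for every vulnerable entry in a parsed lockfile.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = entry.name || path.split("node_modules/").pop();
    if (Object.hasOwn(FIXED_PATCH, name) && entry.version && isVulnerable(name, entry.version)) {
      hits.push({ path, name, version: entry.version });
    }
  }
  return hits;
}
// Constructed sample: patched top-level React beside a stale nested copy and an old Next.js.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/react": { version: "19.2.1" },
  "node_modules/react-dom": { version: "19.2.1" },
  "node_modules/next": { version: "15.5.6" },
  "node_modules/waku/node_modules/react": { version: "19.1.1" },
} };
// Usage: node check-lock.js [path/to/package-lock.json]; without an argument it scans the sample.
const lock = process.argv[2] ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
for (const h of findVulnerable(lock)) console.log(`VULNERABLE ${h.name}@${h.version} at ${h.path}`);
```

Run it after `npm install` so the lockfile reflects what is actually installed, and re-run after regenerating the lockfile in step 3 to confirm no nested copy was left behind.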
Detection and Monitoring Strategies
Beyond patching, organizations should implement detection capabilities to identify exploitation attempts and potential compromise. Security teams should monitor for specific indicators that suggest React2Shell exploitation activity.
Log Analysis Indicators
- POST requests with `next-action` headers
- Requests containing `$ACTION_REF_0` parameters
- Unusual payloads with serialized JavaScript objects
- Rapid sequential requests from single IP addresses
- Requests targeting `/_next/` endpoints with the POST method
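The log review in step 5 and the indicators above, turned into a triage script (an added example written for this article, not a vendor detection rule): it reads one JSON object per line in a constructed proxy log format with `ts`, `ip`, `method`, `path`, `headers` and `body` fields, flags requests matching the header, body and path indicators, and reports IPs that send several flagged requests inside a short window. The sample log lines are constructed; adapt the field names to your proxy.

```javascript
// Added example (not from the advisory or any vendor): triage proxy access logs for the
// React2Shell indicators listed above. Input is a constructed format, one JSON object
// per line; the burst check implements the "rapid sequential requests" indicator.
const SAMPLE_LOG = [ // constructed: three suspicious POSTs from one IP in 8 seconds, two benign requests
  '{"ts":"2025-12-04T10:15:01Z","ip":"203.0.113.7","method":"POST","path":"/","headers":{"next-action":"7f3a"},"body":"1:$ACTION_REF_0"}',
  '{"ts":"2025-12-04T10:15:03Z","ip":"203.0.113.7","method":"POST","path":"/","headers":{"rsc-action-id":"7f3a"},"body":""}',
  '{"ts":"2025-12-04T10:15:09Z","ip":"203.0.113.7","method":"POST","path":"/_next/x","headers":{},"body":""}',
  '{"ts":"2025-12-04T10:20:00Z","ip":"198.51.100.2","method":"GET","path":"/about","headers":{},"body":""}',
  '{"ts":"2025-12-04T10:21:00Z","ip":"198.51.100.9","method":"POST","path":"/api/login","headers":{"content-type":"application/json"},"body":"{}"}',
];
// Indicator names a single request matches (empty array = nothing suspicious).
function requestIndicators(e) {
  const hits = [];
  if (e.method !== "POST") return hits; // every listed indicator is a POST
  const h = Object.keys(e.headers || {}).map((k) => k.toLowerCase());
  if (h.includes("next-action") || h.includes("rsc-action-id")) hits.push("server-action-header");
  if ((e.body || "").includes("$ACTION_REF_0")) hits.push("action-ref-in-body");
  if ((e.path || "").startsWith("/_next/")) hits.push("post-to-_next");
  return hits;
}
// Parses JSON lines, keeps flagged requests, and reports IPs that sent at least
// `burstCount` flagged requests inside any `windowSec` window.
function analyzeLog(lines, burstCount = 3, windowSec = 60) {
  const flagged = [];
  for (const line of lines) {
    let e;
    try { e = JSON.parse(line); } catch { continue; } // skip malformed lines
    const indicators = requestIndicators(e);
    if (indicators.length) flagged.push({ ts: Date.parse(e.ts), ip: e.ip, path: e.path, indicators });
  }
  const byIp = new Map();
  for (const f of flagged) {
    if (!byIp.has(f.ip)) byIp.set(f.ip, []);
    byIp.get(f.ip).push(f.ts);
  }
  const bursts = [];
  for (const [ip, times] of byIp) {
    times.sort((a, b) => a - b);
    for (let i = 0, j = 0; j < times.length; j++) { // sliding window over sorted timestamps
      while (times[j] - times[i] > windowSec * 1000) i++;
      if (j - i + 1 >= burstCount) { bursts.push({ ip, flaggedRequests: times.length }); break; }
    }
  }
  return { flagged, bursts };
}
const report = analyzeLog(SAMPLE_LOG);
for (const f of report.flagged) console.log(f.ip, f.path, f.indicators.join(","));
for (const b of report.bursts) console.log(`BURST ${b.ip}: ${b.flaggedRequests} flagged requests`);
```

Legitimate Server Action traffic also carries these headers, so treat a single hit as a lead to inspect the body and follow-on host activity, and tune `burstCount` and `windowSec` to your application's normal rate.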
Host-Level Indicators
- Unexpected `child_process` spawning from Node.js
- Creation of files in `/tmp/` directories
- Attempts to read `/etc/passwd` or credential files
- Outbound connections to unknown IP addresses
- Installation of cryptocurrency miners
Enterprise Security Implications
React2Shell represents a sobering reminder that modern web frameworks carry inherent security risks that demand continuous vigilance. The vulnerability's characteristics—maximum severity, pre-authentication exploitation, default configuration exposure—create a perfect storm for enterprise security teams.
According to Censys attack surface management data, approximately 2.15 million internet-facing services may be affected by this vulnerability. Wiz threat researchers report that 39% of cloud environments contain vulnerable React or Next.js instances, with 61% of environments containing Next.js having publicly accessible applications. This exposure spans e-commerce platforms, financial services applications, healthcare systems, and enterprise software across virtually every industry vertical.
Long-Term Security Considerations
Security experts emphasize that React2Shell should prompt organizations to reevaluate their approach to JavaScript framework security. As one researcher noted, any new transport mechanism that allows servers to execute code on behalf of users should receive the same threat modeling discipline as database wire protocols or RPC frameworks—well before becoming production defaults.
Organizations should implement comprehensive dependency management policies, including automated vulnerability scanning in CI/CD pipelines, lockfile monitoring for unexpected changes, and rapid response procedures for critical JavaScript ecosystem vulnerabilities.
Interim Protection: WAF and CDN Mitigations
Major cloud and security providers have deployed protective measures to help mitigate exploitation while organizations patch their applications. However, these protections should be considered temporary measures rather than permanent solutions.
Vercel deployed WAF rules across their globally-distributed platform to automatically protect hosted projects. Cloudflare and Google Cloud have implemented detection rules in their web application firewalls. Fastly released a Virtual Patch that customers can enable through their Next-Gen WAF console. AWS has deployed protections through Sonaris Active Defense and updated AWS WAF managed rules (version 1.24 or higher).
It is critical to understand that WAF rules provide defense-in-depth but should not be relied upon as the sole protection mechanism. Sophisticated attackers may develop bypass techniques, and WAF rules cannot address the fundamental vulnerability in application code. Organizations must prioritize patching even when WAF protections are in place.
Protect Your Organization from React2Shell
The React2Shell vulnerability demands immediate attention from every organization running modern web applications. With nation-state actors actively exploiting this flaw and the attack surface spanning millions of internet-facing applications, the window for proactive remediation is closing rapidly.
ITECS provides comprehensive cybersecurity consulting and managed IT services to help organizations identify vulnerable applications, implement patches, and establish continuous security monitoring. Our security engineering team can audit your web infrastructure, verify remediation effectiveness, and implement detection capabilities to identify potential compromise.
Sources
- React Team. "Critical Security Vulnerability in React Server Components." react.dev, December 3, 2025.
- Vercel Security. "Summary of CVE-2025-55182." vercel.com, December 3, 2025.
- Moses, CJ. "China-nexus cyber threat groups rapidly exploit React2Shell vulnerability." AWS Security Blog, December 4, 2025.
- Tenable Research. "React2Shell RCE FAQ." tenable.com, December 5, 2025.
- Wiz Research. "Critical RCE Vulnerabilities Discovered in React & Next.js." wiz.io, December 3, 2025.
- Datadog Security Labs. "CVE-2025-55182 (React2Shell): Remote code execution in React Server Components." securitylabs.datadoghq.com, December 4, 2025.
- CISA. "Known Exploited Vulnerabilities Catalog." cisa.gov, December 5, 2025.
