
A critical vulnerability in React Server Components, tracked as CVE-2025-55182 and dubbed React2Shell, exposes vast swaths of cloud applications to unauthenticated remote code execution (RCE).
A related flaw in Next.js, CVE-2025-66478, shares the same root cause. Together, these flaws present one of the most severe threats to modern JavaScript web applications in recent memory.
Discovered by independent researcher Lachlan Davidson and reported to Meta’s bug bounty program on November 29, 2025, the vulnerability stems from insecure deserialization in the React Server Components (RSC) “Flight” protocol. The React team confirmed the issue on November 30, issued fixes by December 1, and publicly disclosed it on December 3, 2025. It carries the highest possible CVSS severity score of 10.0, due to its ease of exploitation, unauthenticated access vector, and impact.
According to Wiz Research, the flaw affects 39% of cloud environments, with Next.js, a popular React framework, present in 69% of them. Crucially, 44% of environments are publicly exposed and running vulnerable Next.js deployments. The vulnerability is trivially exploitable via a single crafted HTTP request to an RSC endpoint, and attacks have shown near 100% reliability in testing.
The flaw exists in default configurations, meaning apps created with tools like create-next-app and deployed without customization are vulnerable. This affects systems using:
- React Server Components (RSC) in versions 19.0 through 19.2.0
- The react-server-dom packages (webpack, parcel, and turbopack)
- Frameworks that bundle or rely on RSC, including Next.js, React Router (RSC preview), RedwoodJS, Waku, Vite’s RSC plugin, and Parcel’s RSC plugin
Even if developers haven't explicitly defined any server functions, the app may still be vulnerable if RSC support is enabled in the stack. The issue lies in how React translates client requests into server function calls: it fails to properly validate the structure of deserialized RSC payloads, which lets attackers inject executable JavaScript directly into server contexts.
React Server Components are increasingly used in modern server-centric architectures, particularly with the Next.js App Router. As this pattern proliferates across the ecosystem, the blast radius of this vulnerability becomes significantly wider.
Immediate action required
Impacted projects should upgrade react-server-dom-* to versions 19.0.1, 19.1.2, or 19.2.1.
Next.js users should move to the patched release of their line: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7, while Canary 14.3.x users are advised to downgrade to stable 14.x.
For RedwoodJS, Waku, @vitejs/plugin-rsc, @parcel/rsc, and others, it is recommended to check official channels and apply the latest patches when they become available.
Temporary mitigations include restricting access to Server Function endpoints, using WAF rules, and monitoring HTTP traffic for anomalous requests.
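The quickest way to confirm exposure is to audit resolved dependency versions against the affected and fixed versions listed above. The following is an added example, not code from the article or from the React or Next.js projects; it assumes a flat map of package name to resolved version (as read from a lockfile) and treats any version line the advisory does not name as "unlisted" rather than guessing.

```javascript
// Added example (not from the article or the React/Next.js projects): audit
// resolved dependency versions against the versions the advisory names.
// Fixed versions named in the advisory, keyed by major.minor line.
const FIXED = {
  "react-server-dom": { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" },
  next: {
    "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
    "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7",
  },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; ranges such as "^19.2.0" are
// rejected on purpose: only resolved (lockfile) versions can be audited.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}
// Semver-style ordering: a prerelease of X sorts before the X release.
function lessThan(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k];
  }
  return a.pre !== null && b.pre === null;
}

// "vulnerable" | "patched" | "unlisted" (line not named by the advisory).
function classify(name, version) {
  const family = name.startsWith("react-server-dom-") ? "react-server-dom"
    : name === "next" ? "next" : null;
  const v = parseVersion(version);
  if (!family || !v) return "unlisted";
  // The advisory tells Canary 14.3.x users to downgrade to stable 14.x.
  if (family === "next" && v.major === 14 && v.minor === 3 && v.pre) return "vulnerable";
  const fixed = FIXED[family][`${v.major}.${v.minor}`];
  if (!fixed) return "unlisted";
  return lessThan(v, parseVersion(fixed)) ? "vulnerable" : "patched";
}

// Audit a dependency map; returns only entries the advisory speaks to.
function audit(deps) {
  return Object.entries(deps)
    .map(([name, version]) => ({ name, version, status: classify(name, version) }))
    .filter((r) => r.status !== "unlisted");
}

// Constructed sample resembling an unpatched create-next-app lockfile (not real data).
const SAMPLE_DEPS = { next: "15.5.6", "react-server-dom-webpack": "19.2.0", react: "19.2.0" };
console.log(JSON.stringify(audit(SAMPLE_DEPS), null, 2));
```

Feed it the `dependencies`/`packages` section of a real lockfile to get a per-package verdict; "unlisted" means the advisory text does not settle that line and the vendor's channels should be checked.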
Davidson warned that many circulating PoCs are misleading or invalid, noting that genuine exploitation does not rely on developers exposing dangerous server-side functionality, but works against default setups.
With over one-third of cloud environments confirmed to contain vulnerable components and exploitation requiring no authentication or prior access, this is a vulnerability likely to see widespread abuse in the coming days and weeks.