
React2Shell RCE in React Server Components

Two new critical vulnerabilities, CVE-2025-55182 and CVE-2025-66478, published by the React maintainers and dubbed "React2Shell", enable unauthenticated, zero-click RCE in React Server Components and Next.js. Given the frameworks' ubiquity, with over 65 million weekly downloads and over 1.5 billion downloads in 2025 so far, exposure is widespread. Active exploitation is confirmed in the wild, likely including activity from state-sponsored APTs.

Why this vulnerability is so bad

React2Shell exploits the React Server Components Flight protocol to achieve unauthenticated remote code execution via a crafted payload. In our internal testing, we successfully achieved arbitrary file writes, restricted only by the permissions of the running Next.js process. This highlights a crucial architectural nuance: while the exposure is massive, with Wiz (https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182) reporting that 39% of cloud environments are vulnerable, the actual impact is often tempered by architecture. If the application runs in a sandboxed container or as a low-privileged user, the attacker's ability to move laterally is significantly constrained.

Check if you’re affected

Because React and Next.js are typically installed via npm, most teams can assess their exposure by auditing their package.json files or running dependency checks (e.g., npm list next or npm list react).

  • You are likely vulnerable if: You are running React 19.0, 19.1, or 19.2 with Server Components enabled, or Next.js 15 or 16 using the App Router. Assume you are compromised until proven otherwise.
  • You are likely safe if: Your application is a traditional client-side React app (SPA) with no React Server Components support and no framework implementing the Flight protocol.

The Rule of Thumb: If you are utilizing the new server-side features in React 19, treat React2Shell as an immediate incident response item, not a routine maintenance upgrade.

What you need to update

Remediation depends on how you consume React Server Components. There are two primary scenarios:

  • If you use React Server Components directly, you need to be on one of the fixed React versions. The React team has patched the affected packages react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack in versions 19.0.1, 19.1.2 and 19.2.1. Anything below those versions in the 19 line is vulnerable.
  • If you use Next.js with the App Router, you inherit the same bug through its implementation of React Server Components and the Flight protocol. Vercel has released patches in the following releases: Next.js 16.0.7 and Next.js 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8 and 15.5.7. Experimental canary builds from 14.3.0-canary.77 onward are also affected and require updating.

In practice the safest option is to upgrade React and Next.js to their latest supported releases across all services that use server components, then redeploy everything that talks to the internet.

What you should do right now

  1. Audit Dependencies: Confirm whether your application uses React Server Components or a framework that implements them. If your versions fall within the ranges listed above, assume exposure.
  2. Patch and Redeploy: Execute this immediately. This is a security emergency, not a feature upgrade.
  3. Enable WAF Rules: If you utilize a Web Application Firewall (WAF) from a cloud provider or third party, enable rules specifically targeting CVE-2025-55182 or React2Shell. While major providers have shipped signatures, view this as a safety net, not a substitute for patching.
  4. Forensic Review:
    1. Analyze logs for unusual requests targeting your React server functions or Next.js server action endpoints. Focus on activity since late November, particularly if you were running vulnerable versions during that window.
    2. Look for recently created or altered files that you did not expect.
    3. If you find evidence of manipulation, it is highly recommended that you restore code to a previous known-good version and rotate all secrets.

If you are not sure, we can help

The most challenging aspect for many organizations is accurately determining their attack surface, specifically, verifying if they have vulnerable React Server Components exposed to the public internet.

For the SecureIT team, this is routine work. We can rapidly scan your internet-facing estate, source code, and dependency graph to identify services exposing vulnerable Flight endpoints. Beyond identification, we can assist in planning and executing upgrades, as well as hardening WAF and network controls around your critical applications. If you need an independent verification of your exposure to React2Shell, or a comprehensive security review of your React and Next.js stack, contact our team. We will provide a clear assessment of your risk and the specific steps required to secure your environment.