Security teams worldwide are rushing to patch systems after the disclosure of a critical React vulnerability, CVE-2025-55182, widely known as “React2Shell.”
The flaw affects React Server Components (RSC) and has a maximum CVSS score of 10, the highest possible rating, signaling critical impact and ease of exploitation.
Censys telemetry shows that more than 2.15 million internet‑facing services are running technologies that may be impacted, including applications built with Next.js, Waku, React Router RSC, Vite RSC, Parcel RSC, and RedwoodSDK.

While not all of these instances are confirmed vulnerable, the exposed footprint is massive, and active exploitation has already begun.
React2Shell (CVE-2025-55182)
The bug sits in how React Server Components and related packages handle data sent to Server Function endpoints.
React’s server-side packages (react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack) perform insecure deserialization of JSON payloads.
An unauthenticated attacker can send a specially crafted HTTP request to a vulnerable endpoint, forcing the server to execute arbitrary JavaScript.
In practice, this means a complete remote code execution (RCE) path on the server, with no login required.
React has confirmed that even applications that do not explicitly use Server Functions may still be vulnerable if they support RSC on the server side.
In contrast, pure client‑side React apps that do not use RSC or an RSC‑capable framework are not affected.
The situation is not theoretical. AWS security teams observed China‑nexus threat actors beginning to exploit React2Shell within 24 hours of public disclosure.
Reported groups, including Earth Lamia and Jackpot Panda, are using the vulnerability to gain initial access and then deploy web shells, backdoors, and additional tooling.
CISA has added CVE-2025-55182 to its Known Exploited Vulnerabilities (KEV) catalog, confirming that the vulnerability is actively used in real‑world attacks and must be treated as a priority for federal and private-sector networks alike.
Multiple public proof‑of‑concept exploits have been released, lowering the barrier for opportunistic attackers. Some PoCs, however, are fake or malicious, underscoring the need for caution when handling exploit code.
The following React server packages are affected in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Frameworks and tools that embed or depend on these packages are also impacted, including:
- Next.js (App Router)
- React Router RSC preview
- Waku
- Vite RSC plugin (@vitejs/plugin-rsc)
- Parcel RSC plugin (@parcel/rsc)
- RedwoodSDK
For Next.js, versions 14.3.0‑canary.77 and later, all 15.x, and all 16.x using the App Router should be assumed vulnerable until verified and patched.
Patch and Mitigation
Vendors have already released fixes. React has shipped patched versions 19.0.1, 19.1.2, and 19.2.1, while Next.js has published multiple fixed releases across supported branches, including 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7.
Cloudflare, AWS, and other providers have rolled out WAF rules to block known exploit patterns.
However, researchers have already demonstrated WAF bypass techniques, meaning these defenses should be treated only as a temporary layer, not a replacement for patching.
Organizations are strongly advised to:
- Inventory all internet‑facing assets using React Server Components, Next.js, or other listed frameworks.
- Confirm package and framework versions, prioritizing systems reachable from the public internet.
- Upgrade to the latest patched releases immediately, and then verify deployment.
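The version check behind the inventory steps above, as an added example that is not from the article or from the React/Next.js projects: it classifies each dependency in an npm package-lock.json (lockfileVersion 2 or 3, an assumption about the input) against the affected and fixed versions the advisory lists; the sample lockfile is constructed.

```javascript
// Added example (not from the article or the React/Next.js projects): classify the
// dependency versions in a package-lock.json against the advisory's affected/fixed lists.
const RSC_PACKAGES = new Set(["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"]);
const RSC_AFFECTED = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const RSC_FIXED = new Set(["19.0.1", "19.1.2", "19.2.1"]);
// First fixed Next.js release on each minor branch the advisory names.
const NEXT_FIXED = { "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
                     "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7" };
// Numeric major.minor.patch comparison; a pre-release suffix ("-canary.3") sorts below its base version (semver). Returns <0, 0 or >0.
function compareVersions(a, b) {
  const [baseA, preA] = a.split("-"), [baseB, preB] = b.split("-");
  const na = baseA.split(".").map(Number), nb = baseB.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (na[i] !== nb[i]) return na[i] - nb[i];
  return (preA ? 0 : 1) - (preB ? 0 : 1);
}

// "vulnerable" | "fixed" | "unaffected" | "verify" (Next.js branch with no listed fix:
// the advisory says to assume 15.x/16.x vulnerable until checked).
function assessPackage(name, version) {
  if (RSC_PACKAGES.has(name)) {
    return RSC_AFFECTED.has(version) ? "vulnerable" : RSC_FIXED.has(version) ? "fixed" : "unaffected";
  }
  if (name !== "next") return "unaffected";
  const [major, minor] = version.split(".").map(Number);
  if (major < 14) return "unaffected";
  if (major === 14) { // only 14.3.0-canary.77 and later canaries are listed as affected
    const m = /^14\.3\.0-canary\.(\d+)$/.exec(version);
    return m ? (Number(m[1]) >= 77 ? "vulnerable" : "unaffected") : (minor >= 3 ? "verify" : "unaffected");
  }
  const fixed = NEXT_FIXED[`${major}.${minor}`];
  return !fixed ? "verify" : compareVersions(version, fixed) >= 0 ? "fixed" : "vulnerable";
}

// Walk the "packages" map of a lockfile (lockfileVersion 2/3); key "" is the project root.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path || !entry.version) continue;
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const status = assessPackage(name, entry.version);
    if (status !== "unaffected") findings.push({ name, version: entry.version, status });
  }
  return findings;
}
// Constructed sample lockfile, not a real project.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: { "": { name: "demo-app", version: "1.0.0" },
  "node_modules/next": { version: "15.3.2" }, "node_modules/react": { version: "19.1.1" },
  "node_modules/react-server-dom-webpack": { version: "19.1.1" } } };
console.log(scanLockfile(SAMPLE_LOCK)); // next 15.3.2 and react-server-dom-webpack 19.1.1 are "vulnerable"
```

Run it against each deployed application's lockfile; anything reported as "verify" is a branch without a listed fix and should be treated as vulnerable until confirmed with the vendor's release notes.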
Given the scale of exposed services and the presence of active exploitation, any unpatched RSC‑enabled service should be treated as high risk until updated and thoroughly reviewed for signs of compromise.
