PoC Exploit Released for Critical React, Next.js RCE Vulnerability (CVE-2025-55182)

A proof-of-concept (PoC) exploit for CVE-2025-55182, a maximum-severity remote code execution (RCE) flaw in React Server Components, surfaced publicly this week, heightening alarms for developers worldwide.

Dubbed “React2Shell” by some researchers, the vulnerability carries a CVSS score of 10.0 and affects React versions 19.0.0 through 19.2.0, as well as Next.js 15.x and 16.x using App Router. Even applications not explicitly implementing server functions remain exposed if they support React Server Components (RSC).

Security researcher @maple3142 demonstrated the exploit via a Twitter post, showcasing a simple multipart HTTP request that injects a Node.js payload.

The demo spawns a child process, popping open a Linux calculator on the target server without authentication.

An accompanying video captures a curl-like command exploiting the flaw through React’s Flight protocol, bypassing serialization safeguards with techniques like Blob references labeled “$B1337.” Framed as a CTF-style “JS jail” challenge, the shared gist drew praise from the community alongside questions on evasion methods.

The root cause lies in insecure deserialization within the RSC Flight protocol, where malformed payloads pollute object prototypes and hijack server-side execution.

Discovered by Lachlan Davidson and responsibly disclosed to Meta and Vercel on November 29, the issue went public on December 3, prompting swift patches.

A scanner tool was also released to identify endpoints on a network that are vulnerable to CVE-2025-55182.

Amazon threat intelligence reported exploitation attempts by China-nexus groups like Earth Lamia within hours of disclosure. Wiz Research estimates 39% of cloud environments host vulnerable instances, scanning over 968,000 servers.

Palo Alto Networks Unit 42 and others confirmed the attack requires only a crafted POST request to RSC endpoints, achieving near-100% reliability in tests. React’s official advisory urges immediate upgrades, noting the flaw persists in default configurations of popular frameworks.

Developers should audit deployments, apply patches from React 19.2.1+ and Next.js updates, and monitor for anomalies.
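One way to carry out the audit step above, as an added example that is not from the article or from any vendor tool: a Node.js script that reads an npm package-lock.json (lockfile v2/v3 "packages" map) and flags resolved react, react-dom and react-server-dom-* versions in the affected 19.0.0 through 19.2.0 range, plus next 15.x/16.x. The ranges and the 19.2.1 fixed version are the ones the article states; the sample lockfile is constructed for the demo, and since the article gives no fixed Next.js version, next is only flagged by major.

```javascript
// Added example (not the article's code): audit an npm lockfile for the
// React / Next.js ranges the article names as affected by CVE-2025-55182.

// Ranges as stated in the article. Next.js fixed versions are not given on the page.
const REACT_AFFECTED = { min: [19, 0, 0], max: [19, 2, 0], fixed: '19.2.1' };
const NEXT_AFFECTED_MAJORS = [15, 16];

// Parse a resolved "x.y.z" version; returns null for unresolved ranges like "^19.0.0".
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Walk every installed package (including nested node_modules copies).
function collectVersions(lock) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const relevant = name === 'react' || name === 'react-dom' ||
      name.startsWith('react-server-dom-') || name === 'next';
    if (relevant) out.push({ name, version: meta.version, path });
  }
  return out;
}

// Returns one finding per installed copy that falls in an affected range.
function audit(lock) {
  const findings = [];
  for (const { name, version, path } of collectVersions(lock)) {
    const v = parseSemver(version);
    if (!v) continue;
    if (name === 'next') {
      if (NEXT_AFFECTED_MAJORS.includes(v[0]))
        findings.push({ name, version, path, action: 'apply the Next.js security update for this major' });
    } else if (cmp(v, REACT_AFFECTED.min) >= 0 && cmp(v, REACT_AFFECTED.max) <= 0) {
      findings.push({ name, version, path, action: `upgrade to ${REACT_AFFECTED.fixed} or later` });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project): three affected React copies, an
// affected next, and a nested React 18 copy that must NOT be flagged.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/react': { version: '19.1.0' },
  'node_modules/react-dom': { version: '19.1.0' },
  'node_modules/react-server-dom-webpack': { version: '19.1.0' },
  'node_modules/next': { version: '15.3.2' },
  'node_modules/some-lib/node_modules/react': { version: '18.3.1' },
} };
```

Run `audit(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))` against a real lockfile; each finding carries the nested path so transitive copies are not missed.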

While no widespread breaches are confirmed yet, the PoC’s simplicity amplifies risks in production environments. This incident underscores the perils of server-side rendering in modern JavaScript stacks.
