Critical React2Shell RCE Hits React and Next.js (CVE-2025-55182 / CVE-2025-66478)

Updated: December 19th, 2025

Product Name: React Server Components, Next.js App Router

Vulnerability: Remote Code Execution via Insecure Deserialization (Flight Protocol)

Vulnerable Version: React 19.0.0–19.2.0, Next.js 15.x and 16.x App Router

CVE: CVE-2025-55182 (duplicate: CVE-2025-66478)

Note: Applications are vulnerable even if they do not explicitly use server functions, as long as they support React Server Components.

React2Shell is a critical, unauthenticated remote code execution vulnerability in React Server Components (RSC) and the Next.js App Router, tracked as CVE-2025-55182 (CVE-2025-66478 was later merged into it as a duplicate). It lets an attacker execute arbitrary code on the server by abusing insecure deserialization in the RSC Flight protocol (CWE-502), and it carries the maximum CVSS score of 10.0.

How was it Discovered, and Why is there a Duplicate CVE?

The issue was discovered by researcher Lachlan Davidson, who reported it to the React team through the Meta Bug Bounty program on November 29, 2025. During early analysis, Next.js was assigned a separate CVE because of how it "vendors" React internally: Next.js ships its own bundled build of React rather than consuming it as a normal external dependency.

As a result:

  • Standard SCA tools may not detect the React vulnerability inside Next.js, because the vulnerable code is not listed as a separate dependency.
  • The vulnerability initially appeared to be unique to Next.js, prompting a separate CVE (CVE-2025-66478).

However, a deeper investigation confirmed that both identifiers referred to the same underlying flaw, the insecure parsing logic in React Server Components, and the US National Vulnerability Database later rejected CVE-2025-66478 as a duplicate.

Note: This often happens when products that integrate the same vulnerable component receive temporary CVE assignments that are consolidated once root cause analysis is complete.

Who is Impacted?

CVE-2025-55182 affects any application that uses React Server Components, or any framework that implements the RSC Flight protocol, including applications that never call a server function themselves, as long as RSC is enabled.

Here is a complete breakdown:

Component / Library | Vulnerable Versions | Patched Versions
Core React RSC packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) | 19.0.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1
Next.js (App Router) | 15.x, 16.x, and canary builds from 14.3.0-canary.77 | 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
Other frameworks (React Router unstable RSC APIs, Waku, RedwoodSDK, Parcel RSC plugin, Vite RSC plugin) | Versions using a vulnerable React RSC implementation | Latest versions with the fixed React dependency

Not Affected

  • Next.js Pages Router
  • Next.js 13.x and stable 14.x
  • Applications using only client-side rendering
  • Deployments using Edge Runtime
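The version table above, turned into a check you can run against what is actually installed. This is an added example, not code from the React or Next.js advisories. The package-to-version map it consumes is constructed (in practice you would fill it from `npm ls --json` or your lockfile), and because Next.js bundles its own React RSC build, exposure of a Next.js app is decided by the `next` version here rather than by whatever `react-server-dom-*` copy an SCA tool happens to see.

```javascript
// Added example: classify installed packages against the vulnerable/patched
// ranges in the React2Shell advisory table. Not part of the original article.

const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// First fixed release per minor line, taken from the table above.
const REACT_PATCHED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
const NEXT_PATCHED = {
  "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
  "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7",
};

// Parse "15.4.7", "14.3.0-canary.77" or a range-prefixed "^16.0.7".
function parseVersion(str) {
  const m = /^[\^~>=<v\s]*(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(str));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Semver-style ordering: numeric triple first; a prerelease (canary) of a
// given triple sorts before the final release of that triple.
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

function assessAgainst(version, patchedByLine, label) {
  const v = parseVersion(version);
  if (!v) return { status: "unknown", reason: `cannot parse "${version}"` };
  const line = `${v.major}.${v.minor}`;
  const fixed = patchedByLine[line];
  if (!fixed) {
    return { status: "unknown", reason: `${label} line ${line} is not in the advisory table; check upstream` };
  }
  if (compareVersions(v, parseVersion(fixed)) < 0) {
    return { status: "vulnerable", reason: `${version} is below ${fixed}` };
  }
  return { status: "patched", reason: `${version} is at or above ${fixed}` };
}

function assessNext(version) {
  const v = parseVersion(version);
  if (!v) return { status: "unknown", reason: `cannot parse "${version}"` };
  // Next.js 13.x and stable 14.x are listed as not affected.
  if (v.major < 14 || (v.major === 14 && v.minor < 3)) {
    return { status: "not-affected", reason: "Next.js 13.x / stable 14.x" };
  }
  if (v.major === 14 && v.minor === 3) {
    // 14.3 only ever shipped as canaries; the advisory names canary.77 as the first vulnerable one.
    const m = /^canary\.(\d+)$/.exec(v.pre || "");
    if (m && +m[1] >= 77) {
      return { status: "vulnerable", reason: `${version} is a 14.3.0 canary at or after canary.77; downgrade or move to a patched 15.x` };
    }
    return { status: "not-affected", reason: "14.3.0 canary before canary.77" };
  }
  return assessAgainst(version, NEXT_PATCHED, "Next.js");
}

// Returns one finding per package that the advisory covers; other packages are ignored.
function assessInstall(install) {
  const findings = [];
  for (const [name, version] of Object.entries(install)) {
    let result = null;
    if (name === "next") result = assessNext(version);
    else if (RSC_PACKAGES.has(name)) result = assessAgainst(version, REACT_PATCHED, "React RSC");
    if (result) findings.push({ name, version, ...result });
  }
  return findings;
}

// Constructed sample of an installed tree; real `npm ls --json` output will differ.
const sampleInstall = {
  next: "15.4.7",
  "react-server-dom-webpack": "19.2.0",
  "react-server-dom-turbopack": "19.2.1",
  react: "19.2.0",
};

for (const finding of assessInstall(sampleInstall)) {
  console.log(`${finding.name}@${finding.version}: ${finding.status} (${finding.reason})`);
}
```

Minor lines the advisory does not list (for example 16.1) come back as `unknown` rather than `patched`, on purpose: the table is the only ground truth the check has, so anything outside it should be confirmed against the upstream release notes rather than assumed safe.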

How Can a Potential Attack be Executed?

Exploitation of CVE-2025-55182, also known as React2Shell, follows a reliable sequence that abuses the unsafe deserialization flaw in the RSC Flight protocol to target React Server Function endpoints, which exist by default in Next.js App Router applications.

1. Crafting the Malicious HTTP Request

The attack begins with an unauthenticated attacker sending a specially crafted multipart HTTP POST request to a server function endpoint.

  • The request carries the internal Next-Action header (for example Next-Action: x), which is what routes the body into the deserializer. The action identifier itself does not matter because the exploit fires before the action is validated.
  • The payload abuses the Flight protocol's colon-delimited reference syntax (for example $1:path:to:prop), which lets a value reference a nested property of another chunk, to set up the prototype pollution.

2. Triggering Unsafe Deserialization

The vulnerability arises from RSC parsing logic that resolves nested property paths without checking that each segment is an own property of the object being walked.

  • By supplying a reference such as $1:__proto__:then, the attacker makes the parser climb the prototype chain, polluting Object.prototype so that every object created afterwards inherits the malicious modification.
  • The attacker replaces the internal Chunk.prototype.then method with one that evaluates arbitrary JavaScript via the Function constructor.

3. Achieving Remote Code Execution

Once the server begins processing the polluted prototype method, the injected function executes within the server environment.

  • The attacker can run privileged Node.js code, such as process.mainModule.require('child_process').execSync('COMMAND'), giving full remote command execution: environment variable theft, credential harvesting, malware installation, or complete server takeover.
  • Exploitation is confirmed to work even on a default Next.js project created using create-next-app.

4. Retrieving Output via the Redirect Method

In production deployments, error output is often suppressed. To reliably exfiltrate results, attackers use a technique known as the Redirect method.

  • The payload throws a crafted NEXT_REDIRECT error with the base64-encoded command output embedded in the error's digest field.
  • Next.js turns that error into an HTTP 303 response and places the encoded output in the x-action-redirect header.
  • The attacker reads that header to confirm execution and recover the command output, so the technique works even when the application hides error details.

What is the Impact of This Vulnerability?

Because of the exploit's reliability, its severity, and how widely React Server Components and the Next.js App Router are deployed, the impact of React2Shell is considered critical, as explained below:

Severity and Exploit Reliability

The flaw carries the maximum CVSS score of 10.0, reflecting how dangerous and easily exploitable it is:

  • Unauthenticated Remote Code Execution: Attackers can run arbitrary commands on the server without credentials or prior access.
  • Works on Default Setups: Even a freshly generated create-next-app project is immediately exploitable with no developer modifications.
  • Predictable Success: Because the vulnerability stems from deterministic deserialization logic, exploitation succeeds almost every time, with no memory-corruption style flakiness.

Consequences of Successful Exploitation

Once exploited, the vulnerability enables complete server compromise:

  • Credential Theft: Attackers can extract environment variables, cloud credentials (such as AWS keys), and other sensitive configuration files.
  • Malware Deployment: Security teams have observed automated installation of cryptocurrency miners like XMRig following successful RCE.
  • System-Level Access: Reconnaissance commands, such as whoami, id, and file access (e.g., /etc/passwd) have been seen in active attacks, including container and Kubernetes cluster compromise.
  • Lateral Movement: With full Node.js execution, attackers can pivot deeper into connected networks and cloud environments.

Note: The flaw was rapidly weaponized, added to the KEV catalog on December 5, 2025, and targeted within hours by China-linked groups such as Earth Lamia and Jackpot Panda.

Astra Security’s Vulnerability Scanner is Actively Detecting React2Shell, the Critical React and Next.js RCE Vulnerability

Astra Security’s research team continuously monitors emerging threats like React2Shell, enabling rapid development of detection logic tailored to real-world exploit behavior. Our scanner now actively identifies vulnerable React Server Component implementations, unsafe Flight protocol endpoints, and known exploit signatures used in React and Next.js RCE attacks.

Are your RSC endpoints still exposed to React2Shell?


What Can You Do?

The only reliable way to protect against React2Shell (CVE-2025-55182 / CVE-2025-66478) is to upgrade all affected React and Next.js components immediately; no configuration workaround removes the underlying deserialization flaw.

Next.js users should update to the patched versions of their major release lines, downgrade vulnerable canary releases, and upgrade React’s RSC packages.

While patching is mandatory, you should also deploy updated WAF rules to block malicious multipart RSC payloads, scan your environments for vulnerable versions of the affected packages, and review logs for indicators of exploitation such as server-action POSTs with placeholder action IDs, Flight references that traverse __proto__, and 303 responses whose x-action-redirect header carries encoded command output.

If you suspect you may have been compromised, isolate the affected servers, rotate every secret they could reach (environment variables, cloud keys, database credentials), and perform a full incident response investigation.
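An added example, not from the advisory, from Next.js or from any WAF vendor, of the log-review side of this advice: heuristic triage of server-action requests and responses for the shapes described in the "How Can a Potential Attack be Executed?" section. All traffic below is constructed; the attack request is a stand-in that carries only the strings the article names (a placeholder Next-Action value, a __proto__ reference path, the child_process primitive) and is not a working payload. The assumption that genuine action IDs are long hex digests is mine, not the article's, and the weights are arbitrary starting points to tune against your own traffic.

```javascript
// Added example: triage captured server-action traffic for React2Shell
// indicators. Header names are assumed to be lower-cased, as Node's http
// module delivers them. Not part of the original article.

const INDICATORS = [
  {
    name: "flight-ref-proto-walk", weight: 10,
    // A Flight reference whose property path walks through __proto__, e.g. $1:__proto__:then.
    // Legitimate references address fields of the serialized model, not the prototype chain.
    test: (req) => /\$\d+:[^\s"']*__proto__/.test(req.body),
  },
  {
    name: "node-exec-primitive", weight: 10,
    // The post-exploitation primitive the article quotes.
    test: (req) => /process\.mainModule|child_process|execSync/.test(req.body),
  },
  {
    name: "function-constructor", weight: 5,
    test: (req) => /\bFunction\s*\(/.test(req.body),
  },
  {
    name: "placeholder-action-id", weight: 3,
    // Assumption: Next.js emits action IDs as long hex digests; "x" is the exploit's placeholder.
    test: (req) => "next-action" in req.headers && !/^[0-9a-f]{40,}$/i.test(req.headers["next-action"]),
  },
];

function inspectRequest(req) {
  // Only POSTs carrying Next-Action reach the server-function deserializer.
  if (req.method !== "POST" || !("next-action" in req.headers)) {
    return { id: req.id, score: 0, hits: [], verdict: "allow" };
  }
  const matched = INDICATORS.filter((i) => i.test(req));
  const score = matched.reduce((s, i) => s + i.weight, 0);
  return { id: req.id, score, hits: matched.map((i) => i.name), verdict: score >= 10 ? "block and investigate" : "allow" };
}

// The Redirect exfiltration method: a 303 whose x-action-redirect value carries
// base64 text instead of a plain path. A real redirect target is a path or URL.
function inspectResponse(res) {
  const target = res.headers["x-action-redirect"];
  if (res.status !== 303 || !target) {
    return { id: res.id, suspicious: false, decoded: null, reason: "no action redirect" };
  }
  // First char must be alphanumeric so a leading "/" of the path is not swallowed.
  const m = /([A-Za-z0-9+][A-Za-z0-9+\/]{23,}={0,2})/.exec(target);
  if (!m) return { id: res.id, suspicious: false, decoded: null, reason: "target looks like a plain path" };
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const printable = /^[\x20-\x7e\r\n\t]+$/.test(decoded);
  return {
    id: res.id, suspicious: printable, decoded: printable ? decoded : null,
    reason: printable ? "redirect target carries base64 text" : "base64-looking segment does not decode to text",
  };
}

// Constructed sample traffic.
const HEX_ACTION_ID = "0123456789abcdef0123456789abcdef01234567"; // constructed 40-hex id

const sampleRequests = [
  { // ordinary form submission to a server action
    id: "req-1", method: "POST",
    headers: { "next-action": HEX_ACTION_ID, "content-type": "multipart/form-data; boundary=----a" },
    body: '------a\r\nContent-Disposition: form-data; name="0"\r\n\r\n["hello"]\r\n------a--\r\n',
  },
  { // stand-in for the attack shape; NOT a working payload, only the strings the article describes
    id: "req-2", method: "POST",
    headers: { "next-action": "x", "content-type": "multipart/form-data; boundary=----b" },
    body: '------b\r\nContent-Disposition: form-data; name="0"\r\n\r\n' +
          '{"then":"$1:__proto__:then","cmd":"process.mainModule.require(\'child_process\').execSync(\'id\')"}\r\n------b--\r\n',
  },
];

const sampleResponses = [
  { id: "res-1", status: 303, headers: { "x-action-redirect": "/dashboard" } },
  { id: "res-2", status: 303, headers: { "x-action-redirect": "/" + Buffer.from("uid=1000(node) gid=1000(node)\n").toString("base64") } },
];

for (const r of sampleRequests) console.log(inspectRequest(r));
for (const r of sampleResponses) console.log(inspectResponse(r));
```

Multipart bodies are deliberately not used as a signal: ordinary server-action calls are multipart too, so the content type alone discriminates nothing. The `__proto__` reference and the command-execution strings are the parts an attacker cannot easily drop, which is why they carry the weight; the placeholder action ID is cheap to change, so it only nudges the score.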