{"id":43924,"date":"2025-12-09T15:06:10","date_gmt":"2025-12-09T09:36:10","guid":{"rendered":"https:\/\/www.getastra.com\/blog\/?p=43924"},"modified":"2025-12-19T15:10:10","modified_gmt":"2025-12-19T09:40:10","slug":"cve-2025-55182","status":"publish","type":"post","link":"https:\/\/www.getastra.com\/blog\/vulnerability\/cve-2025-55182\/","title":{"rendered":"Critical React2Shell RCE Hits React and Next.js (CVE-2025-55182 \/ CVE-2025-66478)"},"content":{"rendered":"<div class=\"gb-container gb-container-e43a8917\">\n\n<p class=\"wp-block-paragraph\"><strong>Product Name:<\/strong> React Server Components, Next.js App Router<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Vulnerability:<\/strong> Remote Code Execution via Insecure Deserialization (Flight Protocol)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Vulnerable Version:<\/strong> React 19.0.0\u201319.2.0, Next.js 15.x and 16.x App Router<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>CVE: <\/strong>CVE-2025-55182 (duplicate: CVE-2025-66478)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Note: <\/strong>Applications are vulnerable even if they don\u2019t explicitly use server functions, as long as they support React Server Components.<\/p>\n\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">React2Shell is a severe remote, unauthenticated RCE vulnerability recently uncovered in React Server Components (RSC) and the Next.js App Router \u2014 tracked as <strong>CVE-2025-55182, with CVE-2025-66478 later merged as a duplicate<\/strong> \u2014 that allows attackers to execute arbitrary code on servers by exploiting insecure Flight protocol deserialization <em>(CWE-502)<\/em>, earning the flaw a maximum <strong>CVSS score of 10.0<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_was_it_Discovered_and_Why_is_there_a_Duplicate_CVE\"><\/span>How was it Discovered, and Why is there a Duplicate CVE?<span 
class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The issue was discovered by researcher Lachlan Davidson, who reported it to the React team through the Meta Bug Bounty program on November 29, 2025. During early analysis, Next.js was assigned a separate CVE because of how it \u201cvendors\u201d React internally, i.e., Next.js ships its own bundled build of React rather than consuming it as a traditional external dependency.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As a result:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Standard SCA tools may not detect the vulnerable React build bundled inside Next.js.<\/li>\n\n\n\n<li>The vulnerability initially appeared to be unique to Next.js, prompting a separate CVE (CVE-2025-66478).<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">However, once a deeper investigation confirmed that both identifiers referred to the same underlying flaw, the insecure parsing logic in React Server Components, the US National Vulnerability Database <strong><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-66478\" target=\"_blank\" rel=\"noopener\">rejected CVE-2025-66478<\/a>.<\/strong><\/p>\n\n\n<div class=\"gb-container gb-container-ae839a6d\">\n\n<p class=\"wp-block-paragraph\"><strong>Note: <\/strong>This often happens when products that integrate the same vulnerable component receive temporary CVE assignments that are consolidated once root cause analysis is complete.<\/p>\n\n<\/div>\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Who_is_Impacted\"><\/span>Who is Impacted?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The CVE-2025-55182 vulnerability affects any application that uses React Server Components, and any framework that implements the RSC Flight protocol, including applications that do not explicitly use server functions, as long as RSC is enabled.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here is a complete 
breakdown:<\/p>\n\n\n\n<div id=\"tablepress-333-scroll-wrapper\" class=\"tablepress-scroll-wrapper\">\n<table id=\"tablepress-333\" class=\"tablepress tablepress-id-333 column1-color tablepress-responsive\">\n<thead>\n<tr class=\"row-1\">\n\t<th class=\"column-1\">Component \/ Library<\/th><th class=\"column-2\">Vulnerable Versions<\/th><th class=\"column-3\">Patched Versions<\/th>\n<\/tr>\n<\/thead>\n<tbody class=\"row-striping row-hover\">\n<tr class=\"row-2\">\n\t<td class=\"column-1\">Core React RSC Packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack)<\/td><td class=\"column-2\">19.0.0, 19.1.0, 19.1.1, 19.2.0<\/td><td class=\"column-3\">19.0.1, 19.1.2, 19.2.1<\/td>\n<\/tr>\n<tr class=\"row-3\">\n\t<td class=\"column-1\">Next.js (App Router)<\/td><td class=\"column-2\">15.x, 16.x, and canary builds from 14.3.0-canary.77<\/td><td class=\"column-3\">15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7<\/td>\n<\/tr>\n<tr class=\"row-4\">\n\t<td class=\"column-1\">Other Frameworks (React Router unstable RSC APIs, Waku, RedwoodSDK, Parcel RSC plugin, Vite RSC plugin)<\/td><td class=\"column-2\">Versions using vulnerable React RSC implementations<\/td><td class=\"column-3\">Latest versions with fixed React dependency<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Not Affected<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Next.js Pages Router<\/li>\n\n\n\n<li>Next.js 13.x and stable 14.x<\/li>\n\n\n\n<li>Applications using only client-side rendering<\/li>\n\n\n\n<li>Deployments using Edge Runtime<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_Can_a_Potential_Attack_be_Executed\"><\/span>How Can a Potential Attack be Executed?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Exploitation of the React Server Components flaw (CVE-2025-55182), also known as React2Shell, follows 
a reliable sequence that abuses an unsafe deserialization flaw in the RSC Flight protocol to target React Server Function endpoints, which exist by default in Next.js App Router applications.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Crafting the Malicious HTTP Request<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The attack begins with an unauthenticated attacker sending a specially crafted <strong>multipart HTTP POST request<\/strong> to a server function endpoint.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The request includes internal headers such as <code>Next-Action: x<\/code>, which trigger deserialization. The action identifier itself does not matter because the exploit runs before the action is validated.<\/li>\n\n\n\n<li>The payload is designed to manipulate the Flight protocol\u2019s colon-delimited reference system (for example, <code>$1:path:to:prop<\/code>) to set up the prototype pollution.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2. Triggering Unsafe Deserialization<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The vulnerability arises from RSC parsing logic that resolves nested properties without verifying that each property is the object\u2019s own rather than an inherited one.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>By supplying references such as <code>$1:__proto__:<\/code>, the attacker forces the parser to walk up the prototype chain, allowing pollution of <code>Object.prototype<\/code>, so that all objects created afterwards inherit the malicious modification.<\/li>\n\n\n\n<li>The attacker replaces the internal <code>Chunk.prototype.then<\/code> method with one that evaluates arbitrary JavaScript via the Function constructor.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3. 
Achieving Remote Code Execution<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Once the server begins processing the polluted prototype method, the injected function executes within the server environment.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The attacker can run privileged Node.js code, such as <code>process.mainModule.require('child_process').execSync('COMMAND')<\/code>, which results in complete remote command execution, enabling actions like environment variable theft, credential harvesting, malware installation, or server takeover.<\/li>\n\n\n\n<li>Exploitation is confirmed to work even on a default Next.js project created using <code>create-next-app<\/code>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4. Retrieving Output via the Redirect Method<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">In production deployments, error output is often suppressed. To reliably exfiltrate results, attackers use a technique known as the <strong>Redirect method<\/strong>.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The payload triggers a crafted <code>NEXT_REDIRECT<\/code> error, embedding base64-encoded command output inside the error\u2019s <code>digest<\/code> field.<\/li>\n\n\n\n<li>Next.js converts this into an HTTP 303 response with the encoded output stored in the <code>x-action-redirect<\/code> header.<\/li>\n\n\n\n<li>The attacker simply reads this header to confirm successful execution and extract the command output.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_is_the_Impact_of_This_Vulnerability\"><\/span>What is the Impact of This Vulnerability?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Driven by the exploit\u2019s reliability, its severity, and the widespread use of technologies like React Server Components and the Next.js App Router, <strong>the impact of React2Shell is considered critical<\/strong>, as explained below:<\/p>\n\n\n\n<h3 
class=\"wp-block-heading\">Severity and Exploit Reliability<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The flaw carries the maximum <strong>CVSS score of 10.0<\/strong>, reflecting how dangerous and easily exploitable it is:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Unauthenticated Remote Code Execution:<\/strong> Attackers can run arbitrary commands on the server without credentials or prior access.<\/li>\n\n\n\n<li><strong>Works on Default Setups:<\/strong> Even a freshly generated <code>create-next-app<\/code> project is immediately exploitable with no developer modifications.<\/li>\n\n\n\n<li><strong>Predictable Success:<\/strong> Because the vulnerability stems from deterministic deserialization logic, exploitation has shown <strong>near-100 percent reliability<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Consequences of Successful Exploitation<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Once exploited, the vulnerability enables complete server compromise:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Credential Theft:<\/strong> Attackers can extract environment variables, cloud credentials (such as AWS keys), and other sensitive configuration files.<\/li>\n\n\n\n<li><strong>Malware Deployment:<\/strong> Security teams have observed automated installation of cryptocurrency miners like XMRig following successful RCE.<\/li>\n\n\n\n<li><strong>System-Level Access:<\/strong> Reconnaissance commands such as <code>whoami<\/code> and <code>id<\/code>, and file access (e.g., to <code>\/etc\/passwd<\/code>), have been seen in active attacks, including container and Kubernetes cluster compromise.<\/li>\n\n\n\n<li><strong>Lateral Movement:<\/strong> With full Node.js execution, attackers can pivot deeper into connected networks and cloud environments.<\/li>\n<\/ul>\n\n\n<div class=\"gb-container gb-container-72c615f6\">\n\n<p class=\"wp-block-paragraph\"><strong>Note: <\/strong>The flaw was rapidly weaponized, added to the KEV catalog on December 5, 2025, and targeted 
within hours by China-linked groups such as Earth Lamia and Jackpot Panda.<\/p>\n\n<\/div>\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Astra_Securitys_Vulnerability_Scanner_is_Actively_Detecting_React2Shell_the_Critical_React_and_Nextjs_RCE_Vulnerability\"><\/span><a href=\"https:\/\/www.getastra.com\/services\/vulnerability-scanning-services\">Astra Security\u2019s Vulnerability Scanner<\/a> is Actively Detecting React2Shell, the Critical React and Next.js RCE Vulnerability<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"792\" src=\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2025\/12\/3422ed17-image.png\" alt=\"\" class=\"wp-image-43926\" srcset=\"\/cdn-cgi\/image\/quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2025\/12\/3422ed17-image.png 1600w, \/cdn-cgi\/image\/width=1536,height=760,fit=crop,quality=80,format=auto,onerror=redirect,metadata=none\/https:\/\/cdn-blog.getastra.com\/2025\/12\/3422ed17-image.png 1536w\" sizes=\"auto, (max-width: 1600px) 100vw, 1600px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Astra Security\u2019s research team continuously monitors emerging threats like React2Shell, enabling rapid development of detection logic tailored to real-world exploit behavior. 
Our scanner now actively identifies vulnerable React Server Component implementations, unsafe Flight protocol endpoints, and known exploit signatures used in React and Next.js RCE attacks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_Can_You_Do\"><\/span>What Can You Do?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The only reliable way to protect against React2Shell (CVE-2025-55182 \/ CVE-2025-66478) is to immediately upgrade all affected React and Next.js components, since no configuration workaround can fix the underlying deserialization flaw.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Next.js users should update to the patched versions of their major release lines, downgrade vulnerable canary releases, and upgrade React\u2019s RSC packages.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">While patching is mandatory, you should also deploy updated WAF rules to block malicious multipart RSC payloads, scan your environments for CVE-2025-55182, and review logs for indicators of exploitation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you suspect you may have been compromised, isolate affected servers, rotate secrets, and perform a full incident response investigation.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Product Name: React Server Components, Next.js App Router Vulnerability: Remote Code Execution via Insecure Deserialization (Flight Protocol) Vulnerable Version: React 19.0.0\u201319.2.0, Next.js 15.x and 16.x App Router CVE: CVE-2025-55182 (duplicate: CVE-2025-66478) Note: Applications are vulnerable even if they don\u2019t explicitly use server functions, as long as they support React Server Components React2Shell is a &#8230; <a title=\"Critical React2Shell RCE Hits React and Next.js (CVE-2025-55182 \/ CVE-2025-66478)\" class=\"read-more\" href=\"https:\/\/www.getastra.com\/blog\/vulnerability\/cve-2025-55182\/\" aria-label=\"Read more about 
Critical React2Shell RCE Hits React and Next.js (CVE-2025-55182 \/ CVE-2025-66478)\">Read more<\/a><\/p>\n","protected":false},"author":111,"featured_media":43931,"comment_status":"open","ping_status":"0","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[723],"tags":[],"class_list":["post-43924","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/43924","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/users\/111"}],"replies":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/comments?post=43924"}],"version-history":[{"count":3,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/43924\/revisions"}],"predecessor-version":[{"id":44193,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/43924\/revisions\/44193"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/media\/43931"}],"wp:attachment":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/media?parent=43924"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/categories?post=43924"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/tags?post=43924"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}