HUMMINGBYTE
CVE-2025-55182: Understanding and Mitigating the Critical React2Shell Vulnerability

Published 6th December

On December 3, 2025, a critical Remote Code Execution (RCE) vulnerability was disclosed in the React ecosystem, sending shockwaves through the web development community. This vulnerability, tracked as CVE-2025-55182 and nicknamed "React2Shell," has been assigned the maximum severity rating of CVSS 10.0 and affects React Server Components (RSC) across the React 19 ecosystem.

What is CVE-2025-55182?

CVE-2025-55182 represents a logic flaw within the "Flight" protocol, the mechanism React uses to communicate between the server and client components. This vulnerability stems from unsafe deserialization practices in how React Server Components process incoming data.

Technical Background: The Flight Protocol

React Server Components use a specialized protocol called "Flight" to serialize and deserialize data exchanged between client and server. The Flight protocol enables React to transmit complex JavaScript objects, functions, and component state across the network boundary.

During normal operation, the server receives "chunks" of serialized data from clients. These chunks can reference each other and contain complex nested structures. The vulnerability arises because the server fails to validate the structure correctly when receiving specially crafted payloads.

The Root Cause: Unsafe Deserialization

The vulnerability is characterized as a logical deserialization vulnerability where the server processes RSC payloads in an unsafe manner. The core issue lies in how React's code handles property access during deserialization.

In JavaScript, accessing an object property with bracket notation (obj[key]) does not only look at the object's own properties: the lookup walks the entire prototype chain. The vulnerable versions of React did not verify that a requested key was actually an own property of the object being accessed, so a crafted key could reach members of the object's prototype.

This prototype pollution primitive can be chained with other execution gadgets in the Flight protocol implementation to achieve remote code execution. Specifically, attackers can manipulate the deserialization process to control the _response object and inject malicious code through blob deserialization handlers.
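The following is an added illustration, not React's own code: a deliberately simplified model of a chunk table keyed by chunk id, showing how an unchecked bracket lookup reaches prototype members and how an own-property check (or a prototype-less table) closes that path. The table contents and function names are constructed for the example.

```javascript
// Added example (not React's code): simplified model of the lookup flaw described above.
// A Flight-style decoder keeps received chunks in a plain object keyed by chunk id and
// resolves references by looking the id up. With bracket access, an id that is not an own
// property still resolves through the prototype chain ("constructor", "__proto__", ...).
function makeChunkTable() {
  return { '0': { value: 'hello' }, '1': { value: 'world' } };  // constructed sample chunks
}

// Vulnerable lookup: no own-property check, so inherited members are reachable by id.
function resolveRefUnsafe(chunks, id) {
  return chunks[id];
}

// Hardened lookup: accept only ids that are own properties of the table.
function resolveRefSafe(chunks, id) {
  if (!Object.prototype.hasOwnProperty.call(chunks, id)) {
    throw new TypeError(`Unknown chunk reference: ${JSON.stringify(id)}`);
  }
  return chunks[id];
}

// Alternative hardening: a prototype-less table (or a Map) has no inherited keys at all.
function makeChunkTableNoProto() {
  const t = Object.create(null);
  t['0'] = { value: 'hello' };
  return t;
}

// Returns what each lookup strategy yields for a given id, so the three can be compared.
function compareLookups(id) {
  const chunks = makeChunkTable();
  let safeResult;
  try { safeResult = resolveRefSafe(chunks, id); } catch (e) { safeResult = e.name; }
  return {
    unsafe: typeof resolveRefUnsafe(chunks, id),   // 'function' for id 'constructor'
    safe: safeResult,                               // 'TypeError' for any non-own id
    noProto: typeof makeChunkTableNoProto()[id],    // 'undefined' for any non-own id
  };
}
```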

How the Exploit Works

The exploitation chain follows these steps:

  1. Crafted Payload Creation: An attacker creates a specially formatted HTTP POST request containing malicious Flight protocol chunks

  2. Prototype Pollution: The malicious chunks exploit the unsafe property access to pollute object prototypes

  3. Gadget Chain Activation: The attacker leverages internal React objects (particularly the _response field) to control execution flow

  4. Code Execution: Through blob deserialization (using the $B prefix in the Flight protocol), the attacker triggers the JavaScript Function constructor with arbitrary code

  5. Promise Resolution: The crafted function is returned as a .then() method and gets called during promise resolution, executing the attacker's code

What makes this particularly severe is that exploitation can occur in apps that support React Server Components, even if the React Server Function endpoints are not in use.

Affected Versions and Products

React Core Packages

The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of the following React packages:

  • react-server-dom-webpack

  • react-server-dom-parcel

  • react-server-dom-turbopack

Downstream Frameworks

Multiple popular frameworks that embed these React packages are also affected:

  • Next.js: Versions 16.0.0-canary.0 through 16.0.6, and multiple 15.x branches

  • React Router: When using React Server Components mode

  • Waku: Framework implementations using RSC

  • Expo: Applications with RSC support

  • Redwood SDK: Affected versions

  • Vite RSC Plugin (@vitejs/plugin-rsc)

  • Parcel RSC Plugin (@parcel/rsc)

Is Your Application Vulnerable?

Your application is vulnerable if it meets these criteria:

  1. Uses React 19: Your application runs any of the affected React 19 versions

  2. Implements React Server Components: Even if you don't explicitly use Server Functions, having RSC support makes you vulnerable

  3. Exposes Server Endpoints: Any publicly accessible endpoint that processes Flight protocol requests

You can check your application's dependencies by running:

npm audit

Look for output mentioning next or the React packages listed above with severity "critical" and references to CVE-2025-55182.
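As an added example (not part of the original post), the script below walks the "packages" map of an npm lockfile (lockfile v2/v3) and flags the package versions listed in this article. The sample lockfile is constructed; "19.0" is treated as 19.0.0, and Next.js 15.x entries are marked for manual review because the article does not enumerate the affected 15.x versions.

```javascript
// Added example, not from the original post: lockfile check for the versions named above.
const AFFECTED_REACT = new Set(['19.0.0', '19.1.0', '19.1.1', '19.2.0']);   // "19.0" read as 19.0.0
const RSC_PACKAGES = ['react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack'];

// Parse "16.0.6" or "16.0.0-canary.0" into its numeric parts and optional prerelease tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// Article: 16.0.0-canary.0 through 16.0.6 affected; "multiple 15.x branches" affected.
function nextStatus(v) {
  const p = parseVersion(v);
  if (!p) return 'unparsable';
  if (p.major === 16 && p.minor === 0 && p.patch <= 6) return 'affected';  // canaries of 16.0.0 included
  if (p.major === 15) return 'review';   // check the Next.js advisory for your 15.x line
  return 'ok';
}

// Returns [{ name, version, status }] for every flagged entry in a parsed lockfile object.
function findAffected(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf('node_modules/');
    if (i < 0) continue;                  // "" is the root project; workspace paths are skipped
    const name = path.slice(i + 'node_modules/'.length);   // keeps scoped names intact
    if (RSC_PACKAGES.includes(name) && AFFECTED_REACT.has(meta.version)) {
      findings.push({ name, version: meta.version, status: 'affected' });
    } else if (name === 'next') {
      const status = nextStatus(meta.version);
      if (status !== 'ok') findings.push({ name, version: meta.version, status });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment for demonstration.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/next': { version: '16.0.0-canary.3' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/react-server-dom-turbopack': { version: '19.2.1' },
  },
};
```

To run it over a real project, call findAffected(JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))) and treat any 'affected' or 'review' result as a reason to follow the upgrade steps below.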

Active Exploitation in the Wild

The threat landscape evolved rapidly following disclosure:

  • The first functional proof-of-concept was published on December 5, 2025

  • Amazon confirmed active exploitation by China-nexus threat groups including "Earth Lamia" and "Jackpot Panda"

  • Multiple security vendors reported seeing opportunistic scanning and exploitation attempts

  • Exploitation attempts increased by 2,775% within 24 hours of the PoC release

The attacks are characterized by:

  • PowerShell-based payloads for proof-of-execution probes

  • AMSI bypass techniques using reflection

  • Download-and-execute stagers for secondary payloads

  • Integration into existing botnet exploitation toolkits

How to Fix CVE-2025-55182

Immediate Action: Update to Patched Versions

The fix was introduced in versions 19.0.1, 19.1.2, and 19.2.1 of the affected React packages. You must upgrade immediately.

For React Applications

Update your React packages to the latest patched versions:

npm install react@19.2.1 react-dom@19.2.1
npm install react-server-dom-webpack@19.2.1
# Or for other bundlers:
# npm install react-server-dom-parcel@19.2.1
# npm install react-server-dom-turbopack@19.2.1

Verify the update:

npm list react react-dom

For Next.js Applications

Upgrade to the latest stable patched versions:

# For Next.js 16.x
npm install next@<patched-16.x-version>
# For Next.js 15.x (choose the patched release for your 15.x branch, as listed in the Next.js advisory)
npm install next@<patched-15.x-version>

After updating, rebuild your application:

npm run build

For Other Affected Frameworks

Consult your framework's security advisories:

  • React Router: Update to the latest version with RSC fixes

  • Waku: Check the project's GitHub for security updates

  • Expo: Follow Expo's security guidance for RSC implementations

Deploy Updates to Production

This vulnerability requires emergency patching outside normal update cycles:

  1. Test the updates in a staging environment first

  2. Deploy immediately to all production environments

  3. Verify the patched versions are running

  4. Monitor for any exploitation attempts in your logs

Additional Mitigation Strategies

While patching is the primary defense, consider these complementary measures:

1. Web Application Firewall (WAF) Rules

Several security vendors have released WAF rules to detect and block exploitation attempts:

  • Google Cloud Armor: Provides detection rules for CVE-2025-55182

  • Akamai: Deployed Adaptive Security Engine Rapid Rule 3000976

  • Fastly NGWAF: Offers virtual patching and detection capabilities

These provide breathing room while you patch but should not replace actual updates.

2. Network Segmentation

Limit exposure of affected applications:

  • Place RSC endpoints behind authentication layers where possible

  • Implement network segmentation to isolate vulnerable services

  • Use API gateways to filter malicious requests

3. Runtime Monitoring

Deploy runtime security tools to detect exploitation:

  • Monitor for unexpected child process spawning

  • Watch for suspicious command execution patterns

  • Alert on PowerShell execution with AMSI bypass signatures

  • Track unusual network connections from web application processes

4. Audit and Inventory

Maintain a comprehensive inventory of:

  • All applications using React 19

  • Frameworks that depend on React Server Components

  • Deployment locations for each affected application

Detection and Indicators of Compromise

Watch for these indicators of potential exploitation:

Request Patterns

  • POST requests to RSC endpoints with suspicious $ACTION_REF_0 or $ACTION_0:0 parameters

  • Unusual Flight protocol payloads in request bodies

  • Requests with Next-Action headers pointing to non-existent actions

System Behavior

  • Unexpected PowerShell process launches from Node.js processes

  • File creation in /tmp or other temporary directories

  • Outbound connections to unknown IP addresses

  • Encoded PowerShell commands (-enc parameter usage)

  • AMSI bypass attempts in logs

Log Analysis

Examine your application and web server logs for:

POST /path/to/server-action
Content-Type: multipart/form-data
[Suspicious Flight protocol chunks]
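As an added example (not from the original post), the check below applies the request-pattern indicators above to application-level request records. The record shape (method, path, headers, body) and the KNOWN_ACTIONS allowlist are assumptions; in practice the allowlist holds the Server Action ids your build actually exports, and the sample records are constructed.

```javascript
// Added example, not from the original post: request-record triage against the indicators above.
const KNOWN_ACTIONS = new Set(['a1b2c3d4e5f60718293a4b5c6d7e8f9012345678']);  // constructed id

function classifyRequest(rec, knownActions = KNOWN_ACTIONS) {
  const hits = [];
  if (rec.method !== 'POST') return hits;              // the listed indicators are POST-based
  const headers = {};
  for (const [k, v] of Object.entries(rec.headers || {})) headers[k.toLowerCase()] = v;
  const body = rec.body || '';

  // Strong signal: a Next-Action header naming an action id this build never exported.
  if ('next-action' in headers && !knownActions.has(headers['next-action'])) {
    hits.push({ severity: 'high', reason: 'Next-Action id not exported by this build' });
  }
  // Supporting signal: action-reference parameters in the body. They belong to React's
  // form-action encoding, so corroborate with the allowlist miss rather than alerting alone.
  if (/\$ACTION_REF_\d+/.test(body) || /\$ACTION_\d+:\d+/.test(body)) {
    hits.push({ severity: 'medium', reason: '$ACTION_REF_n / $ACTION_n:m parameters in body' });
  }
  // Supporting signal: multipart body carrying Flight chunks alongside the hits above.
  const ctype = headers['content-type'] || '';
  if (ctype.startsWith('multipart/form-data') && hits.length) {
    hits.push({ severity: 'low', reason: 'multipart/form-data body accompanying the above' });
  }
  return hits;
}

// Constructed sample records; a real source would be an app-level request log or middleware.
const SAMPLE_LOG = [
  { method: 'GET', path: '/', headers: {}, body: '' },
  { method: 'POST', path: '/', headers: { 'Next-Action': 'a1b2c3d4e5f60718293a4b5c6d7e8f9012345678', 'Content-Type': 'multipart/form-data; boundary=b' },
    body: '--b\r\nContent-Disposition: form-data; name="0"\r\n\r\n["hello"]\r\n--b--' },
  { method: 'POST', path: '/', headers: { 'next-action': 'ffffffffffffffffffffffffffffffffffffffff', 'content-type': 'multipart/form-data; boundary=b' },
    body: '--b\r\n...$ACTION_REF_0...$ACTION_0:0...\r\n--b--' },
];

// Returns only the records with at least one hit, tagged with their highest severity.
function scanLog(records) {
  const rank = { high: 3, medium: 2, low: 1 };
  return records
    .map((r, i) => ({ index: i, hits: classifyRequest(r) }))
    .filter(r => r.hits.length)
    .map(r => ({ ...r, severity: r.hits.reduce((m, h) => (rank[h.severity] > rank[m] ? h.severity : m), 'low') }));
}
```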

Long-Term Security Recommendations

Beyond immediate patching, organizations should:

  1. Establish Emergency Patching Procedures: Have processes in place for rapid deployment of critical security updates
  2. Subscribe to Security Advisories: Monitor React and Next.js security channels for future disclosures
  3. Implement Security Testing: Include deserialization vulnerability testing in your security assessment processes
  4. Review RSC Usage: Evaluate whether all your RSC implementations are necessary and properly secured
  5. Adopt Security Scanning Tools: Use tools that can automatically detect vulnerable dependencies

Lessons from React2Shell

This vulnerability underscores several important security principles:

Deserialization is Dangerous

Unsafe deserialization continues to be a critical vulnerability class. Any system that deserializes untrusted data must implement rigorous validation.

Default Configurations Matter

The fact that standard, out-of-the-box configurations were vulnerable amplifies the impact. Secure-by-default should be the standard for all frameworks.

Ecosystem Vulnerabilities Cascade

A vulnerability in a core library like React affects countless downstream frameworks and applications, creating widespread exposure.

Rapid Exploitation is the New Normal

With threat actors exploiting vulnerabilities within hours of disclosure, traditional patch cycles are too slow for critical vulnerabilities.

Conclusion

CVE-2025-55182 represents one of the most critical vulnerabilities to affect the React ecosystem. With a CVSS score of 10.0, active exploitation in the wild, and near-universal impact across React Server Component implementations, this vulnerability demands immediate attention.

The window for safe mitigation is rapidly closing. Organizations must:

  1. Immediately inventory all React 19 and Next.js deployments

  2. Patch urgently to versions 19.0.1, 19.1.2, 19.2.1 or later

  3. Deploy WAF rules as temporary protection

  4. Monitor actively for exploitation attempts

  5. Verify protection through security scanning

The React team responded quickly with patches, and the security community has provided comprehensive detection and mitigation guidance. However, the responsibility now falls on development and operations teams to deploy these fixes before attackers can leverage this vulnerability for malicious purposes.

Don't wait, patch now, verify your protection, and stay vigilant. The React2Shell vulnerability is a stark reminder that in modern web security, speed matters.
