React2Shell, Critical RCE in React Server Components
If you’re running React Server Components, you need to know about this one.
On December 3rd, 2025, the React team disclosed CVE-2025-55182, a critical remote code execution vulnerability in React Server Components. They gave it a CVSS score of 10.0, the maximum severity rating. The security community quickly nicknamed it “React2Shell,” a reference to the infamous Log4Shell vulnerability that kept security teams up at night back in 2021.
The vulnerability was discovered by security researcher Lachlan Davidson, who reported it to Meta on November 29th. Within just four days, the React team had developed patches and coordinated with major cloud providers to deploy temporary mitigations. That’s an impressive response time, but it wasn’t fast enough to prevent exploitation.
Here’s what makes this different: this one was exploited in the wild within 48 hours of disclosure. Chinese state-affiliated threat groups were already scanning for vulnerable systems by December 4th. By December 5th, we saw confirmed compromises with cryptocurrency miners being deployed.
What’s the actual vulnerability?
The issue is in how React’s “Flight” protocol (used for server components) deserializes incoming data. Basically, when your React app receives a request for a server component, it needs to reconstruct JavaScript objects from the serialized payload. The problem? React wasn’t properly validating what properties those objects could have.
An attacker can craft a malicious payload that tricks React into accessing constructor.constructor, which is basically a backdoor to JavaScript’s Function constructor. Once they have that, they can inject and execute arbitrary code on your server. No authentication needed. No user interaction required. Just send a POST request to any React Server Component endpoint and you’re in.
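To make the property-validation point concrete, here is an added illustration (not React's Flight code and not the actual fix) of a deserializer helper that decodes payloads into null-prototype objects and only follows own data properties, so a reference can never climb the prototype chain; the payload shape, reference format and function names are assumptions for this example.

```javascript
// Added illustration of the bug class, not React's Flight code: a deserializer
// that walks dotted references must restrict which properties a reference may
// reach, so nothing in a payload can climb to Function via constructor.constructor.
const FORBIDDEN_SEGMENTS = new Set(['constructor', '__proto__', 'prototype']);

// Parse JSON into null-prototype objects so inherited names such as
// "constructor" or "toString" do not exist on the decoded data at all.
function decodePayload(text) {
  return JSON.parse(text, (_key, value) =>
    value !== null && typeof value === 'object' && !Array.isArray(value)
      ? Object.assign(Object.create(null), value)
      : value);
}

// Resolve a reference such as "user.profile.name" against a decoded payload.
// Throws on any segment that is not an own, non-callable data property, so
// the prototype chain is never consulted and callables are never returned.
function resolveReference(root, ref) {
  let node = root;
  for (const seg of ref.split('.')) {
    if (FORBIDDEN_SEGMENTS.has(seg)) throw new TypeError(`forbidden segment: ${seg}`);
    if (node === null || typeof node !== 'object' ||
        !Object.prototype.hasOwnProperty.call(node, seg)) {
      throw new TypeError(`unknown property: ${seg}`);
    }
    const desc = Object.getOwnPropertyDescriptor(node, seg);
    if (typeof desc.value === 'function' || desc.get || desc.set) {
      throw new TypeError(`non-data property: ${seg}`);
    }
    node = desc.value;
  }
  return node;
}

// Helper for the checks below: true when the resolver rejects the reference.
function isRejected(root, ref) {
  try { resolveReference(root, ref); return false; } catch (_) { return true; }
}

// Constructed sample payload (not a real Flight message).
const SAMPLE = decodePayload('{"user":{"profile":{"name":"ada"},"tags":["x","y"]}}');
```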
The exploit reliability is near 100%. This isn’t a memory corruption bug that might crash the process; it’s a logic flaw that consistently gives attackers code execution.
Who’s affected?
If you’re using React 19.x with Server Components, you’re vulnerable. That includes:
- Next.js 15.x (before 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7)
- Next.js 16.x (before 16.0.7)
- React Router, Waku, RedwoodJS, or any framework using React Server Components
Here’s the kicker: even if you didn’t explicitly write any server functions, you’re still vulnerable if you’re using the App Router in Next.js. The default setup includes RSC endpoints that attackers can target.
If you’re still on Next.js 13 or 14 stable with the Pages Router, you’re safe. Client-side only React apps are also fine. This is specifically a server component issue.
What happened after disclosure?
The timeline is honestly impressive, in the worst way:
December 3rd: Patches released, vulnerability disclosed.
December 4th: First working exploit published. AWS reports that Chinese APT groups (Earth Lamia, Jackpot Panda) are already scanning and attempting exploitation.
December 5th: Widespread attacks confirmed. Wiz Research observes the first successful compromises. GreyNoise sees a surge in exploit attempts. CISA adds it to the Known Exploited Vulnerabilities catalog.
December 6th-10th: Post-exploitation activity everywhere. Attackers are deploying:
- Cryptocurrency miners (XMRig)
- Web shells disguised as “React file managers”
- Botnet malware (Mirai variants)
- RATs and backdoors
The attackers aren’t subtle either. They’re harvesting environment variables (AWS keys, API tokens), running system reconnaissance, and then fetching second-stage payloads. In some cases, they’re selling access to compromised servers on initial access broker forums.
What should you do right now?
Update immediately. That’s it. That’s the fix.
For React apps:
npm install react@19.2.1 react-dom@19.2.1
For Next.js apps:
npm install next@16.0.7
# or whatever the latest patched version is for your minor version
The patched versions (React 19.0.1, 19.1.2, 19.2.1 and corresponding Next.js releases) include stricter validation in the deserialization logic. That’s the only complete fix.
Don’t rely on WAFs alone. Yes, Vercel, AWS, and Cloudflare all deployed WAF rules. But those are temporary mitigations. Attackers will find ways around them. You need to patch the underlying code.
If you suspect you’re compromised
Look for these indicators:
- Unusual child processes spawned by your Node.js app
- High CPU usage (cryptocurrency mining)
- New files in your application directories (web shells)
- Outbound connections to unknown IPs
- Unusual access to environment variables or secrets
If you find anything suspicious, isolate the system immediately, preserve logs, and rotate all credentials and API keys. Check your cloud billing too; cryptominers love to run up compute costs.
For those building detection rules, look for POST requests to RSC endpoints (often /__rsc or similar paths) with suspicious patterns in the request body, specifically bodies containing “constructor.constructor” or unusual object structures with thenable properties. Most SIEM and WAF solutions can be configured to alert on these patterns.
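As an added example that is not from any vendor's detection rules, the following JavaScript applies those two indicators to newline-delimited JSON access-log records; the log field names, the RSC path pattern and the sample records are assumptions constructed for the illustration.

```javascript
// Added example, not vendor or React code. Log field names, the RSC path
// pattern and the sample records are constructed assumptions; adapt to your schema.
const RSC_PATH_RE = /(\/__rsc(\/|\?|$)|[?&]_rsc=)/i;  // assumption: framework-dependent
// Indicator 1: the constructor.constructor chain appearing in the body.
const CONSTRUCTOR_CHAIN_RE = /constructor\s*\.\s*constructor/i;

// Indicator 2: a "thenable" shape, i.e. an object with a "then" key at any
// depth of the decoded body.
function hasThenableKey(value, depth = 0) {
  if (value === null || typeof value !== 'object' || depth > 32) return false;
  if (!Array.isArray(value) && Object.prototype.hasOwnProperty.call(value, 'then')) return true;
  return Object.values(value).some((v) => hasThenableKey(v, depth + 1));
}

// Classify one record {method, path, body}; returns the matched reasons
// (empty array = nothing suspicious, or not an RSC POST at all).
function classifyRequest(rec) {
  const reasons = [];
  if (rec.method !== 'POST' || !RSC_PATH_RE.test(rec.path || '')) return reasons;
  const body = rec.body || '';
  if (CONSTRUCTOR_CHAIN_RE.test(body)) reasons.push('constructor.constructor in body');
  let decoded;
  try { decoded = JSON.parse(body); } catch (_) { decoded = undefined; }  // non-JSON bodies
  if (decoded !== undefined && hasThenableKey(decoded)) reasons.push('thenable object in body');
  return reasons;
}

// Scan NDJSON text; returns [{path, reasons}] for every suspicious record.
function scanLog(text) {
  const hits = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch (_) { continue; }  // skip malformed lines
    const reasons = classifyRequest(rec);
    if (reasons.length > 0) hits.push({ path: rec.path, reasons });
  }
  return hits;
}

// Constructed sample log (not captured traffic): a benign RSC GET, a benign
// POST to another route, and two POSTs that match the indicators.
const SAMPLE_LOG = [
  '{"method":"GET","path":"/dashboard?_rsc=1a2b","body":""}',
  '{"method":"POST","path":"/api/login","body":"{\\"user\\":\\"ada\\"}"}',
  '{"method":"POST","path":"/__rsc","body":"{\\"then\\":{\\"x\\":1}}"}',
  '{"method":"POST","path":"/__rsc","body":"... constructor.constructor ..."}',
].join('\n');
```

Pipe the output into your SIEM as an enrichment rather than a blocking rule: legitimate Flight traffic is also POSTed to these paths, so the body indicators are what separate the hits from normal use.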
The bigger picture
What makes React2Shell particularly nasty is the combination of factors:
- Wide reach: React is used by about 40% of developers, Next.js by 20%
- Default vulnerability: No special configuration needed to be exploitable
- High reliability: The exploit works almost every time
- Rapid exploitation: Threat actors moved from disclosure to active attacks in under 48 hours
This is what modern vulnerability disclosure looks like when you’re dealing with a ubiquitous framework. The window between “patch available” and “mass exploitation” is measured in hours, not days or weeks.
For security leaders, this is a reminder that your patch cadence needs to match the threat actor cadence. Waiting for your monthly maintenance window isn’t fast enough anymore. Critical vulnerabilities in widely used frameworks need same-day response.
Where we are today
The good news: the patched versions have been out for over a week now. If you updated to Next.js 16.0.7 or React 19.2.1, you’re protected.
The bad news: there are still vulnerable instances running in production. Attackers know this, which is why scanning and exploitation attempts continue.
If you’re responsible for React/Next.js applications, take 10 minutes today to verify your versions. Check your package.json, run your dependency audit, scan your container images. Make sure you’re not running any of the vulnerable versions.
And if you haven’t already, set up automated alerts for security advisories from React and Next.js. GitHub Security Advisories, Dependabot, and Renovate can all help with this. The next critical vulnerability will come eventually, and you want to know about it immediately, not when your security vendor sends you a bulletin three days later.
References and further reading
If you want to dive deeper into the technical details, search for these resources (all published in early December 2025):
- React Security Advisory for CVE-2025-55182 (official Meta/React advisory with patch information)
- react2shell.com (Lachlan Davidson’s site with proof-of-concept and technical breakdown)
- Wiz Research blog on React2Shell (comprehensive analysis of exploitation in the wild)
- Palo Alto Unit 42 report on CVE-2025-55182 (detailed post-exploitation behavior and threat actor TTPs)
- AWS Security Blog coverage (APT activity and rapid exploitation by nation-state actors)
- CISA Known Exploited Vulnerabilities catalog entry
The CVE is tracked as CVE-2025-55182 with CWE-502 (Deserialization of Untrusted Data). The specific vulnerable packages are react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0.
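As an added example (not tooling from React, Next.js or the advisory), this script audits a package-lock.json against the vulnerable react-server-dom-* versions above and the first patched Next.js release for each affected minor line from the “Who’s affected?” section; it assumes the lockfileVersion 2/3 “packages” map layout, and the sample lockfile is constructed.

```javascript
// Added example (not React/Next.js tooling): audit the "packages" map of a
// lockfileVersion 2/3 package-lock.json for the versions named in this post.
const RSC_PACKAGES = ['react-server-dom-webpack', 'react-server-dom-parcel',
                      'react-server-dom-turbopack'];
const VULN_RSC_VERSIONS = new Set(['19.0.0', '19.1.0', '19.1.1', '19.2.0']);
// First patched Next.js release for each affected minor line (from the list above).
const NEXT_FIXED = { '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6', '15.3': '15.3.6',
                     '15.4': '15.4.8', '15.5': '15.5.7', '16.0': '16.0.7' };

// Numeric compare of "major.minor.patch"; prerelease suffixes are ignored.
function cmpVersion(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk every installed package (nested node_modules included) and return
// findings as strings; an empty array means nothing was flagged.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (!info || !info.version) continue;
    const name = path.split('node_modules/').pop();  // last segment = package name
    if (RSC_PACKAGES.includes(name) && VULN_RSC_VERSIONS.has(info.version)) {
      findings.push(`${path}: ${name}@${info.version} is vulnerable (CVE-2025-55182)`);
    } else if (name === 'next') {
      const fixed = NEXT_FIXED[info.version.split('.').slice(0, 2).join('.')];
      if (fixed && cmpVersion(info.version, fixed) < 0) {
        findings.push(`${path}: next@${info.version} is below patched ${fixed}`);
      }
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project); the nested turbopack
// entry is already patched and must not be flagged.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/next': { version: '15.2.3' },
  'node_modules/react-server-dom-webpack': { version: '19.2.0' },
  'node_modules/lib/node_modules/react-server-dom-turbopack': { version: '19.2.1' },
} };
```

Run it against the lockfile baked into each container image as well as the repository copy, since an image built before the patch can still carry the old versions.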
Bottom line: If you’re running React Server Components in production, verify you’re on patched versions today. The vulnerability is being actively exploited, and the attackers aren’t slowing down.
Stay safe out there.