✉️info@mh-service.de | 📞+49 (7275) 9692381
Contact EN DE
Critical RCE · New CVEs · Active multi-actor exploitation

React2Shell – critical RCE vulnerability in React Server Components & Next.js

React2Shell (CVE-2025-55182) is a pre-auth remote code execution vulnerability in the Flight protocol used by React Server Components. A second wave of related issues (CVE-2025-55183, CVE-2025-55184 and CVE-2025-67779) shows that the initial patch set was incomplete – with additional information disclosure and denial-of-service risks and rapidly evolving in-the-wild exploitation.

Last updated: 15 December 2025 – includes follow-on CVEs, incomplete patch details and observed attack campaigns.

Call 24/7 Hotline Request Incident Response Support
10+ years incident response & DFIR EU-based digital forensics & IR team React / Next.js / modern web stacks
CVE
CVE-2025-55182
CVE-2025-55183
CVE-2025-55184
CVE-2025-67779
Rating
CVE-2025-55182: CVSS 10.0 (critical)
Follow-on CVEs: info disclosure / DoS
Attack type
Pre-auth RCE via unsafe deserialization (Flight protocol)
+ follow-on info disclosure & denial-of-service issues
Status
Broad multi-actor exploitation (espionage & crimeware), initial patch wave incomplete; second wave React fixes released (target RSC 19.2.3)
(status around 15 Dec 2025)

Executive summary

What is React2Shell?

React2Shell is a vulnerability in how React Server Components accept and process data from the client. Attackers can send specially crafted Flight payloads that cause the server to misinterpret internal structures – up to and including execution of attacker-controlled code.

Who is affected?

Any application that uses React Server Components in vulnerable versions – either directly or indirectly via frameworks such as Next.js (App Router), React Router with RSC, Waku, RSC plugins for Parcel/Vite, or Redwood/Expo. Classic “client-only” React SPAs without RSC are not affected by this specific bug.

Why is it critical?

The vulnerability is remotely exploitable without authentication, has a CVSS score of 10.0, and affects a widely used technology ecosystem. Security vendors report active scanning and exploit attempts, including activity linked to state-sponsored groups and opportunistic cryptomining.

What changed after the first patches?

Follow-on research identified additional issues (CVE-2025-55183, CVE-2025-55184 and CVE-2025-67779) and showed that earlier guidance (e.g. stopping at 19.2.1 or 19.2.2) was incomplete. Defenders now need to consider information disclosure and DoS, and in practice should treat React RSC 19.2.3 as the current baseline.

Timeline (simplified)

  1. Late November 2025

    Responsible disclosure

    Researcher Lachlan Davidson reports a critical vulnerability in the Flight protocol of React Server Components to the React/Meta team.

  2. 3 December 2025

    Public advisories & initial patches

    React publishes an advisory for CVE-2025-55182; Next.js publishes its own advisory (CVE-2025-66478, later marked as a duplicate). Patched versions of the RSC packages and Next.js are released, focusing on the main RCE.

  3. Shortly after disclosure

    Proof-of-concepts & scanning

    Initial (partly broken) PoCs appear publicly. Security vendors observe automated internet-wide scans for vulnerable Next.js/RSC applications, mixed with fake or non-functional exploit code.

  4. Following days

    First wave of in-the-wild exploitation

    Threat intelligence feeds report exploitation “in the wild”, including attempts by APT groups and opportunistic attacks such as cryptomining and backdoors.

  5. 12 December 2025

    Multiple threat actors & complex campaigns

    Security telemetry shows China-nexus clusters (e.g. deploying the MINOCAT tunneler, SNOWLIGHT downloader, COMPOOD and HISONIC backdoors and ANGRYREBEL.LINUX) as well as financially motivated actors using XMRig cryptominers via small shell scripts. Activity targets cloud workloads (AWS, Alibaba) and generic VPS infrastructure.

  6. Mid December 2025

    Additional React CVEs & incomplete DoS patch

    Further analysis uncovers CVE-2025-55183 (information disclosure) and CVE-2025-55184 plus CVE-2025-67779 (DoS). One of the intermediate fixes (19.2.2) for the DoS issue is found to be insufficient, leading to a recommendation to move to React RSC 19.2.3 as the effective baseline.

Affected components & versions

React Server Components (RSC)

The core vulnerabilities reside in the React server libraries that implement the Flight protocol:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

RCE – CVE-2025-55182

Explicitly vulnerable versions:

  • 19.0.0
  • 19.1.0
  • 19.1.1
  • 19.2.0

RCE fixed in at least:

  • ≥ 19.0.1
  • ≥ 19.1.2
  • ≥ 19.2.1

Follow-on issues

  • CVE-2025-55183 – information disclosure
    → fixed in ≥ 19.2.2
  • CVE-2025-55184 – DoS
  • CVE-2025-67779 – DoS due to incomplete fix
    → both effectively fixed in 19.2.3

Practical recommendation: even if your main goal is to close the RCE, treat 19.2.3 as the effective baseline for RSC packages. Earlier “fixed” versions close the initial RCE, but leave information disclosure and/or DoS issues on the table.

Classic client-only React apps without an RSC server are not affected by React2Shell itself, although they may be vulnerable through other issues.

Next.js integration

Next.js integrates RSC functionality and exposes it via the App Router and server actions. A separate Next.js CVE (CVE-2025-66478) was initially assigned but has since been marked as a duplicate of CVE-2025-55182. From a defensive perspective, React’s RSC patch level is the source of truth – but you still need patched Next.js builds.

Vulnerable releases (selection)

  • 14.3.0-canary.77+ (certain canaries)
  • 15.x before fixed releases
  • 16.x before fixed releases

Patched releases (examples)

  • 15.0.5, 15.1.9, 15.2.6
  • 15.3.6, 15.4.8, 15.5.7
  • 16.0.7
  • 15.6.0-canary.58
  • 16.1.0-canary.12

Always cross-check with the current Next.js security advisory and ensure your lockfiles and transitive dependencies do not pull in vulnerable RSC packages.

Other affected frameworks & ecosystems

Beyond Next.js, any framework that uses React Server Components or the Flight protocol may be affected, including:

React Router (RSC mode) Waku @parcel/rsc @vitejs/plugin-rsc RedwoodSDK Expo with RSC support

In many SBOMs/SCA reports, these components only appear indirectly via React. A deeper dependency-tree analysis is therefore recommended.

Attack path – technical overview

The vulnerability is based on unsafe deserialization of Flight payloads in the React server. RSC clients send structured data representing component trees and server function calls. During decoding, some structures and keys are not validated strictly enough. Attackers can manipulate internal objects and reach code paths where attacker-controlled values are executed.

  1. Endpoint identification: RSC/server action endpoints can be discovered via typical routes, response headers, and framework signatures (e.g. Next.js App Router).
  2. Crafted Flight payload: Instead of legitimate data, the attacker sends a crafted payload that pollutes prototypes or abuses internal type markers.
  3. Unsafe decode & dispatch: The Flight decoder turns this into JavaScript objects and hands them to server logic. Insufficient validation allows attacker-controlled values to reach places that were not designed for user input.
  4. Gadget chain to RCE: By leveraging existing code paths (“gadgets”), attackers can ultimately execute arbitrary JavaScript in the context of the Node/Next.js process.
  5. Post-exploitation: Once code execution is achieved, typical follow-ups include access to secrets, planting backdoors, cryptomining, or lateral movement within internal networks.
PoC note: Many public “proof-of-concept” scripts are incomplete or exploit sloppy application logic (for example calling child_process.exec directly) instead of the underlying bug. Such PoCs should not be used blindly against production systems – they may be non-functional, outdated or even contain malware targeting researchers.

Observed exploitation chains in the wild

  • Espionage-focused activity: China-nexus clusters use React2Shell to deploy tooling such as the MINOCAT tunneler (Fast Reverse Proxy client), SNOWLIGHT downloader (part of VSHELL), COMPOOD and HISONIC implants, and ANGRYREBEL.LINUX, often targeting Linux/cloud infrastructure in APAC and global VPS providers.
  • Cryptomining & crimeware: financially motivated actors run simple one-shot commands from the compromised web process to download small shell scripts that install and persist XMRig cryptocurrency miners, sometimes under innocuous names and systemd services like “system-update-service”.
  • Infrastructure changes: scripts often create hidden directories (for example under a user’s home directory), masquerade binaries as common tools (such as sshd or vim), timestomp files and clear shell history to hinder forensics.
  • Exploit ecosystem: public exploit repositories have evolved from mostly non-functional examples to fully working payloads, including obfuscated variants and “web shell in one request” toolkits for Next.js.

Detection & telemetry

Infrastructure & runtime view

  • Process monitoring: unexpected child processes (shells, cryptominers, tunnellers, backdoors) spawned by Node/Next.js servers.
  • File activity: newly created binaries or scripts in app/temp directories or in hidden folders beneath user homes.
  • Network behaviour: connections from web server containers to unknown command-and-control hosts, VPS ranges or newly observed domains.
  • Security sensors: eBPF/syscall-based tools (e.g. Falco rules) that detect suspicious system calls originating from Next.js/Node processes.

HTTP, logs & application view

  • HTTP patterns: large, binary or oddly structured requests to routes associated with server components or server actions.
  • Error patterns: clusters of 5xx errors with RSC/Flight related stack traces, especially from a small set of source IPs.
  • WAF/IDS rules: enable current React2Shell signatures from your vendors; log and review blocked requests rather than simply discarding them.
  • Threat hunting: correlate suspicious HTTP requests with system events (process creation, tools being launched, config changes).

Selected indicators & hunting ideas

Threat intelligence providers have shared useful indicators and behaviours that defenders can look for in logs and EDR data:

  • Domains & IPs (examples): reactcdn.windowserrorapis[.]com (used by SNOWLIGHT), 82.163.22[.]139, 216.158.232[.]43, 45.76.155[.]14 (staging/command servers in observed campaigns).
  • Filesystem artefacts: hidden directories such as $HOME/.systemd-utils, binaries masquerading as sshd or vim in unusual locations, timestomping of newly dropped files.
  • Persistence mechanisms: new cron jobs, systemd units or rc scripts created shortly after suspicious HTTP activity; services with names that mimic legitimate update tooling (e.g. “system-update-service”).
  • Process lineage: system utilities like curl or wget spawned from the Node/Next.js process, immediately followed by execution of a new local binary or shell script.

Always combine these indicators with your own telemetry and up-to-date threat intel – lists are incomplete by design and evolve as new campaigns emerge.

Recommended actions & prioritisation

1. Patching & version management (top priority)

Many organisations patched quickly after the first advisory – but only for the initial RCE. With the additional CVEs and the incomplete DoS fix in 19.2.2, patching needs to be revisited.

  • Update React RSC packages:
    • For CVE-2025-55182 (RCE): at least 19.0.1, 19.1.2 or 19.2.1 depending on your branch.
    • For CVE-2025-55183 (info disclosure): at least 19.2.2.
    • For CVE-2025-55184 and CVE-2025-67779 (DoS, including incomplete fix in 19.2.2): update to 19.2.3.
    • In practice, aim for 19.2.3 or newer across all RSC packages to avoid a patchwork of slightly different residual risks.
  • Update Next.js: move to one of the documented fixed releases (for example 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 or the respective canaries) and keep tracking the official security advisories for new patch trains.
  • Other RSC frameworks: follow vendor advisories for React Router, Waku, Redwood, Expo, etc., and apply recommended updates.
  • Rebuild & rollout: after updating, rebuild artefacts and roll out updated deployments so that old vulnerable bundles are removed from all environments (production, staging, “forgotten” test systems).

2. Hardening & temporary protections

  • WAF rules: enable React2Shell signatures from your WAF vendor and cloud platform. Some providers ship pre-defined rulesets specifically for CVE-2025-55182 and related payload formats. Treat them as a safety net while patching – not as a permanent replacement for fixes.
  • Reduce attack surface: disable unused RSC/server action endpoints; avoid exposing internal RSC functionality directly to the internet; consider segmentation between public frontends and sensitive internal systems.
  • Least privilege: keep permissions for app containers and service accounts minimal (no unnecessary access to critical backend systems, cloud control planes or credential stores).

3. Forensics & incident response

  • Review the time since the first advisory: specifically investigate the period between initial disclosure (early December) and your most recent patch rollout – even if you already applied some fixes.
  • Focus on systems where suspicious HTTP requests, new files and unusual process activity (e.g. tunnellers, backdoors, cryptominers) coincide.
  • In case of suspicion: isolate affected systems, preserve artefacts (container images, logs, memory dumps) and run structured incident response according to your playbooks – or with external DFIR support.

FAQ for customer conversations

“We use React in the frontend – are we automatically affected?”

Not necessarily. React2Shell primarily affects React Server Components on the server. Classic SPAs that run entirely in the browser and do not use an RSC server are not affected by this specific vulnerability, even though other risks may exist.

“We have already patched – are we done?”

Patching for the initial RCE (CVE-2025-55182) was an important first step, but not the end. Additional CVEs and an incomplete DoS patch in 19.2.2 mean that many environments need a second patch round to reach a solid baseline (RSC 19.2.3). It is also important to review logs for potential compromise before the patch was applied.

“Are there already active attacks?”

Yes. Security vendors report automated scanning and exploitation attempts, including actions attributed to known APT groups and crimeware actors. Observed payloads include tunnellers, full-featured backdoors and cryptocurrency miners. Organisations with internet-facing Next.js/RSC applications should prioritise log and telemetry review.

“How should we prioritise React2Shell vs. other vulnerabilities?”

Where React Server Components are exposed to the internet, React2Shell should be treated as a top priority (P1). In environments without RSC servers, the priority is lower but it should still be addressed promptly as part of regular patch management and secure software supply chain hygiene.

“Is the Next.js CVE-2025-66478 still relevant?”

No – it has been marked as a duplicate of CVE-2025-55182. In practice, this means that the same underlying RSC bug drives both the React and Next.js advisories. You should still track Next.js security releases, but focus your risk assessment on the React RSC patch levels and your actual use of server components.

“What can we tell non-technical stakeholders?”

A simple message is: “We run technology that was affected by a critical vulnerability which is now being actively exploited worldwide. We have applied updated vendor fixes, hardened exposed services and are reviewing logs for signs of compromise. We also have external experts on standby for further incident response if needed.”

How we can support you with React2Shell

As a specialised security team, we help organisations handle React2Shell in a structured, risk-based way:

  • Remote discovery & pre-assessment: identify Next.js/RSC assets and provide an initial risk picture (e.g. passive stack checks, safe remote scans).
  • Repository & build analysis: analyse dependencies, lockfiles and CI/CD pipelines to locate vulnerable versions and RSC usage – including transitive dependencies.
  • Patching & hardening: support with React/Next.js upgrades, configuration changes, WAF rules and platform hardening on cloud and on-prem.
  • Detection engineering & IR: build detection rules (SIEM, EDR, WAF) and perform forensics/IR if compromise is suspected, including containment and eradication.

Next steps for interested organisations

  1. Quick scoping: which applications use React / Next.js / modern React frameworks, and where are they exposed (internet, partner networks, internal only)?
  2. Provide basic information (tech stack, hosting, cloud/on-prem setup, logging/monitoring status, current patch levels).
  3. Jointly prioritise critical targets and plan assessment, patching and – where needed – forensic activities and attack surface reduction.

On request, we provide lightweight scripts customers can use to scan their own repositories and deployments for React2Shell exposure (for example, version checks for React RSC & Next.js, and simple heuristics for RSC endpoint discovery).