The bug dubbed React2Shell, tracked under two identifiers, CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), allows a remote, unauthenticated attacker to gain code execution on servers running vulnerable versions of React Server Components (RSC) or the Next.js App Router with a single HTTP request. A public proof-of-concept exploit is available [1].
| MITRE Tactic | ID | Technique Name |
|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application |
| Execution | T1059 | Command and Scripting Interpreter |
| Persistence | T1505.003 | Server Software Component: Web Shell |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
| Defense Evasion | T1070.004 | Indicator Removal: File Deletion |
Next.js powers a massive share of the modern web, including many high-profile and high-traffic applications. Because of this ubiquity, the recently disclosed React Flight RCE vulnerability (CVE-2025-55182) has an exceptionally large blast radius.
Any Next.js app that uses the App Router, the default for every new project since Next.js 13, is vulnerable out of the box, because React Server Components (RSC) are enabled by default there.
No special configuration, no hidden endpoints, and no authentication are required to exploit it. A single unauthenticated POST request to any route in the application is enough to trigger remote code execution on the server.
At its core, the issue is insecure deserialization within the React Flight protocol, the line-oriented serialization format that carries component trees, function references and Server Action arguments between server and client. During the client-to-server "reply flow" (for example, when invoking a Server Action), the server deserializes the incoming Flight payload without adequate validation of the references it contains.
The vulnerability manifests in the requireModule function across the affected packages: react-server-dom-webpack, react-server-dom-turbopack, and react-server-dom-parcel. This function resolves module exports from attacker-supplied identifiers (of the form module_id#export_name). Critically, it lacks a hasOwnProperty check when accessing properties via bracket notation (obj[key]), so a key such as __proto__ or constructor walks the JavaScript prototype chain instead of being rejected. An attacker can therefore craft a payload whose references reach built-in prototypes, pollute core object prototypes, and ultimately obtain the Function constructor to compile and run arbitrary code.
This prototype pollution is not benign; it chains directly into RCE by hijacking module resolution or deserialization paths, such as altering Chunk.prototype.then resolution during blob (Binary Large Object) handling. Both identifiers carry a CVSS score of 10.0 (Critical), reflecting the ease of unauthenticated exploitation.
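The following is an added illustration of the bug class just described, not code from react-server-dom or Next.js: a reference resolver that walks an attacker-supplied path with bracket notation and no own-property check, shown next to a version that enforces the check. The `$<id>:<segment>:<segment>` reference syntax, the function names and the sample chunk table are all assumptions made for the demonstration.

```javascript
// Added example (not react-server-dom code). Assumed reference syntax:
// "$<chunkId>:<prop>:<prop>...", resolved against a table of already
// deserialised chunks, mirroring the page's module_id#export_name lookup.
function parseReference(ref) {
  if (typeof ref !== 'string' || ref[0] !== '$') {
    throw new Error('not a reference');
  }
  const [id, ...path] = ref.slice(1).split(':');
  return { id, path };
}

// Vulnerable variant: plain obj[key] on every hop. "constructor" and
// "__proto__" are not own properties, but bracket access still finds them
// on the prototype chain.
function resolveVulnerable(chunks, ref) {
  const { id, path } = parseReference(ref);
  let value = chunks[id];
  for (const key of path) {
    value = value[key];
  }
  return value;
}

// Hardened variant: every hop must be an own property of an object, which is
// the hasOwnProperty check the page says the vulnerable code lacks.
const hasOwn = Object.prototype.hasOwnProperty;
function resolveHardened(chunks, ref) {
  const { id, path } = parseReference(ref);
  if (!hasOwn.call(chunks, id)) {
    throw new Error(`unknown chunk ${id}`);
  }
  let value = chunks[id];
  for (const key of path) {
    if (value === null || typeof value !== 'object' || !hasOwn.call(value, key)) {
      throw new Error(`invalid reference segment "${key}"`);
    }
    value = value[key];
  }
  return value;
}

// Constructed sample: what the server believes the client sent so far.
const chunks = { '1': { name: 'alice', tags: ['admin'] } };

// What the attacker gains: {}.constructor is Object, Object.constructor is
// Function, so two hops hand back the Function constructor. The source
// string below is a harmless stand-in for attacker-controlled code.
function compileViaGadget() {
  const F = resolveVulnerable(chunks, '$1:constructor:constructor');
  return F('return 6 * 7')();
}

// Same reference against the hardened resolver is rejected on the first hop.
function hardenedBlocksGadget() {
  try {
    resolveHardened(chunks, '$1:constructor:constructor');
    return false;
  } catch (e) {
    return true;
  }
}
```

Legitimate references such as `$1:name` or `$1:tags:0` resolve identically in both variants; only the prototype-walking ones differ, which is why the own-property check is a drop-in fix rather than a behaviour change for real payloads.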
| Aspect | Details |
|---|---|
| Affected versions of React (react-server-dom-webpack, -turbopack, -parcel) | 19.0.0, 19.1.0, 19.1.1, 19.2.0 |
| Affected versions of Next.js | 15.x (before 15.5.7), 16.x (before 16.0.7), 14.3.0-canary.77 and later canary releases |
| Exploitation Vector | Network (malformed POST request carrying a Flight payload to any App Router endpoint) |
| Requirements | RSC (React Server Components) enabled; no authentication required |
| Impact | Arbitrary remote code execution, leading to data breaches and full server compromise |
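As an added example for the exploitation vector in the table above, here is a request-level heuristic that flags POST bodies whose Flight-style `$` references walk into prototype properties. This is illustrative code written for this page, not Versa's IPS signature logic; the `$<id>:<segment>` reference pattern, the `Next-Action` header used as a Server Action indicator, and the sample requests are constructed assumptions.

```javascript
// Added detection example (not Versa signature logic). Flags request bodies
// that carry "$<id>:<seg>:<seg>..." references whose path touches prototype
// properties, the traversal the page describes.
const DANGEROUS_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Assumed reference shape: "$", optional one-letter tag, a numeric id, then
// one or more ":segment" hops. Segments stop at whitespace, quotes and JSON
// delimiters so the match works inside JSON strings and multipart fields.
const REF_RE = /\$[A-Za-z@]?\d+(?::[^\s":,}\]]+)+/g;

function findPrototypeReferences(body) {
  const hits = [];
  for (const m of body.matchAll(REF_RE)) {
    const segments = m[0].split(':').slice(1);
    if (segments.some((s) => DANGEROUS_SEGMENTS.has(s))) {
      hits.push(m[0]);
    }
  }
  return hits;
}

// Classify one request. A Next.js Server Action invocation is a POST that
// carries a Next-Action header; a prototype-walking reference in any POST
// body is treated as suspicious, and the header is reported as context.
function classifyRequest(req) {
  const headers = Object.fromEntries(
    Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), v])
  );
  const isPost = req.method === 'POST';
  const targetsServerAction = isPost && 'next-action' in headers;
  const refs = isPost ? findPrototypeReferences(req.body || '') : [];
  return { suspicious: refs.length > 0, targetsServerAction, refs };
}

// Constructed sample traffic (not captured from a real system).
const samples = [
  {
    // Benign Server Action call: references only own properties.
    method: 'POST',
    headers: { 'Next-Action': 'abc123', 'Content-Type': 'text/plain;charset=UTF-8' },
    body: '[{"name":"alice","tags":["admin"]},"$1:name","$1:tags:0"]',
  },
  {
    // Probe: references that climb the prototype chain inside a multipart field.
    method: 'POST',
    headers: { 'Next-Action': 'abc123', 'Content-Type': 'multipart/form-data; boundary=x' },
    body:
      '--x\r\nContent-Disposition: form-data; name="0"\r\n\r\n' +
      '{"then":"$1:__proto__:then","value":"$1:constructor:constructor"}\r\n--x--',
  },
  {
    // Ordinary RSC navigation fetch: GET, no body.
    method: 'GET',
    headers: { RSC: '1' },
    body: '',
  },
];

function classifyAll() {
  return samples.map(classifyRequest);
}
```

Run `classifyAll()` to see only the second sample marked suspicious, with both offending references listed. A production rule would also need to decode gzip bodies and tolerate references split across chunked transfer boundaries; the point here is the feature to look for, not a drop-in signature.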
Next.js is the leading adopter of RSC and inherits the flaw directly through its App Router implementation, so a default project is vulnerable out of the box. The Flight protocol's role in streaming component trees and function references is a linchpin of Next.js's performance edge, but that tight integration is also what amplifies the blast radius.
Given that blast radius, immediate action is required, and any unpatched, Internet-facing deployment should be assumed exposed. Upgrade to the fixed versions: react-server-dom-webpack, react-server-dom-turbopack and react-server-dom-parcel 19.0.1, 19.1.2 or 19.2.1 [3], and Next.js 15.5.7 or 16.0.7, or the corresponding backport release for earlier 15.x minor lines [2]. To check what a project actually has installed, run `npm ls next react-server-dom-webpack react-server-dom-turbopack react-server-dom-parcel` in the project directory and compare against the affected ranges above.
For interim protection, Versa has released Intrusion Prevention signatures for this vulnerability.
Customers are advised to use the information below to tune their security policy so that exploitation attempts are detected, starting with the release of SPACK #2304.
Signature IDs: 1000028410, 1000028413, 1000028414, 1000028415
[1] https://github.com/freeqaz/react2shell
[2] https://nextjs.org/blog/CVE-2025-66478
[3] https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components