React and Next.js are affected by a critical unauthenticated Remote Code Execution (RCE) vulnerability collectively known as React2Shell, tracked as CVE-2025-55182 (React) and CVE-2025-66478 (Next.js). This vulnerability carries a maximum CVSS score of 10.0 (Critical) and allows attackers to execute arbitrary commands on vulnerable servers without authentication.
The flaw exists in React Server Components (RSC) and impacts modern server-rendered React applications, particularly those built using Next.js 15.x and 16.x. The vulnerability is actively being exploited, so patching should be treated as an emergency.
Vulnerability Details
CVE IDs:
CVE-2025-55182 (React Server Components)
CVE-2025-66478 (Next.js Implementation)
CVSS Score: 10.0 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Impact: Full Server Compromise (RCE)
Disclosure Date: December 3, 2025
Vulnerability Type: Insecure Deserialization / Unsafe Server Action Processing
CWE: CWE-502 (Deserialization of Untrusted Data)
The Problem
React Server Components use a server-client communication mechanism that improperly validates serialized data sent from the client. Due to missing validation and unsafe deserialization, attackers can craft malicious requests that can:
- Bypass security controls
- Inject executable payloads
- Achieve remote command execution on the server
In Next.js, this vulnerability manifests in the App Router / RSC pipeline, making many default Next.js deployments exploitable without any special configuration.
What’s Affected
Vulnerable React Packages
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
| Affected Versions | Fixed Versions |
|---|---|
| React 19.0.0 | React 19.0.1+ |
| React 19.1.0 | React 19.1.2+ |
| React 19.1.1 | React 19.1.2+ |
| React 19.2.0 | React 19.1.2+ |
Next.js
| Affected Versions | Fixed Versions |
|---|---|
| Next.js 15.x | 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 |
| Next.js 16.x | 16.0.7 |
| Next.js 14.3.0-canary.77 and later canary releases | 15.6.0-canary.58 (for 15.x canary releases), 16.1.0-canary.12 (for 16.x canary releases) |
How React2Shell Works
React2Shell exploits the way React Server Components (RSC) communicate between the browser and the server. RSC uses a serialized “React Flight” protocol to request and render components dynamically. In vulnerable versions of React and Next.js, the server does not properly validate these serialized payloads.
This allows an attacker to:
- Send a crafted RSC request to a public-facing React/Next.js endpoint
- Inject malicious serialized data that the server incorrectly trusts
- Trigger unsafe deserialization and execution of server actions
- Execute arbitrary system-level commands and take full control of the server
Because RSC is enabled by default in many Next.js 15.x and 16.x deployments, this vulnerability becomes exploitable in real-world production systems without requiring any special configuration.
Why This Matters
This vulnerability is considered extremely dangerous for several reasons:
- No authentication required
- Network-accessible
- Full remote code execution
- Actively exploited in the wild
- Mass adoption of React and Next.js
Given the widespread use of React and Next.js across SaaS, fintech, e-commerce, and enterprise platforms, this vulnerability represents a global-scale risk.
What You Should Do Right Now
- Patch Immediately: Upgrade React, RSC packages, and Next.js to the fixed versions.
- Locate Public-Facing Applications: Identify which external services use React Server Components or unpatched Next.js versions.
- Review Server Logs: Look for suspicious POST requests, malformed RSC payloads, or unusual child processes.
- Rotate Secrets: Rotate API keys, tokens, and environment variables on previously vulnerable systems.
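The "Patch Immediately" step starts with knowing which pinned versions are still below the fixed releases in the tables above. The following audit script is an added example, not part of this advisory and not React or Next.js tooling: it walks a lockfileVersion 2/3 package-lock.json (including nested copies) and classifies each listed package against the stable fixed versions from the tables. Canary and other prerelease versions are reported for manual review rather than judged, and the 19.2.0 row, which names no fix inside the 19.2 line, is matched explicitly.

```javascript
// Stable fixed releases from the advisory tables, keyed by package and "major.minor" line.
const FIXED_BY_LINE = {
  'react-server-dom-webpack':   { '19.0': '19.0.1', '19.1': '19.1.2' },
  'react-server-dom-parcel':    { '19.0': '19.0.1', '19.1': '19.1.2' },
  'react-server-dom-turbopack': { '19.0': '19.0.1', '19.1': '19.1.2' },
  next: { '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6', '15.3': '15.3.6',
          '15.4': '15.4.8', '15.5': '15.5.7', '16.0': '16.0.7' },
};
// The React table marks 19.2.0 as affected but names no fix inside the 19.2 line,
// so that version is matched explicitly instead of by line comparison.
const REACT_EXPLICITLY_AFFECTED = ['19.2.0'];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: m[4] || null } : null;
}

function compareNums(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns 'vulnerable', 'fixed', 'review' (prerelease/canary or unparsable: the
// canary fixes depend on the release line, so check those by hand) or 'not-listed'.
function assess(pkg, version) {
  const lines = FIXED_BY_LINE[pkg];
  if (!lines) return 'not-listed';
  const parsed = parseVersion(version);
  if (!parsed || parsed.pre) return 'review';
  if (pkg.startsWith('react-server-dom-') && REACT_EXPLICITLY_AFFECTED.includes(version)) return 'vulnerable';
  const fix = lines[`${parsed.nums[0]}.${parsed.nums[1]}`];
  if (!fix) return 'not-listed';
  return compareNums(parsed.nums, parseVersion(fix).nums) < 0 ? 'vulnerable' : 'fixed';
}

// Walks the "packages" map of a lockfileVersion 2/3 package-lock.json; nested
// copies such as node_modules/a/node_modules/next are picked up as well.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!Object.hasOwn(FIXED_BY_LINE, name)) continue;
    findings.push({ name, path, version: entry.version, status: assess(name, entry.version) });
  }
  return findings;
}

// Constructed sample lock (not a real project) so the script runs stand-alone.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/next': { version: '15.5.6' },
  'node_modules/react-server-dom-webpack': { version: '19.2.0' },
  'node_modules/foo/node_modules/react-server-dom-turbopack': { version: '19.1.2' },
  'node_modules/react': { version: '19.1.1' },
} };

if (typeof require === 'function' && require.main === module) {
  const fs = require('node:fs');
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK;
  console.table(auditLockfile(lock));
}
```

Run it as `node audit-react2shell.js path/to/package-lock.json` against each deployed application; a 'review' or 'not-listed' result still needs a manual check against the vendor's release notes.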
Temporary Protection
These controls are supplementary and do not replace patching.
- Web Application Firewall (WAF): Block malformed RSC payloads and unusual POST patterns.
- Network Access Controls: Restrict access to application endpoints using IP allow-listing where possible.
- Runtime Security Monitoring: Detect abnormal process spawning or outbound network connections.
What to Watch For (Indicators of Exploitation)
- High CPU usage or cryptominer-like behavior
- Strange outbound connections to unknown hosts
- Modified application files or deployment pipelines
- Requests with abnormal serialized payload structures
Timeline
- Early December 2025: Vulnerability disclosed
- Same Week: Public exploitation observed
- Following Days: Emergency patches released for React and Next.js
- Current Status: Actively exploited in the wild
Recommendations
Based on our analysis, we recommend:
- Apply security patches immediately
- Review the full attack surface for React and Next.js assets
- Validate that the patches were actually deployed
- Enable continuous attack surface monitoring
Final Note
CVE-2025-55182 (React2Shell) and CVE-2025-66478 (Next.js) represent one of the most severe vulnerabilities ever disclosed in the modern JavaScript ecosystem. With a CVSS score of 10.0, unauthenticated RCE, and confirmed exploitation, this is an emergency-level threat for all organizations using server-side React.
Delay in patching significantly increases the risk of full infrastructure compromise.
About iZOOlogic
iZOOlogic provides a powerful Attack Surface Management (ASM) platform that helps organizations discover, monitor, and secure their external digital assets. We continuously identify exposed systems, detect vulnerabilities, and deliver timely alerts so security teams can fix risks before they are exploited. With real-time visibility and actionable insights, iZOOlogic helps reduce security risk and improve response time.
