React2Shell (CVE-2025-55182): How to Protect Your Next.js App from Critical RCE
React2Shell (CVE-2025-55182) is a CVSS 10.0 RCE vulnerability in React Server Components. Learn how it works, which versions are affected, and how to patch and defend your Next.js applications.
2026-02-17T12:31:20.187Z
A CVSS 10.0 Vulnerability Threatening 2.15M+ Sites
On December 3, 2025, the most severe security vulnerability in React's history was publicly disclosed. Dubbed React2Shell (CVE-2025-55182), this flaw received the maximum CVSS score of 10.0 and enables unauthenticated remote code execution (RCE) through an unsafe deserialization bug in the React Server Components Flight protocol. Within hours, nation-state threat actors began active exploitation. Cloudflare observed 582.10 million attack attempts in just eight days following disclosure.
Every Next.js application using the App Router is in the blast radius, and default configurations are exploitable without any developer code changes — drawing immediate comparisons to Log4Shell.
Understanding the Attack Surface: React's Flight Protocol
React Server Components (RSC) introduced a fundamentally new architecture where components render on the server and stream results to the client. The Flight protocol handles the serialization and deserialization of data exchanged between server and client. It is precisely this deserialization layer where the critical flaw resides.
The root cause is that React's Flight protocol did not perform proper type checking on incoming serialized data. An attacker can exploit this by chaining internal gadgets to create a Promise-like object with an attacker-controlled .then property. During deserialization, these Promise-like objects are automatically resolved, triggering arbitrary JavaScript execution on the server.
In practical terms, an unauthenticated remote attacker can send a single crafted HTTP request to any Server Function endpoint. When deserialized by React, the payload loads Node.js's child_process module and executes arbitrary system commands. Testing showed near-100% exploit reliability against default configurations — no special setup or developer mistakes required.
Affected Versions and Scope
The reach of React2Shell extends across the entire RSC ecosystem.
React packages:
- react-server-dom-webpack: 19.0.0
- react-server-dom-parcel: 19.0.0, 19.1.0–19.1.1, 19.2.0
- react-server-dom-turbopack: affected 19.x versions
Next.js:
- 15.0.0 through 15.5.6
- 16.0.0 through 16.0.6
- 14.3.0-canary.77 and later canary releases
Other frameworks: Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodSDK, and Waku are all affected.
Critically, projects scaffolded with create-next-app using recommended defaults ship with App Router enabled, meaning they are vulnerable out of the box without any additional configuration.
Active Exploitation: Nation-State Threat Actors Move Fast
The severity of React2Shell became painfully clear in the hours following disclosure. According to the AWS Security Blog, China-nexus threat groups Earth Lamia and Jackpot Panda began exploitation within hours of the public announcement.
By December 12, Google's Threat Intelligence Group (GTIG) had identified multiple additional China-nexus threat clusters. UNC6595 deployed the ANGRYREBEL.LINUX malware. UNC6600 delivered the MINOCAT tunneler. UNC6603 deployed an updated version of the HISONIC backdoor — a Go-based implant that uses legitimate cloud services like Cloudflare Pages and GitLab to retrieve encrypted configurations.
Cloudflare's threat brief provides staggering scale metrics. Across December 3–11, they recorded 582.10 million hits, averaging 3.49 million requests per hour with a peak of 12.72 million in a single hour. An average of 3,598 unique IPs and up to 6,387 unique User-Agents per hour were observed, indicating attackers used diverse tooling including Nuclei scanners, custom React2ShellScanner variants, Burp Suite, and python-requests libraries.
Targets included a national authority responsible for uranium and nuclear fuel trade, government websites, academic institutions, and SSL VPN appliances. Attack traffic concentrated on the Asia-Pacific region, specifically targeting AWS and Alibaba Cloud instances. Notably, attackers excluded Chinese IP space from their scanning, suggesting deliberate operational targeting parameters.
Patching Guide: Version-by-Version Upgrade Instructions
The only definitive remediation is immediate patching. Here are the exact commands for each scenario.
Next.js Applications
```bash
# Next.js 15.x users (upgrade to nearest patched minor)
npm install next@15.5.7 react@latest react-dom@latest
# Next.js 16.x users
npm install next@16.0.7 react@latest react-dom@latest
# Next.js 14.x canary users — downgrade to stable
npm install next@14.2.35
# TypeScript users must also update types
npm install @types/react@latest @types/react-dom@latest
```
Patched Next.js versions include: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7.
Direct React Package Usage
```bash
# react-server-dom-webpack
npm install react-server-dom-webpack@19.0.1
# react-server-dom-parcel (use version matching your React minor)
npm install react-server-dom-parcel@19.2.1
```
Patched React versions: 19.0.1, 19.1.2, and 19.2.1.
Don't Forget the Follow-Up CVEs
After CVE-2025-55182 was patched, three additional vulnerabilities were discovered in the RSC protocol: CVE-2025-55183 (server function source code exposure), CVE-2025-55184 (DoS via cyclic Promise references), and CVE-2025-67779. These require upgrading to React 19.0.3, 19.1.4, or 19.2.3. The React security blog post from December 11 provides full details.
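To turn the patched-release lists above (both the initial fix and the follow-up releases) into a repeatable check, here is an added example in JavaScript; it is not code from the React or Next.js projects, handles only x.y.z[-prerelease] version strings, and assumes a package-lock.json v2/v3 style `packages` map.

```javascript
// Added example (not React/Next.js project code): classify resolved versions
// against the patched releases from the guide above. Handles x.y.z[-pre] only.
const PATCHED_NEXT = { "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6",
  "15.3": "15.3.6", "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7" };
// React 19: [fix for CVE-2025-55182, release also fixing 55183/55184/67779].
const PATCHED_REACT = { "19.0": ["19.0.1", "19.0.3"], "19.1": ["19.1.2", "19.1.4"],
  "19.2": ["19.2.1", "19.2.3"] };
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Numeric compare; a prerelease (e.g. canary.77) sorts below its x.y.z release.
function compare(a, b) {
  for (const k of ["major", "minor", "patch"]) if (a[k] !== b[k]) return a[k] - b[k];
  if (a.pre === b.pre) return 0;
  if (!a.pre || !b.pre) return a.pre ? -1 : 1;
  return +a.pre.replace(/\D/g, "") - +b.pre.replace(/\D/g, "");
}
function nextStatus(version) {
  const v = parse(version);
  const fixed = PATCHED_NEXT[`${v.major}.${v.minor}`];
  if (fixed) return compare(v, parse(fixed)) >= 0 ? "patched" : "vulnerable";
  // 14.x canaries from 14.3.0-canary.77 onward are affected; stable 14.x is not.
  if (v.major === 14 && v.pre && v.pre.startsWith("canary"))
    return compare(v, parse("14.3.0-canary.77")) >= 0 ? "vulnerable" : "not-affected";
  return v.major < 15 ? "not-affected" : "unknown";
}

function reactStatus(version) {
  const v = parse(version);
  const fixed = PATCHED_REACT[`${v.major}.${v.minor}`];
  if (!fixed) return v.major < 19 ? "not-affected" : "unknown";
  if (compare(v, parse(fixed[1])) >= 0) return "patched";
  return compare(v, parse(fixed[0])) >= 0 ? "follow-up-cves-unpatched" : "vulnerable";
}

// Audit the "packages" map of a package-lock.json (assumed lockfile v2/v3 shape).
function auditLockfile(lock) {
  const report = {};
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.replace(/^.*node_modules\//, "");
    if (name === "next") report[path] = nextStatus(meta.version);
    else if (/^react-server-dom-(webpack|parcel|turbopack)$/.test(name))
      report[path] = reactStatus(meta.version);
  }
  return report;
}
```

Run `auditLockfile(JSON.parse(fs.readFileSync("package-lock.json")))` in each repository; any entry other than "patched" or "not-affected" needs attention.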
Detection and Defense: A Layered Approach
While patching is the top priority, organizations that cannot immediately upgrade need layered defenses.
WAF Rules from Major Cloud Providers
All major providers have deployed managed WAF rules:
- AWS WAF: AWSManagedRulesKnownBadInputsRuleSet version 1.24+ provides automatic protection
- Google Cloud Armor: Dedicated detection and blocking rules for CVE-2025-55182
- Cloudflare: Six protective rules across free and paid tiers, all defaulting to Block action
- Vercel: Automatic WAF protection for hosted projects — but explicitly warns "do not rely on the WAF for full protection"
Monitoring for Exploitation Attempts
Watch your logs for these indicators:
```text
# Suspicious User-Agent strings
Nuclei - CVE-2025-55182
React2ShellScanner/1.0.0
# Request headers indicating targeting
POST requests containing "next-action" or "rsc-action-id" headers
# Payload patterns characteristic of the exploit
:constructor:constructor (deserialization chain signature)
"status":"resolved_model"
$@ serialization marker
"_prefix", "_formData", internal field references
```
A sudden spike in HTTP 403 responses indicates your WAF is actively blocking exploitation attempts.
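The indicators above, turned into detection logic over request logs, as an added example in JavaScript that is not from the article's sources; the JSON-lines field names (`ts`, `method`, `path`, `status`, `userAgent`, `headers`, `body`) are a constructed shape to map onto your own logger, and the sample log is constructed, not captured traffic.

```javascript
// Added example (not from the article's sources): score request-log entries
// against the React2Shell indicators above; JSON-lines field names are assumed.
const SCANNER_UAS = ["Nuclei - CVE-2025-55182", "React2ShellScanner/"];
// Legitimate Server Function calls carry these too: alone they only show the
// request reached the RSC attack surface.
const ACTION_HEADERS = ["next-action", "rsc-action-id"];
const PAYLOAD_MARKERS = [":constructor:constructor", '"status":"resolved_model"',
  "$@", '"_prefix"', '"_formData"'];
function classify(entry) {
  const reasons = [];
  const ua = entry.userAgent || "";
  const scanner = SCANNER_UAS.some((s) => ua.includes(s));
  if (scanner) reasons.push(`scanner UA: ${ua}`);
  const headers = Object.fromEntries(Object.entries(entry.headers || {}).map(([k, v]) => [k.toLowerCase(), v]));
  const isAction = entry.method === "POST" && ACTION_HEADERS.some((h) => h in headers);
  if (isAction) reasons.push("POST to Server Function endpoint");
  const markers = PAYLOAD_MARKERS.filter((m) => (entry.body || "").includes(m));
  if (markers.length) reasons.push(`payload markers: ${markers.join(" ")}`);
  // Markers inside a Server Function POST are the strongest signal; a scanner UA
  // or a stray marker is recon; an action POST on its own is normal traffic.
  const severity = markers.length && isAction ? "high"
    : markers.length || scanner ? "medium" : isAction ? "info" : "none";
  return { severity, reasons };
}
const RANK = { none: 0, info: 1, medium: 2, high: 3 };
// Parse JSON-lines log text and keep entries at or above minSeverity.
function scanLog(text, minSeverity = "medium") {
  return text.split("\n").filter(Boolean).map((l) => JSON.parse(l))
    .map((e) => ({ ...e, ...classify(e) }))
    .filter((e) => RANK[e.severity] >= RANK[minSeverity]);
}
// 403s per minute (ts is ISO-8601); a jump over your baseline is the WAF
// blocking attempts, which is a cue to confirm the app's patch status.
function count403PerMinute(text) {
  const perMinute = {};
  for (const e of text.split("\n").filter(Boolean).map((l) => JSON.parse(l)))
    if (e.status === 403) { const m = e.ts.slice(0, 16); perMinute[m] = (perMinute[m] || 0) + 1; }
  return perMinute;
}
// Constructed sample log, not real traffic; bodies carry only the marker
// substrings quoted on the page, not a working payload.
const SAMPLE_LOG = [
  { ts: "2025-12-04T10:00:01Z", method: "POST", path: "/", status: 403,
    userAgent: "React2ShellScanner/1.0.0", headers: { "next-action": "x" },
    body: '{"status":"resolved_model"}' },
  { ts: "2025-12-04T10:00:05Z", method: "POST", path: "/dashboard", status: 200,
    userAgent: "Mozilla/5.0", headers: { "Next-Action": "x" }, body: '["42"]' },
  { ts: "2025-12-04T10:01:10Z", method: "GET", path: "/", status: 200,
    userAgent: "Nuclei - CVE-2025-55182", headers: {}, body: "" },
].map((e) => JSON.stringify(e)).join("\n");
```

`scanLog(SAMPLE_LOG)` returns the scanner POST as "high" and the Nuclei GET as "medium", while the ordinary Server Action POST only surfaces at the "info" level.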
Vulnerability Scanning
The open-source react2shell-scanner from Assetnote can verify whether your applications are vulnerable. It sends a crafted multipart POST request that triggers a specific error condition — vulnerable hosts return a 500 status code with E{"digest" in the response body.
Temporary Mitigation
If immediate patching is impossible: applications not heavily using App Router functionality can migrate to the Pages Router as a temporary measure. Additionally, search your codebase for the 'use server' directive to identify all Server Function endpoints and restrict access to them at the network level.
Long-Term RSC Security Practices
React2Shell has fundamentally changed how the industry thinks about RSC security. The React team's official security advisory and the Next.js security guide both emphasize treating Flight protocol endpoints as a critical attack surface.
Developers must verify that database packages and environment variables are not imported outside a Data Access Layer. Server Components run in a separate module system from Client Components specifically to prevent information leakage, but this isolation only works when developers respect the boundaries. Automated dependency update tools like Dependabot or Renovate should be configured to fast-track security patches, and all internet-facing RSC endpoints should be inventoried and monitored continuously.
Act Now
React2Shell is among the most critical web ecosystem vulnerabilities since Log4Shell. If you're running Next.js 15.x or 16.x, upgrade immediately to the latest patched version. Deploy WAF rules but don't treat them as a substitute for patching. Verify that follow-up CVEs (55183, 55184, 67779) are also addressed. Inventory every internet-facing RSC endpoint in your infrastructure. As Cloudflare emphasized in their threat brief: "network-level protection is not a substitute for remediation at the source."
Sources:
- AWS Security Blog: China-nexus threat groups exploit React2Shell
- Google Cloud Blog: Multiple Threat Actors Exploit React2Shell
- Cloudflare Threat Brief: React2Shell exploitation
- Wiz Blog: Critical Vulnerability in React
- React Official Advisory
- Vercel CVE-2025-55182 Summary
- JFrog Detection & Mitigation Guide
- Averlon: React2Shell Explained