React2Shell: Critical RCE in React Server Components (CVE-2025-55182 & CVE-2025-66478)
A simple, practical guide to the React Server Components RCE bug — what it is, how to safely check for it, and how to fix it.
What it is
React2Shell is a critical bug in React Server Components (RSC) and Next.js. A single crafted HTTP request can make the server run an attacker's code — no login, no clicks needed.
- CVE-2025-55182 — the React Server Components flaw
- CVE-2025-66478 — the same flaw as it appears in Next.js
- Severity: CVSS 10.0 (the maximum)
- Disclosed: December 3, 2025
- Status: Exploited in the wild since Dec 5, 2025 (mostly coin miners)
If your app uses React Server Components or Next.js, assume you're affected until you've patched.
Why it matters
- It's unauthenticated — anyone on the internet can try it.
- It leads straight to remote code execution on your server.
- React and Next.js run a huge part of the web, so the impact is massive.
- You can be vulnerable even if you never wrote a Server Function yourself.
How it works (in plain terms)
- Your server accepts requests containing serialized data (React's internal format for server calls).
- The server rebuilds objects from that data.
- A crafted payload tricks the rebuilder into reaching JavaScript's function constructor.
- That lets the attacker run their own code on your server.
In one line: the deserializer trusted the incoming data too much.
Affected versions
| Package / Framework | Affected | Fixed |
|---|---|---|
| react-server-dom-webpack / parcel / turbopack | 19.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1 |
| Next.js | Multiple release lines | See Next.js advisory (e.g. 14.2.35, 15.5.10, 16.1.5) |
Also affected: React Router, Waku, @parcel/rsc, @vitejs/plugin-rsc, Redwood SDK — because they include the vulnerable React packages.
How to check if you're vulnerable (safely)
Use the Assetnote React2Shell Scanner — a detection tool that confirms the bug without harming the target.
How it detects: the default check sends a harmless math operation; a vulnerable server computes it and reflects the result back in an X-Action-Redirect response header. The --safe-check flag instead uses an error-pattern side channel and runs no code on the target.
Only scan systems you own or are authorized to test.
How to detect attacks
Watch for:
- POST requests with bodies containing `constructor`, `_formData` or Flight markers
- The `Next-Action` header on suspicious POSTs
- Odd `X-Action-Redirect` response headers (a scanner/PoC fingerprint)
- Node spawning shells or `curl`/`wget`, or new outbound connections to mining pools
Simple log check:
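As an added example (not code from the original post), here is a small triage script that applies the HTTP-level indicators listed above to a request log. The record shape (`ts`, `ip`, `method`, `path`, `headers`, `body`, `responseHeaders`) is a constructed JSON-lines format; map your own proxy or Next.js logger fields onto it before use. Only the two body tokens the post names are matched; the Flight-marker list is left for you to extend, and the "lone Next-Action header is just a review item" policy is this example's assumption.

```javascript
// Added example, not part of the original post: flag request records that
// match the React2Shell indicators (Next-Action header, constructor/_formData
// in the body, X-Action-Redirect in the response). Log format is constructed.

const BODY_INDICATORS = ['constructor', '_formData'];

// Lower-case header names so lookups are case-insensitive.
function normalizeHeaders(headers = {}) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

// Return the indicators present in one request record ([] if none).
function indicatorsFor(record) {
  if ((record.method || '').toUpperCase() !== 'POST') return [];
  const req = normalizeHeaders(record.headers);
  const res = normalizeHeaders(record.responseHeaders);
  const body = record.body || '';
  const hits = [];
  if ('next-action' in req) hits.push('next-action-header');
  for (const token of BODY_INDICATORS) {
    if (body.includes(token)) hits.push(`body:${token}`);
  }
  if ('x-action-redirect' in res) hits.push('x-action-redirect-response');
  return hits;
}

// Parse JSON lines (malformed lines are skipped) and return one finding per
// request with at least one indicator. Two or more indicators => 'high';
// a lone Next-Action header is ordinary Server Action traffic => 'review'.
function triageLog(text) {
  const findings = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    let record;
    try { record = JSON.parse(line); } catch { continue; }
    const hits = indicatorsFor(record);
    if (hits.length === 0) continue;
    findings.push({
      ts: record.ts,
      ip: record.ip,
      path: record.path,
      indicators: hits,
      severity: hits.length >= 2 ? 'high' : 'review',
    });
  }
  return findings;
}

// Constructed sample log: a page load, a normal-looking Server Action call,
// and a POST that carries several of the indicators at once.
const SAMPLE_LOG = [
  JSON.stringify({ ts: '2025-12-05T10:00:00Z', ip: '198.51.100.10', method: 'GET',
    path: '/', headers: {}, body: '', responseHeaders: {} }),
  JSON.stringify({ ts: '2025-12-05T10:00:05Z', ip: '198.51.100.11', method: 'POST',
    path: '/', headers: { 'Next-Action': 'abc123' }, body: '["hello"]', responseHeaders: {} }),
  JSON.stringify({ ts: '2025-12-05T10:00:09Z', ip: '203.0.113.7', method: 'POST',
    path: '/', headers: { 'Next-Action': 'x' },
    body: 'constructed body containing _formData and constructor tokens',
    responseHeaders: { 'X-Action-Redirect': 'constructed-value' } }),
].join('\n');

// Print the findings for the constructed sample.
for (const finding of triageLog(SAMPLE_LOG)) console.log(JSON.stringify(finding));
```

Feed the script your real log by replacing `SAMPLE_LOG` with the file contents; the third constructed record is the one worth paging someone for, since it combines the action header, both body tokens and the redirect response header. The process-level indicators (Node spawning shells, new outbound connections) need host telemetry rather than HTTP logs and are not covered here.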
How to fix it
Patching is the only real fix. WAF rules only buy time.
Don't forget transitive dependencies:
Also recommended: run Node with least privilege, add egress filtering, and keep a vendor WAF rule as a temporary stopgap.
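Because the vulnerable packages are often pulled in transitively, the check has to look at what is actually installed, not just your own package.json. The following is an added example (not code from the original post or from the React project) that walks an npm lockfile (package-lock.json v2/v3 `packages` map, which lists nested `node_modules` copies too) and classifies every react-server-dom-* entry against the Affected/Fixed columns of the table above. The lockfile is constructed; treating prerelease builds and versions outside the three listed 19.x lines as "unknown" (flag for a human) is this example's own policy.

```javascript
// Added example, not from the original post: audit a package-lock.json for the
// vulnerable react-server-dom-* versions given in the table above. Sample
// lockfile below is constructed.

const PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];

// First fixed patch level per affected minor line, straight from the table:
// 19.0.x fixed in 19.0.1, 19.1.x in 19.1.2, 19.2.x in 19.2.1.
const FIRST_FIXED_PATCH = { '19.0': 1, '19.1': 2, '19.2': 1 };

// Classify one version string. Prerelease/canary builds and lines the table
// does not cover come back as 'unknown' so they get reviewed, not passed.
function classifyVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.*)?$/.exec(version);
  if (!m) return 'unknown';
  const [, major, minor, patch, pre] = m;
  if (pre) return 'unknown';
  const line = `${major}.${minor}`;
  if (!(line in FIRST_FIXED_PATCH)) return 'unknown';
  return Number(patch) < FIRST_FIXED_PATCH[line] ? 'vulnerable' : 'fixed';
}

// The package name is whatever follows the last "node_modules/" in the key,
// which is how nested copies appear in lockfile v2/v3.
function packageNameFromPath(path) {
  const idx = path.lastIndexOf('node_modules/');
  return idx === -1 ? null : path.slice(idx + 'node_modules/'.length);
}

// Return one result per react-server-dom-* entry found anywhere in the tree.
function auditLockfile(lock) {
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name || !PACKAGES.includes(name)) continue;
    const version = entry.version || '';
    results.push({ path, name, version, status: classifyVersion(version) });
  }
  return results;
}

// Constructed lockfile: a nested vulnerable copy under a hypothetical
// framework, a fixed top-level copy, and a canary build to review by hand.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/my-rsc-framework': { version: '1.2.3' },
    'node_modules/my-rsc-framework/node_modules/react-server-dom-webpack': { version: '19.1.1' },
    'node_modules/react-server-dom-webpack': { version: '19.2.1' },
    'node_modules/react-server-dom-turbopack': { version: '19.2.0-canary-0000000' },
  },
};

for (const r of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${r.status.padEnd(10)} ${r.name}@${r.version}  (${r.path})`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; pnpm and yarn lockfiles use a different layout and would need their own walker. Any `vulnerable` or `unknown` line means the upgrade is not done yet, even if your top-level dependency already points at a fixed release.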
Quick summary
- React2Shell (CVE-2025-55182 / CVE-2025-66478) is a CVSS 10.0 unauthenticated RCE in React Server Components and Next.js.
- It's actively exploited — patch now, don't wait.
- Scan safely with the Assetnote React2Shell Scanner, then upgrade React/Next.js (including transitive packages).
SEO essentials
- Title: React2Shell Explained: CVE-2025-55182 & CVE-2025-66478 RCE in React Server Components
- Meta description: What React2Shell (CVE-2025-55182 & CVE-2025-66478) is, how to safely scan for it with the Assetnote React2Shell Scanner, and how to detect and patch this CVSS 10.0 RCE in React and Next.js.
- Slug: react2shell-cve-2025-55182-66478
- Tags: CVE-2025-55182, CVE-2025-66478, React2Shell, React Server Components, Next.js Security, Remote Code Execution, Bug Bounty, Web Application Security
- References: React advisory (react.dev), Next.js security blog, Microsoft Security Blog (React2Shell), Assetnote React2Shell Scanner, NVD / CVE.org
For educational and defensive use only. Test only systems you own or are authorized to assess.