Critical “React2Shell” Vulnerability in React Server Components (CVE‑2025‑55182)

1. What just happened?

On December 3, 2025, the React team disclosed a critical unauthenticated Remote Code Execution (RCE) vulnerability in React Server Components / React Server Functions, tracked as CVE‑2025‑55182 and rated CVSS 10.0. The bug sits in how React decodes/deserializes payloads sent to Server Function endpoints: a crafted request, once deserialized by React, gives the attacker code execution on your server.

Even if your app doesn’t explicitly define any Server Function endpoints, you may still be vulnerable as long as your framework/bundler supports React Server Components.

2. Why people are calling it “React2Shell”

Security researchers quickly nicknamed the bug React2Shell because:

  • it’s framework‑level,
  • requires no authentication,
  • yields full server-side code execution,
  • and is already being hunted at internet scale.

Same vibe as Log4Shell: easy to automate, huge blast radius.

3. Affected versions and ecosystem blast radius

The vulnerable packages are:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

Impacted versions include React 19.0.x, 19.1.x, and 19.2.0 lines before patches.

Affected frameworks/bundlers include (not limited to):

  • Next.js (15.x and 16.x with App Router enabled)
  • React Router’s unstable RSC APIs
  • Waku
  • Parcel RSC plugin
  • Vite RSC plugin
  • RedwoodSDK (rwsdk)

If you ship RSC or Server Actions through any of these, assume exposure until proven otherwise.

4. What attackers are doing right now

AWS threat intelligence observed exploitation attempts within hours of public disclosure, primarily from China‑nexus groups such as Earth Lamia and Jackpot Panda, plus other unattributed clusters.

Two big takeaways:

  1. Weaponization speed is brutal — PoCs get operationalized almost immediately.
  2. Even “noisy”/half‑working PoCs still result in compromises at scale because scanning volume is enormous.

Bottom line: if you’re unpatched, you’re already being probed.

5. Immediate remediation (do this first)

Patch React / framework packages now

React shipped fixes in:

  • 19.0.1
  • 19.1.2
  • 19.2.1

If you’re on Next.js, upgrade to the patched release for your line:

  • next@15.0.5 (15.0.x)
  • next@15.1.9 (15.1.x)
  • next@15.2.6 (15.2.x)
  • next@15.3.6 (15.3.x)
  • next@15.4.8 (15.4.x)
  • next@15.5.7 (15.5.x)
  • next@16.0.7 (16.0.x)

If you were on Next 14 canary builds, downgrade to stable Next 14.
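To turn the version list above into a repeatable check, here is an added example (not from the advisory or the React/Next.js projects) that reads an npm lockfile and reports whether each of the affected packages is below the first fixed release for its minor line. It assumes a lockfile v2/v3 layout with a top-level "packages" map, that the react-server-dom-* packages are versioned in step with React 19, and uses a constructed sample lockfile; names like assess and audit_lockfile are the example's own.

```python
import json
import re

# First fixed version per affected minor line, as listed in section 5.
# Assumption: the react-server-dom-* packages are versioned in step with React 19.
_REACT19 = {"19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1"}
FIXED = {p: _REACT19 for p in ("react-server-dom-webpack",
                               "react-server-dom-parcel",
                               "react-server-dom-turbopack")}
FIXED["next"] = {"15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
                 "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7"}

def parse_version(v):
    """'19.2.1-canary.3' -> ((19, 2, 1), True); the flag marks a prerelease tag."""
    core, _, pre = v.partition("-")
    nums = tuple(int(x) for x in re.findall(r"\d+", core)[:3])
    return nums + (0,) * (3 - len(nums)), bool(pre)

def assess(name, version):
    """Return 'vulnerable', 'patched' or 'unlisted' (package or line not in the advisory)."""
    lines = FIXED.get(name)
    if not lines:
        return "unlisted"
    nums, pre = parse_version(version)
    fixed = lines.get(f"{nums[0]}.{nums[1]}")
    if fixed is None:
        return "unlisted"
    fixed_nums, _ = parse_version(fixed)
    # A prerelease of the fixed version (e.g. 19.2.1-canary.1) still predates the fix.
    return "vulnerable" if nums < fixed_nums or (nums == fixed_nums and pre) else "patched"

def audit_lockfile(lock_text):
    """Walk an npm lockfile v2/v3 'packages' map; return {package: (version, verdict)}."""
    findings = {}
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]   # strips nesting and the root entry
        if name in FIXED and "version" in meta:
            findings[name] = (meta["version"], assess(name, meta["version"]))
    return findings

# Constructed sample lockfile, not from a real project.
SAMPLE_LOCK = """{"lockfileVersion": 3, "packages": {
  "": {"name": "demo-app"},
  "node_modules/next": {"version": "15.5.4"},
  "node_modules/react": {"version": "19.2.0"},
  "node_modules/react-server-dom-webpack": {"version": "19.2.0"}}}"""

if __name__ == "__main__":
    for pkg, (ver, verdict) in audit_lockfile(SAMPLE_LOCK).items():
        print(f"{pkg}@{ver}: {verdict}")
```

Run it against the real package-lock.json of each deployable app; "unlisted" means the line is not one the advisory names (for example Next 14), so check it by hand rather than treating it as safe.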

Temporary mitigations (not a replacement for patching)

  • Enable managed WAF protections wherever possible.
  • AWS WAF KnownBadInputsRuleSet v1.24+ has detection for React2Shell attempts.
  • Cloud Armor users should enable Google’s CVE canary rules.

Treat these as a seatbelt, not the brakes.

6. Indicators of Compromise / Attack (React2Shell IOCs & IOAs)

Public feeds don’t yet have stable IP or hash IOCs (infra rotates fast). So the best detection right now is request‑level + behavior‑level indicators.

6.1 Network / HTTP request IOCs (high confidence)

A) Unexpected server‑action headers from the internet

Flag any external request containing:

  • Next-Action / next-action
  • RSC action headers like RSC-Action-ID, rsc-action-id, or action-id variants

These headers normally appear only during legit Server Action calls from your app. Seeing them from random IPs/UAs is a strong exploit indicator.

B) POSTs to page routes (not your API routes)

React2Shell payloads often ride POSTs to “page” URLs like:

  • POST /
  • POST /dashboard
  • POST /products/123

…instead of POST /api/*.

C) Opaque / Flight‑style bodies with anomaly traits

Look for POST bodies that are:

  • binary/serialized “Flight” data
  • unusually large or structured compared to normal Server Action payloads
  • repeated across many routes (scanner spray)

6.2 Application log IOCs / IOAs

  • Sudden spikes in 500s on POST to page routes.
  • Errors such as missing/malformed action headers tied to abnormal request bursts.
  • Server Actions being invoked from non‑browser UAs (curl, python-requests, Go-http-client, empty UA).

6.3 Host / runtime post‑exploitation indicators

Because this is RCE, post‑exploitation looks like generic Node‑RCE tradecraft:

A) Node spawning shell/network tools

Alert if the parent process is node/next and the child is:

  • /bin/sh, /bin/bash
  • curl, wget
  • nc, socat
  • python, perl

B) Dropped files

Hunt for new files in:

  • /tmp, /var/tmp
  • .next/, node_modules/.bin/, app root

C) New outbound egress

  • Your frontend/SSR pods suddenly initiating outbound connections to unfamiliar ASNs / regions / high ports.

6.4 Quick hunt filters (adapt to Splunk/KQL/ELK)

CDN/WAF/LB logs

  • method=POST
  • headers contain next-action OR rsc-action
  • path NOT starting with /api
  • source UA not matching browsers

Runtime telemetry

  • process tree: node → shell/net tools
  • new file creation under temp or build dirs outside deployment windows
  • outbound connections from SSR services that were previously quiet
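The CDN/WAF/LB filter above, and the 500-spike and route-spray signals from 6.2 and 6.1, expressed as a small hunt script over access logs. This is an added example, not part of the original article or any vendor tooling: it assumes newline-delimited JSON records with src_ip, method, path, status, user_agent and headers fields (adapt the field names to your log schema), uses a constructed sample log with documentation-range IPs, and the function names are the example's own.

```python
import json
import re
from collections import Counter, defaultdict

# Header names from section 6.1 (compared case-insensitively).
ACTION_HEADERS = ("next-action", "rsc-action-id", "action-id")
# Crude "looks like a browser" test; tune it to your own UA baseline.
BROWSER_UA = re.compile(r"Mozilla/|AppleWebKit|Chrome/|Firefox/|Safari/")

def matches_hunt_filter(entry):
    """Section 6.4 CDN/WAF filter: POST AND action header AND path not /api AND non-browser UA."""
    headers = {k.lower() for k in entry.get("headers", {})}
    return (entry.get("method") == "POST"
            and any(h in headers for h in ACTION_HEADERS)
            and not entry.get("path", "/").startswith("/api")
            and not BROWSER_UA.search(entry.get("user_agent", "")))

def hunt(log_text):
    """Run the filter over NDJSON access logs.
    Returns (hits, distinct routes hit per source IP, HTTP 500s per source IP)."""
    hits, routes, errors = [], defaultdict(set), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        if matches_hunt_filter(e):
            hits.append(e)
            routes[e["src_ip"]].add(e["path"])   # many routes from one IP = scanner spray
            if e.get("status") == 500:
                errors[e["src_ip"]] += 1         # 500 bursts on page-route POSTs (6.2)
    return hits, {ip: len(r) for ip, r in routes.items()}, dict(errors)

# Constructed sample log lines (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = """
{"src_ip":"10.0.0.5","method":"POST","path":"/dashboard","status":200,"user_agent":"Mozilla/5.0 Chrome/120","headers":{"Next-Action":"abc123"}}
{"src_ip":"203.0.113.10","method":"POST","path":"/","status":500,"user_agent":"curl/8.4.0","headers":{"next-action":"abc123"}}
{"src_ip":"198.51.100.7","method":"POST","path":"/dashboard","status":500,"user_agent":"python-requests/2.31","headers":{"RSC-Action-ID":"abc123"}}
{"src_ip":"198.51.100.7","method":"POST","path":"/products/123","status":500,"user_agent":"python-requests/2.31","headers":{"Next-Action":"abc123"}}
{"src_ip":"10.0.0.5","method":"GET","path":"/products/123","status":200,"user_agent":"Mozilla/5.0 Firefox/121","headers":{}}
{"src_ip":"203.0.113.10","method":"POST","path":"/api/login","status":401,"user_agent":"curl/8.4.0","headers":{"next-action":"abc123"}}
{"src_ip":"192.0.2.55","method":"POST","path":"/","status":200,"user_agent":"","headers":{"action-id":"abc123"}}
"""

if __name__ == "__main__":
    hits, spray, errors = hunt(SAMPLE_LOG)
    for h in hits:
        print(h["src_ip"], h["method"], h["path"], h["status"], repr(h["user_agent"]))
    print("routes per IP:", spray, "| 500s per IP:", errors)
```

The first sample line (a browser calling a Server Action) is deliberately not flagged, which is why the UA condition matters: the action header alone is normal traffic for an App Router app.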

7. What to do if you suspect exploitation

  1. Isolate the workload (pod/VM/instance).
  2. Collect evidence (logs, memory, filesystem, process lists).
  3. Rotate secrets immediately (env vars, API keys, DB creds, cloud IAM tokens).
  4. Rebuild from clean images after patching.
  5. Run a full incident response cycle — this is RCE, treat it as high severity.

8. Closing thought

React2Shell is a big, ecosystem‑level reminder that modern web stacks are supply chains. If you’re on React 19 + RSC or on Next 15/16 App Router, patching is not optional — it’s survival.

Links

  • https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
  • https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
  • https://www.cisa.gov/news-events/alerts/2025/12/05/cisa-adds-one-known-exploited-vulnerability-catalog

#React2Shell #CVE202555182 #ReactServerComponents #ReactServerActions #NextJS #ReactJS #JavaScript #NodeJS #Infopercept
