Security Crisis: The "React2shell" Exploit—Why Your Server is in IMMEDIATE DANGER

Hello everyone. I am here to talk about a very bad, very serious thing that is happening right now in the world of web programming. If you use React Server Components (RSC) or the popular framework Next.js, you must listen.

A critical security flaw, which security people are calling "React2shell," has been found. This is not a small problem. It has the maximum possible severity score: CVSS 10.0. This exploit is like finding a "master key" to your server. An attacker, even without any account or password, can send a simple, specially made request over the internet and then run their own code on your server. This is Remote Code Execution (RCE), and it is the worst kind of vulnerability.

This is a true emergency. We have seen proof-of-concept (PoC) exploits circulating very fast, and sadly, security researchers are reporting that state-sponsored hacking groups and other bad actors are already trying to use this against live websites. You must act now!

What Exactly is "React2shell" (CVE-2025-55182)?

This big problem is tracked officially as CVE-2025-55182. The name "React2shell" comes from the fact that it can give an attacker a remote shell—a command line—on your server.

The root of the issue is in the React Flight protocol, which React Server Components use to communicate between the server and the client browser. When the server receives a Flight payload from a client, it has to convert that serialized stream back into live JavaScript objects. This process is called deserialization.

  • The Problem: The vulnerable versions of React have a flaw in how they handle this deserialization. It is an example of insecure deserialization.
  • The Result: An attacker crafts a malicious payload—a sneaky piece of data—and sends it in an HTTP request. The vulnerable server component tries to process this data, and because of the flaw, the malicious data manages to influence the server's execution logic.
  • The Final Step: This leads to the server running arbitrary, privileged JavaScript code on your machine. This could be anything: stealing your users' data, installing malware or ransomware, or using your server to attack other systems.

Security experts have confirmed that this exploit is reliable and works on applications using default configurations. You do not need to be using a specific "server function" for your application to be at risk—just having the vulnerable packages in your project is enough.

Who is Affected? The Danger Zone

If you use React Server Components, you are likely in the danger zone. Specifically, the following projects and versions are affected:

React Core Packages

The vulnerability is in the react-server-dom-* packages that handle the Flight protocol.

  • Vulnerable Versions: React 19.0.0, 19.1.0, 19.1.1, and 19.2.0.
  • This affects react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.

Next.js Framework

Next.js is most famous for its use of React Server Components, especially with the newer App Router.

  • Vulnerable Versions (Next.js):
  • Important Note: The older Pages Router in Next.js is generally not affected unless you have manually configured RSC. However, if you are using the App Router, you are vulnerable. Next.js tracks this as a related advisory, CVE-2025-66478.

Other Frameworks

Any other framework or tool that bundles or implements the vulnerable React Flight protocol packages is also at risk. This includes frameworks like Waku and tools like the Vite RSC plugin and RedwoodSDK.

IMMEDIATE Action: How to Patch Your Systems!

Because this vulnerability is being actively exploited in the wild—right now!—you cannot wait. This is a five-alarm fire. The only true fix is to upgrade immediately to a patched version.

1. Update React

If you are only using the core React packages, you must update to a patched version:

  • Upgrade to:

2. Update Next.js

Next.js users need to upgrade to the latest patched version in their specific release line.

  • Upgrade to:

Vercel, the company behind Next.js, has even provided an easy utility to help people:

  • You can run npx fix-react2shell-next in your terminal to launch a tool that will try to check your versions and help you update automatically.

3. Interim Protections (If You Cannot Patch Right Now)

If you are a very large organization and patching is slow, these are temporary measures only. They do not replace the patch:

  • Web Application Firewall (WAF): Deploy WAF rules to look for and block suspicious request patterns in HTTP traffic that are trying to execute the exploit.
  • Monitor Logs: Look for Indicators of Compromise (IOCs) in your server logs. These include unexpected processes spawned by the web server (such as whoami or id commands) or attempts to read sensitive files like /etc/passwd.
  • Restrict Network Egress: Prevent your web server from making connections to the outside internet, which can stop an attacker from downloading a second-stage malware payload or establishing a reverse shell.

Conclusion: Security is a Continuous Process

I know this news is scary. A CVSS 10.0 vulnerability in such a popular technology is a major shock for the whole developer community. This "React2shell" exploit shows us that even the most trusted and widely used libraries can have deep, severe flaws.

The speed with which security researchers and the developers at Meta and Vercel acted is commendable. They released patches very quickly after the vulnerability was discovered.

But the speed of the attackers is even more frightening. Threat actors are automated, they are smart, and they are using this exploit immediately. You must treat this as a critical emergency. Do not assume you are safe because you are a small company or because your application does not seem important. If your server is running a vulnerable version, it is a target.

Please, check your versions today. Patch your systems now. Protect your data, your users, and your infrastructure. Security is not a finished product; it is a continuous race.
