SOCRadar® Cyber Intelligence Inc. | React2Shell: Critical RCE in React and Next.js Explained
Dec 04, 2025
Jun 08, 2026

React2Shell: Critical RCE in React and Next.js Explained

[Update] October 1, 2024: “React2Shell Exploitation Now Confirmed in the Wild”

A new Remote Code Execution (RCE) vulnerability, widely referred to as React2Shell, has been identified in the React Server Components (RSC) ecosystem used by React 19 and frameworks such as Next.js. The issue involves critical flaws now tracked as CVE-2025-55182 and CVE-2025-66478.

Because RSC is integrated into many modern React-based stacks, some applications may be exposed even if they do not directly use Server Functions. Early assessments indicate that a notable portion of cloud environments include components running vulnerable versions.

This post aims to explain what React2Shell is, which versions and frameworks are affected, how the vulnerability works in general terms, and what steps engineering and security teams should take now.

What is React2Shell (CVE-2025-55182 & CVE-2025-66478)?

React2Shell refers to two closely related vulnerabilities that affect React Server Components (RSC) and frameworks that implement the RSC “Flight” protocol.

React2Shell enables:

  • Unauthenticated remote code execution (RCE) on servers processing RSC payloads.
  • Execution of attacker-controlled JavaScript during deserialization.
  • Exploitation through a single crafted HTTP request, requiring no login and no special application configuration.

This behavior stems from how the RSC Flight protocol processes serialized payloads in certain versions of React and Next.js. When an attacker sends a malformed payload, the server’s deserialization logic can be influenced in ways that lead to arbitrary code execution.

In practical terms, a vulnerable app could allow an attacker to run arbitrary code on your server with a single HTTP request.

CVE-2025-55182 (React – CVSS 10.0)

CVE-2025-55182 (SOCRadar Labs CVE Radar)

This vulnerability affects the core React Server Components implementation (the react-server / RSC “Flight” protocol). It applies to the following packages:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

Affected versions:

  • 19.0.0
  • 19.1.0
  • 19.1.1
  • 19.2.0

CVE-2025-66478 (Next.js – CVSS 10.0)

Next.js inherits the vulnerable RSC protocol implementation and is therefore impacted when using the App Router.

Affected versions include:

  • >= 14.3.0-canary.77
  • All 15.x versions before: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7
  • 16.x versions before 16.0.7

The Next.js team also recommends avoiding older canary releases and updating to a stable patched version.

How Does the React2Shell Vulnerability Work?

The core issue is unsafe deserialization within the RSC Flight protocol:

  1. React Server Components exchange data via a custom serialization format (“Flight”).
  2. Servers receiving RSC payloads deserialize these structures and invoke RSC logic.
  3. In vulnerable versions, certain malformed payloads are not properly validated.
  4. An attacker can modify how the server interprets deserialized values, enabling arbitrary JavaScript execution.

The attack surface is characterized by several important traits:

  • Unauthenticated: no user credentials or active session are required.
  • Remote: it can be triggered over standard HTTP(S) traffic.
  • On by default: applications that use React Server Components or the Next.js App Router can be affected even without explicitly defined Server Functions.
  • Highly reliable: exploitation has shown near‑complete success in controlled testing.

SOCRadar’s CTI module, Vulnerability Intelligence

To stay ahead of potential risks, organizations can benefit from tools that centralize vulnerability intelligence. SOCRadar’s Cyber Threat Intelligence module helps teams track new CVE disclosures, monitor changes in risk levels, and receive timely updates as vendors publish patches or advisories. This allows security teams to maintain awareness around issues like React2Shell and prioritize remediation based on real‑time intelligence rather than waiting for exploitation to appear in the wild.

Which Frameworks and Versions Are Affected Beyond Core React and Next.js?

Any framework or bundler that integrates the vulnerable RSC implementation may be affected. These include:

  • Next.js (App Router)
  • Vite RSC plugin
  • Parcel RSC plugin
  • React Router RSC preview / RSC mode
  • RedwoodJS / RedwoodSDK
  • Waku

Even applications that do not define Server Functions may still run through the vulnerable RSC code path due to how frameworks internally handle rendering and routing.

Apps that use React solely on the client side with no RSC usage are not expected to be impacted.

How Big is the Impact on Cloud Environments?

Early assessments from cloud and security vendors highlight:

  • Roughly 39% of cloud environments contain instances running vulnerable React or Next.js versions.
  • Next.js appears in a large portion of public-facing applications across these environments.
  • Broader internet scans show large numbers of production servers running modern React/Next.js stacks, suggesting a significant potential attack surface.

The combination of unauthenticated exploitation, high reliability, and widespread adoption of RSC-enabled frameworks makes React2Shell a high-priority issue across the ecosystem.

Are Cloud and Edge Providers Doing Anything to Help?

Several cloud and edge vendors have introduced temporary safeguards to reduce exposure while organizations work on patching.

Cloudflare has deployed managed WAF rules designed to identify and block suspicious RSC‑related traffic patterns. Vercel, which hosts many Next.js applications, has implemented additional request‑layer validation for RSC payloads to help filter malformed inputs before they reach application servers. Major cloud providers such as AWS and Google Cloud Platform have also issued advisories encouraging rapid upgrades and providing environment‑specific guidance.

These measures can help lower near‑term risk, but they should be viewed as temporary safeguards rather than replacements for applying the official patches.

How Can I Check if My Applications Are Vulnerable?

Follow these steps for a quick initial assessment:

  1. Inventory RSC usage
     • Look for react-server-dom-* packages in manifests or lockfiles.
     • Identify which services use the Next.js App Router.
  2. Compare your versions with known vulnerable ranges
     • React RSC packages: vulnerable in 19.0.0–19.2.0; patched starting at 19.0.1 / 19.1.2 / 19.2.1.
     • Next.js: vulnerable in affected 14.3.0-canary, 15.x, and 16.x ranges; patched in 16.0.7 and the corresponding fixed 15.x releases.
  3. Check transitive dependencies
     • Use SCA or dependency scanners to detect indirect inclusion of react-server components.
  4. Consider hosting provider defaults
     • Platforms that optimize for RSC (for example, managed Next.js hosting) may enable RSC routes automatically.
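The steps above can be automated against a lockfile. The following Node.js script is an added example written for this post; it is not SOCRadar's code and not part of React or Next.js. It walks the "packages" map of a package-lock.json (v2/v3 shape), including nested node_modules entries, and classifies every react-server-dom-* and next entry against the ranges listed above. It generalizes the post's version list to "first fixed release per minor line" for React 19.x and Next.js 15.x/16.x, and for the 14.3 canary line applies only the lower bound the post gives. The sample lockfile at the bottom is constructed for the demo.

```javascript
// Added example (not SOCRadar's code, not part of React or Next.js).
// Dependency-free lockfile checker for the React2Shell version ranges above.

const RSC_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];

// First patched release per minor line, transcribed from the post.
const REACT_RSC_FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
const NEXT_FIXED = {
  "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6",
  "15.3": "15.3.6", "15.4": "15.4.8", "15.5": "15.5.7",
  "16.0": "16.0.7",
};
const NEXT_CANARY_START = "14.3.0-canary.77"; // post: ">= 14.3.0-canary.77"

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split(".") : [] };
}

// semver prerelease ordering: a release beats any prerelease; numeric
// identifiers compare numerically and sort below alphanumeric ones.
function comparePre(a, b) {
  if (a.length === 0 && b.length === 0) return 0;
  if (a.length === 0) return 1;
  if (b.length === 0) return -1;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    if (i >= a.length) return -1; // shorter identifier list sorts first
    if (i >= b.length) return 1;
    const x = a[i], y = b[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (+x !== +y) return +x < +y ? -1 : 1; continue; }
    if (xn) return -1;
    if (yn) return 1;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  return comparePre(pa.pre, pb.pre);
}

// Returns "vulnerable", "ok" or "unknown" (unknown = outside the ranges the post states,
// which is not the same as safe; check the vendor advisory for those lines).
function classify(name, version) {
  const p = parseVersion(version);
  if (!p) return "unknown";
  const line = `${p.major}.${p.minor}`;
  if (RSC_PACKAGES.includes(name)) {
    const fixed = REACT_RSC_FIXED[line];
    if (!fixed) return "unknown";
    return compareVersions(version, fixed) < 0 ? "vulnerable" : "ok";
  }
  if (name === "next") {
    if (p.major === 14) {
      // The post gives only a lower bound for the 14.3 canary line.
      return compareVersions(version, NEXT_CANARY_START) >= 0 ? "vulnerable" : "ok";
    }
    if (p.major === 16) {
      return compareVersions(version, NEXT_FIXED["16.0"]) < 0 ? "vulnerable" : "ok";
    }
    const fixed = NEXT_FIXED[line];
    if (!fixed) return "unknown";
    return compareVersions(version, fixed) < 0 ? "vulnerable" : "ok";
  }
  return "unknown"; // not one of the packages this post covers
}

// Walk a package-lock.json v2/v3 "packages" map; nested paths like
// node_modules/a/node_modules/b resolve to package name "b".
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.includes("node_modules/") || !entry || !entry.version) continue;
    const name = path.split("node_modules/").pop();
    const status = classify(name, entry.version);
    if (status !== "unknown") findings.push({ path, name, version: entry.version, status });
  }
  return findings;
}

// Constructed sample in package-lock.json v3 shape (not from a real project).
const SAMPLE_LOCK = {
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/next": { version: "15.3.2" },
    "node_modules/react": { version: "19.1.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.0" },
    "node_modules/some-tool/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`. Because it reads only the lockfile, it will not see copies bundled into a vendored build image, so it complements rather than replaces the SCA scan in step 3; "unknown" means the post's stated ranges do not cover that line, not that the line is safe.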

React2Shell Exploitation Now Confirmed in the Wild

Following the initial disclosure of CVE-2025-55182, multiple security intelligence sources have now confirmed active exploitation of React2Shell, shifting the vulnerability from a high-risk theoretical concern to a fully operational threat.

According to new reporting from AWS, exploitation attempts began within hours of public release, with China-nexus groups such as Earth Lamia and Jackpot Panda targeting vulnerable environments observed through AWS’s MadPot honeypot infrastructure. These early attacks range from automated reconnaissance to hands-on refinement, with threat actors testing various payloads, validating command execution, and attempting file writes or credential access.

What Current Exploitation Activity Looks Like: Patterns & Exposure

Independent visibility from GreyNoise shows widespread automated exploitation traffic, dominated by scripted tooling and infrastructure linked to botnets and scanning frameworks. Attackers are relying on PowerShell-based “proof-of-execution” arithmetic commands, encoded stagers, and AMSI-bypass primitives – patterns consistent with commodity exploitation kits. GreyNoise has also observed early signs of this CVE being folded into Mirai and other botnet exploitation modules, suggesting that opportunistic campaigns are already scaling.

Initial observations of the exploit activity surge (GreyNoise)

Global exposure data further illustrates the breadth of the issue. According to Censys, approximately 2.15 million internet-facing services may be affected across React Server Components and RSC-enabled frameworks.

Moreover, Shadowserver initially identified 77,664 vulnerable IPs on December 5 and still counted 28,964 on December 7, with notable concentrations in the U.S., Germany, and China. Meanwhile, Palo Alto Networks Unit 42 has confirmed compromises at more than 30 organizations, with some activity aligning with UNC5174.

Vulnerable instances tracked through December 5 – 7 (Shadowserver)

CISA Adds CVE-2025-55182 to the KEV Catalog

In recognition of the confirmed exploitation and the severity of the vulnerability, CISA has added CVE-2025-55182 to its Known Exploited Vulnerabilities (KEV) Catalog, requiring U.S. federal civilian agencies to remediate the issue by December 26, 2025. This designation signals to all organizations that immediate patching and strengthened detection measures are now essential.

React2Shell Used in Active RondoDox Botnet Campaign

Cybersecurity researchers have confirmed that React2Shell (CVE-2025-55182) is being actively exploited as part of a large-scale botnet operation known as RondoDox.

According to findings, the campaign has been active for roughly nine months and targets vulnerable IoT devices and web applications, using React2Shell as an initial access vector since December 2025.

Despite prior warnings, exposure remains high. Data from the Shadowserver Foundation indicates that more than 90,000 instances were still vulnerable as of December 31, 2025, with the majority located in the United States.

RondoDox has evolved steadily since early 2025, expanding its toolkit to include multiple N-day vulnerabilities and automated deployment mechanisms. Recent attacks show a focus on vulnerable Next.js servers, where threat actors deploy crypto miners, botnet loaders, and Mirai-based payloads while actively removing competing malware.

Organizations are advised to patch React and Next.js immediately, isolate IoT devices, and strengthen monitoring and network defenses to reduce exposure to ongoing exploitation.

What Should Engineering and Security Teams Do Right Now?

Apply patched versions (the only complete fix):

  • React RSC packages 19.0.1 / 19.1.2 / 19.2.1 or later.
  • Next.js 16.0.7 or the latest patched 15.x release.
  • Updated versions of RSC-enabled plugins and frameworks.

While patching is in progress, use temporary risk-reduction measures:

  • Restrict access to RSC or Server Function endpoints using network controls.
  • Enable WAF rules that detect malformed or suspicious RSC payloads.
  • Increase logging and monitoring of RSC-related traffic.

These steps help reduce exposure but do not replace patching.
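One way to implement the "restrict access" and "increase logging" measures at a Node.js reverse proxy or middleware layer, as an added example that is not SOCRadar's code and not part of React or Next.js: the filter tags each request as Server Function traffic, RSC traffic or other, emits a JSON log record for anything RSC-related, and rejects Server Function calls from outside an allow-list of source networks. It assumes that the Next.js App Router marks RSC fetches with an `RSC` request header and Server Function (Server Action) POSTs with a `Next-Action` header; the allow-list, header handling and sample requests are constructed for the demo and are IPv4-only.

```javascript
// Added example (not SOCRadar's code, not part of React or Next.js).
// Interim network control plus structured logging for RSC-related requests.

const ALLOWED_SOURCES = ["10.0.0.0/8", "192.168.1.0/24"]; // constructed allow-list

function ipv4ToInt(ip) {
  const parts = String(ip).split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const a = ipv4ToInt(ip), n = ipv4ToInt(net);
  if (a === null || n === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((n & mask) >>> 0);
}

// Assumption: `Next-Action` marks Server Function calls and `RSC` marks RSC fetches.
// Node's http module lower-cases header names; these helpers expect that shape.
function classifyRequest(req) {
  if (req.headers["next-action"] !== undefined) return "server-function";
  if (req.headers["rsc"] !== undefined) return "rsc";
  return "other";
}

// Returns { allow, record }: `record` is the log line to ship to your SIEM,
// `allow` is false when a Server Function call comes from a non-approved network.
function decide(req, allowed = ALLOWED_SOURCES) {
  const kind = classifyRequest(req);
  const allow = kind !== "server-function" || allowed.some((c) => inCidr(req.ip, c));
  const record = {
    ts: new Date().toISOString(),
    kind,
    allow,
    method: req.method,
    path: req.url,
    ip: req.ip,
    contentType: req.headers["content-type"] || "",
    contentLength: Number(req.headers["content-length"] || 0),
    action: req.headers["next-action"] || null,
  };
  return { allow, record };
}

// Constructed sample requests (shape of Node's IncomingMessage plus a resolved `ip`).
const SAMPLE_REQUESTS = [
  { method: "POST", url: "/", ip: "203.0.113.5", headers: { "next-action": "0123abcd", "content-type": "text/plain;charset=UTF-8", "content-length": "42" } },
  { method: "POST", url: "/", ip: "10.4.2.1", headers: { "next-action": "0123abcd", "content-type": "text/plain;charset=UTF-8", "content-length": "42" } },
  { method: "GET", url: "/dashboard", ip: "203.0.113.5", headers: { rsc: "1" } },
  { method: "GET", url: "/static/app.js", ip: "203.0.113.5", headers: {} },
];

for (const req of SAMPLE_REQUESTS) {
  const { allow, record } = decide(req);
  if (record.kind !== "other") console.log(JSON.stringify(record)); // RSC-related: always log
  if (!allow) console.log(`-> 403 for ${req.ip} ${req.method} ${req.url}`);
}
```

In a real deployment `req.ip` must come from the connection (`req.socket.remoteAddress`) or, behind a trusted edge, from the forwarded-for header that edge sets, never from a client-supplied value; and because the filter keys on request headers, it is an interim control for the patch window and not a substitute for upgrading, exactly as the post says of WAF rules.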

Validate the environment after patching:

  • Re-run SCA and vulnerability scans.
  • Confirm that no outdated RSC integrations or transitive dependencies remain.
  • Ensure team templates and build images are updated with patched versions.

SOCRadar’s ASM module, Company Vulnerabilities

SOCRadar, as an Extended Threat Intelligence (XTI) platform, helps organizations gain unified visibility into vulnerabilities, threat actor activity, attack surface exposures, and emerging risks. Through modules such as Attack Surface Management, Dark Web Monitoring, and extensive threat intelligence insights, SOCRadar supports teams in identifying which issues are most relevant to their environment, tracking developments as they evolve, and strengthening their overall security posture.