CVE-2025-55182—The React2Shell vulnerability you need to patch right now

When a vulnerability hits CVSS 10.0, it calls for more than a routine advisory. Enter, CVE-2025-55182, now widely referred to as React2Shell, the most severe vulnerability to hit the React ecosystem in years. In short, it enables unauthenticated remote code execution across millions of production environments built on React Server Components (RSC) and Next.js App Router.

Try our ReactOOPS challenge now

This issue is already being exploited by state-aligned threat groups. Proof-of-concept exploits are public, and the widespread adoption of React means the global attack surface is enormous. 

TL;DR: If you run React 19.x or Next.js 15.x/16.x and haven’t applied patches yet, your environment is in serious danger. Here’s what you need to know and do right now.

What is React2Shell?

CVE-2025-55182 is an unsafe deserialization vulnerability in React Server Components, specifically in how the React Flight Protocol handles streamed data between server and client.

Why is CVE-2025-55182 dangerous?

React processes server-to-client data in “chunks.” During deserialization, the framework resolves references between these chunks. The flaw lies in how React handles the __proto__ property during this process.

By injecting malicious chunk references, an attacker can:

• Overwrite prototype methods during deserialization

• Manipulate .then() behavior

• Trigger the JavaScript Function constructor

• Execute arbitrary code remotely and without authentication

Only a single crafted HTTP request is needed.

Affected versions

React server components

• 19.0.0 → 19.2.0

Next.js app router

• 14.x Canary Builds, 15.x, 16.x (From 16.0.0 (including) up to 16.0.7 (excluding) 

Related libraries

• react-server-dom-webpack

• react-server-dom-parcel

• react-server-dom-turbopack

How attackers are exploiting CVE-2025-55182

The timeline of React2Shell is another reminder that modern threat actors move faster than most patch cycles.

Zero-Day to mass exploitation in hours

• Nov 29, 2025: Vulnerability responsibly disclosed to React maintainers.

• Dec 3, 2025: Public disclosure and assigned CVE, alongside the vendor patch.

• Within hours: Exploitation attempts detected in AWS MadPot honeypots.

Real-world scenario: Observed attacker behavior

A China-nexus threat cluster, linked to groups such as Earth Lamia and Jackpot Panda, immediately incorporated React2Shell into their exploitation workflows.

In one observed case:

• Attacker spent nearly an hour iterating on exploit attempts

• Sent repeated malicious POST requests using headers such as:

• next-action

• rsc-action-id

• Verified access with common recon commands:

• whoami

• id

• Attempted file creation:

• /tmp/pwned.txt

Both automated scanners and manual operators are now actively abusing the flaw.

What makes CVE-2025-55182 business-critical?

1. Huge global exposure

React and Next.js underpin a huge share of modern web stacks, including enterprise applications, retail platforms, SaaS infrastructure, and government services. A full compromise of an RSC environment often means a compromise of the core application itself.

2. Low-friction, high-impact 

No memory corruption. No privilege requirements. No authentication. Just a crafted request exploiting a logic flaw in serialization. Public PoCs are available, lowering the barrier further.

3. Traditional defenses don’t cut it

Because the exploit executes during deserialization, before application-level validation runs, many WAFs fail to detect it unless specifically updated. Even then, obfuscated payloads make signature-based blocking unreliable.

4. The impact hits every layer

A successful React2Shell exploit grants attackers:

• Full server-side code execution

• Access to environment variables and cloud credentials

• Database access

• Ability to deploy ransomware or webshells

• A foothold for lateral movement

This is an incident response-level event, not a routine patch.

How to protect your environment right now

1. Apply official patches ASAP

The React and Next.js teams moved rapidly. Fixed versions include:

• React: 19.2.1+

• Next.js: 16.0.7+

If you're still unpatched, assume exposure until proven otherwise.

2. Regenerate secrets and tokens

Because attackers can access server memory and environment variables, rotate:

• API keys

• Environment variables

• Database credentials

• Cloud access tokens

3. Implement WAF and API gateway rules

Use temporary detection rules for:

• Suspicious React Flight chunk structures

• Requests containing __proto__ references

• Abnormal next-action/rsc-action-id header usage

This won’t stop every variant but will disrupt common payloads.

4. Harden RSC/Next.js deployment

Recommended practices:

• Run RSC servers with minimal privileges

• Enforce isolation between app and data layers

• Use read-only file systems where possible

• Enable strict monitoring on file write attempts in /tmp or userland directories

5. Look for indicators of compromise

Monitor for:

• Unexpected .then() behavior in logs

• Suspicious POST requests to RSC endpoints

• Creation of unexpected files (e.g., /tmp/pwned.txt)

• Shell command execution from Node processes

• Unusual outbound network traffic from app servers

How HTB is supporting analysis and mitigation

We’ve released the ReactOOPS Challenge, available for both Individual and Enterprise customers. This is a dedicated Dockerized environment running a vulnerable Next.js instance, allowing teams to safely simulate the _rsc payload injection without risking production systems.

Final thoughts on CVE-2025-55182

React2Shell is the kind of vulnerability that reshapes security priorities overnight. With widespread adoption, trivial exploitation, and active use by advanced threat groups, it’s already one of the most consequential web security stories of the year.

TAKE ON THE CHALLENGE

Patch immediately. Assume exposure if unpatched. And if you operate in a high-value environment, treat every RSC and Next.js server as potentially compromised until proven otherwise.