
Severe RSC Bugs in React and Next.js Enable Unauthenticated Remote Code Execution

  • Dec 4, 2025

Key Findings


  • A critical flaw in React Server Components (RSC) carries a CVSS score of 10.0, the maximum severity

  • It allows unauthenticated remote code execution (RCE): React unsafely deserializes payloads sent to React Server Function endpoints, and a crafted request body can drive that decoding into running attacker-supplied JavaScript on the server

  • The affected npm packages are react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack at versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0; Next.js applications using the App Router are affected from 14.3.0-canary.77 onward, including every 15.x and 16.x release before the patched ones

  • The React issue is tracked as CVE-2025-55182 and has been codenamed "React2shell"; Next.js tracks the same flaw as CVE-2025-66478

  • The flaw reaches a wide range of RSC-based frameworks and bundlers beyond React and Next.js, because they all consume the same react-server-dom packages

  • Patched releases exist for every affected line; upgrading immediately is the only real fix, and network or WAF controls are a stop-gap at best


Background


The React Team recently disclosed a maximum-severity security flaw in React Server Components (RSC) that, if successfully exploited, could result in remote code execution. The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0 and has been codenamed "React2shell."


Vulnerability Details


The issue stems from unsafe handling of serialized payloads in the React Flight protocol, the wire format that React Server Components use to move data between client and server. When a Server Function (Server Action) endpoint receives a request, React decodes the request body before the application's own Server Function code runs, so no authentication or authorization check written into that function gets a chance to intervene. An adversarial payload can steer the decoding into executing arbitrary JavaScript in the server process. In practice this means that any client able to reach a Server Function endpoint over HTTP, with no credentials at all, can obtain remote code execution with the privileges of the server runtime (typically the Node.js process serving the application).


Affected Components


The vulnerability impacts versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of the following npm packages:


  • react-server-dom-webpack

  • react-server-dom-parcel

  • react-server-dom-turbopack


It has been addressed in versions 19.0.1, 19.1.2, and 19.2.1 of those three packages. Note that the `react` and `react-dom` packages themselves are not on the affected list: the vulnerable code lives in the react-server-dom-* packages, which frameworks usually pull in as transitive dependencies, so the version to check is the one resolved in the lockfile, not the `react` version pinned in package.json.


The issue also affects Next.js applications that use the App Router, which is where Server Components and Server Functions live in Next.js; it is tracked there as CVE-2025-66478 (CVSS score: 10.0). Affected releases are 14.3.0-canary.77 and later canaries, and all 15.x and 16.x releases before the fixes. Patched versions are 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, and 15.0.5, one for each supported minor line, so an application can usually patch without moving to a new minor.
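The following is an added example, not code from the advisory or from the React or Next.js projects. It audits an npm lockfile (lockfileVersion 2/3 `packages` map) for the affected react-server-dom-* and `next` versions listed in this section, including nested `node_modules` copies that a top-level `package.json` would not reveal. It also serves the "upgrade to patched versions" step under Mitigation Strategies, since the same check confirms that the upgrade actually landed. The version boundaries are taken from the text above; the sample lockfile and the semver helper are constructed here for illustration, and the handling of canary builds assumes ordinary semver ordering (a prerelease sorts below its release).

```javascript
// Added example (not from the advisory, React or Next.js): audit an npm
// lockfile for the package versions affected by CVE-2025-55182
// (react-server-dom-*) and CVE-2025-66478 (next). Version boundaries come
// from the advisory summary; the lockfile at the bottom is constructed.

const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
const RSC_VULNERABLE = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
// First fixed release of each affected minor line, keyed by "major.minor".
const RSC_FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
const NEXT_FIXED = {
  "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
  "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7",
};
// Oldest Next.js canary the advisory lists as affected.
const NEXT_FIRST_AFFECTED = "14.3.0-canary.77";

// Parse "major.minor.patch[-prerelease]" (enough of semver for npm versions).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split(".") : [] };
}

// Semver ordering. A prerelease such as 15.5.7-canary.3 sorts BELOW 15.5.7,
// so canaries of a fixed version are still reported as vulnerable.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre.length === 0 || y.pre.length === 0) {
    return Math.sign(y.pre.length) - Math.sign(x.pre.length);
  }
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    if (i >= x.pre.length) return -1;
    if (i >= y.pre.length) return 1;
    const p = x.pre[i], q = y.pre[i];
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) { if (+p !== +q) return +p < +q ? -1 : 1; }
    else if (pn !== qn) return pn ? -1 : 1; // numeric identifiers sort first
    else if (p !== q) return p < q ? -1 : 1;
  }
  return 0;
}

// react-server-dom-*: exact vulnerable versions, or anything below the fix.
function assessRsc(version) {
  if (RSC_VULNERABLE.has(version)) return "vulnerable";
  const v = parseVersion(version);
  const fixed = RSC_FIXED[`${v.major}.${v.minor}`];
  if (!fixed) return "unlisted: check the advisory";
  return compareVersions(version, fixed) >= 0 ? "patched" : "vulnerable";
}

// next: 14.3.0-canary.77 onward, and every 15.x/16.x below its line's fix.
function assessNext(version) {
  const v = parseVersion(version);
  if (v.major < 14) return "not affected";
  if (v.major === 14) {
    return compareVersions(version, NEXT_FIRST_AFFECTED) >= 0
      ? "vulnerable (no 14.x fix listed; move to a patched 15.x/16.x)"
      : "not affected";
  }
  const fixed = NEXT_FIXED[`${v.major}.${v.minor}`];
  if (!fixed) return "unlisted line: check the advisory";
  return compareVersions(version, fixed) < 0 ? `vulnerable (upgrade to ${fixed})` : "patched";
}

// Walk the lockfile's "packages" map; the key is the install path, so nested
// copies (node_modules/x/node_modules/next) are inspected too.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0 || !entry.version) continue; // "" is the root project itself
    const name = path.slice(idx + "node_modules/".length);
    if (RSC_PACKAGES.has(name)) {
      findings.push({ path, name, version: entry.version, status: assessRsc(entry.version) });
    } else if (name === "next") {
      findings.push({ path, name, version: entry.version, status: assessNext(entry.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile (not from a real project). Note that `react`
// itself is not flagged: only the react-server-dom-* packages are affected.
const SAMPLE_LOCKFILE = {
  name: "example-app", lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/next": { version: "15.5.6" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-tool/node_modules/next": { version: "14.3.0-canary.80" },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCKFILE), null, 2));
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the same `packages` map shape is what `npm` writes for lockfileVersion 2 and 3. Run it again after `npm update` to confirm that every finding now reads "patched", since a framework that pins react-server-dom-* transitively can leave the old copy in place.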


Wider Impact


Because these projects all consume the same react-server-dom packages, the vulnerability also reaches a wide range of React-based frameworks and bundlers, including:


  • Vite RSC plugin

  • Parcel RSC plugin

  • React Router RSC preview

  • RedwoodJS

  • Waku


Mitigation Strategies


  • Immediately upgrade to the patched versions of the react-server-dom-* packages, Next.js, and any other affected framework or bundler, then confirm in the lockfile that the resolved react-server-dom-* version actually changed; a transitive pin can leave the vulnerable copy installed after a top-level upgrade

  • Deploy Web Application Firewall (WAF) rules, where available, to monitor and block suspicious requests to Server Function endpoints; treat this as a stop-gap that reduces exposure rather than a fix, since a deserialization flaw is reached before any application-level check runs

  • Restrict network access to Server Function endpoints until patches can be applied; Server Functions are invoked over HTTP POST, so limiting which sources may POST to the application cuts off the unauthenticated attack path in the meantime
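The following is an added example, not code from the advisory, Next.js or React, illustrating the last two stop-gaps above as one request-gating decision: until the patch is deployed, refuse any POST (the method Server Functions are invoked with) that does not originate from an allowlisted network. The `req` shape, the allowlist, the `trustProxy` option and the sample requests are constructed assumptions; the `Next-Action` header is assumed here to be the marker that JavaScript-initiated Server Function calls carry, and it is used only for the log reason, because form submissions made without client-side JavaScript can invoke a Server Function without it. The decision is a pure function so it can sit in front of any framework's request object.

```javascript
// Added example (not from the advisory, Next.js or React): gate Server
// Function requests by source network as a temporary stop-gap. Server
// Functions are always invoked with POST, so every POST from outside the
// allowlist is refused; the allowlist and sample requests are constructed.

function parseIpv4(ip) {
  const parts = String(ip).trim().split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || +p > 255) return null;
    n = n * 256 + +p;
  }
  return n >>> 0;
}

// "10.0.0.0/8"-style CIDR match; a bare address is treated as /32.
function inCidr(ip, cidr) {
  const [net, bitsStr = "32"] = cidr.split("/");
  const a = parseIpv4(ip), b = parseIpv4(net), bits = +bitsStr;
  if (a === null || b === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// `req` is a plain object: { method, headers: {lowercase-name: value},
// remoteAddress }. X-Forwarded-For is honoured only when trustProxy is true,
// because any client can set that header itself; otherwise the socket
// address is the only value that cannot be spoofed by the sender.
function decideServerFunctionRequest(req, { allowlist, trustProxy = false }) {
  if (req.method !== "POST") return { allow: true, reason: "not a POST" };
  const xff = req.headers["x-forwarded-for"];
  const clientIp = trustProxy && xff ? xff.split(",")[0].trim() : req.remoteAddress;
  // Assumption: JS-initiated Server Function calls carry a Next-Action header.
  // Plain form posts made without JavaScript do not, so the header is only
  // used to describe the decision, never to decide it.
  const isActionCall = Object.prototype.hasOwnProperty.call(req.headers, "next-action");
  if (allowlist.some((cidr) => inCidr(clientIp, cidr))) {
    return { allow: true, reason: `POST from allowlisted ${clientIp}` };
  }
  return {
    allow: false,
    status: 403,
    reason: isActionCall
      ? `blocked Server Function call (Next-Action header) from ${clientIp}`
      : `blocked POST (possible no-JS form action) from ${clientIp}`,
  };
}

// Constructed sample: an internal network and one operator address are allowed.
const POLICY = { allowlist: ["10.0.0.0/8", "203.0.113.7"], trustProxy: true };
const SAMPLE_REQUESTS = [
  { method: "GET", headers: {}, remoteAddress: "198.51.100.9" },
  { method: "POST", headers: { "next-action": "0a1b2c" }, remoteAddress: "198.51.100.9" },
  { method: "POST", headers: { "x-forwarded-for": "10.4.2.1, 198.51.100.9" }, remoteAddress: "198.51.100.9" },
  { method: "POST", headers: { "content-type": "multipart/form-data" }, remoteAddress: "198.51.100.9" },
];

for (const r of SAMPLE_REQUESTS) {
  console.log(decideServerFunctionRequest(r, POLICY));
}
```

Wiring this into a Next.js `middleware` means building the `req` object from the framework's request (method, lowercased headers, and the client address your deployment exposes) and returning a 403 response when `allow` is false, so the request never reaches the Server Function decoder. Set `trustProxy` only when a proxy you control strips and rewrites X-Forwarded-For; the last sample request shows why the check must not key on the `Next-Action` header alone, and none of this replaces the upgrade.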


Conclusion


The discovery of this critical vulnerability in the React ecosystem highlights the need for vigilant security practices, even in widely-adopted and trusted frameworks. Prompt action is required to mitigate the significant risk posed by this flaw, which allows unauthenticated remote code execution with maximum severity. All users of affected components should prioritize applying the necessary patches as soon as possible.


Sources


  • https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html

  • https://securityonline.info/catastrophic-react-flaw-cve-2025-55182-cvss-10-0-allows-unauthenticated-rce-on-next-js-and-server-components/

  • https://medium.com/@bastradamus/critical-vulnerabilities-in-react-and-next-js-security-advisory-01a3de27f1e2

  • https://www.linkedin.com/posts/davidcoombe_critical-rsc-bugs-in-react-and-nextjs-allow-activity-7402185781941088256-lgMw

© 2025 by Explain IT Again.