React2Shell RCE Flaws Put React and Next.js Apps at Severe Risk | eSecurity Planet

React2Shell RCE Flaws Put React and Next.js Apps at Severe Risk

React2Shell exposes critical flaws that let attackers run code on millions of apps.

Written By
Ken Underhill
Ken Underhill
Dec 4, 2025
3 minute read
eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

A pair of newly disclosed vulnerabilities in React and Next.js has opened the door to unauthenticated remote code execution (RCE) across millions of web applications with no special configuration or user interaction required. 

The flaws stem from a defect in React Server Components (RSC) that researchers warn could enable full server takeover in default installations.

“React2Shell is a clear example of how AI-generated ‘slop’ PoCs can flood GitHub and social feeds with non-functional exploits at the same time real functional exploits are being developed behind the scenes,” said Itai Goldman, CTO and Co-Founder at Miggo Security.

He added, “My concern is that this noise gives a false sense of comfort. If the public PoCs look broken, defenders start to assume the vulnerability is overblown — even when the underlying bug is real, broadly weaponizable, and sitting in a huge install base.”

Inside the Vulnerabilities

The root cause (CVE-2025-55182) lies in a prototype pollution flaw in React Server Components’ Flight protocol deserialization logic. 

The protocol streams React component data between server and client, and if attackers inject malicious serialized data into this stream, they can manipulate JavaScript prototypes and escalate from data tampering to full remote code execution.

Both vulnerabilities carry CVSS 10.0 scores due to unauthenticated exploitation, an HTTP-accessible remote attack surface, default vulnerability with no special configuration required, and full server compromise potential.

The vulnerability affects React’s server-side packages in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, including:

  • react-server-dom-webpack
  • react-server-dom-turbopack
  • react-server-dom-parcel

Downstream, CVE-2025-66478 affects Next.js, which embeds the vulnerable RSC packages in its App Router architecture.

Ecosystems affected by the vulnerability include:

  • Next.js 14.3.0-canary.77+, all 15.x and 16.x
  • React Router RSC-enabled releases
  • Vite and Parcel RSC plugins
  • Waku, RedwoodJS, and other server component frameworks

Although proof-of-concept details are not yet publicly released due to severity, exploitation is expected to be simple once attack methods circulate.

Protecting Your Pipeline From React2Shell Exploits

Security teams should harden their CI/CD pipelines, tighten access controls, and improve monitoring across runtime environments.

  • Patch React, RSC packages, and all dependent frameworks to the latest fixed versions and use dependency pinning to prevent reintroduction of vulnerable releases.
  • Apply temporary protections such as WAF rules, increased monitoring of RSC Flight payloads, and enhanced observability around server-side rendering endpoints.
  • Enforce strict least-privilege access for service accounts, minimize exposed secrets, and rotate credentials after patching.
  • Validate and sanitize all serialized or user-supplied input, and review deserialization pathways as part of DevSecOps best practices.
  • Monitor and log runtime behavior for anomalies, including unexpected command execution, file modifications, or unusual API calls — using CI/CD gatekeeping and automated vulnerability scanning.
  • Segment RSC services from high-value systems and apply zero-trust principles to limit blast radius if exploitation occurs.

These measures help reduce the risk of RCE attacks and prevent vulnerable React Server Component workflows from becoming entry points for broader compromises.

Advertisement

Modern JS Frameworks Are Expanding the Attack Surface

React2Shell is a reminder that server-side JavaScript frameworks have become an attack vector in today’s global software supply chain. 

As the industry shifts toward server-rendered components and serialization-heavy communication models, deserialization flaws — once associated primarily with older languages like Java and PHP — are now emerging at scale within modern JS ecosystems. 

The growing adoption of React Server Components amplifies this risk, underscoring the need for rigorous hardening of server-side JavaScript and vigilant dependency monitoring. 

These trends highlight why software supply chain security must evolve to address vulnerabilities emerging from deep within modern development frameworks.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and technology leader with more than 25 years of experience in IT, cybersecurity, and risk management. His career spans network administration, incident response, penetration testing, and entrepreneurship, giving him firsthand experience helping organizations reduce risk and ensure compliance. Ken is also a former nurse and combat medic and he uses this background to break down complex cybersecurity topics into digestible content for a broad, global audience. A multi-exit cybersecurity founder, Ken has spent decades helping organizations strengthen their security posture, manage risk, and navigate complex technology challenges. His expertise includes overall cybersecurity strategy, cloud security, incident response, risk management, security awareness, and emerging threats affecting businesses. Ken is also an advisor to multiple startups on AI security and risk. In addition to his hands-on industry experience, Ken is a cybersecurity newsletter writer for TechnologyAdvice, where he covers cybersecurity news/trends and actionable best practices for business and IT professionals. Ken is also an educator with over 2 million people going through his courses over the years. He has won the Global Cybersecurity 40 under 40 (2x winner), the Cyber Champion award from Women's Society of Cyberjutsu, and the 2019 SC Media award for Outstanding Educator. Ken is also a volunteer with organizations like Minorities in Cybersecurity, Black Girls Hack, and the Whole Cyber Human Initiative, which helps veterans transition into security careers. Ken holds a Master of Science in Cybersecurity and Information Assurance from Western Governors University and a Bachelor of Science in Information Systems, with a major in Cybersecurity Management, from Strayer University. His certifications include the Certificate of Cloud Security Knowledge (CCSK), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI) and he is a former adjunct professor of Digital Forensics. Ken also had a streaming cybersecurity television show from 2020-2022 that reached over 200K monthly viewers around the world. His work and expertise have been featured in Forbes, Reader's Digest, Medium, TechRepublic, Fox, NBC, CBS, Dark Reading, MSN Money, and other leading publications and media outlets, making him a trusted voice on cybersecurity, election security, and privacy.

eSecurity Planet Logo

eSecurity Planet is a leading resource for IT professionals at large enterprises who are actively researching cybersecurity vendors and latest trends. eSecurity Planet focuses on providing instruction for how to approach common security challenges, as well as informational deep-dives about advanced cybersecurity topics.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.