React2Shell (CVE-2025-55182): How to Protect Your React and Next.js Apps
React2Shell is a maximum‑severity remote code execution vulnerability in React Server Components and popular frameworks like Next.js 15 and 16. It allows unauthenticated attackers to run arbitrary code on your server with a single crafted request, which makes fast patching and smart hardening non‑negotiable for any modern React stack.
Why React2Shell matters now
React2Shell (CVE-2025-55182) is an unsafe deserialization flaw in the React Flight protocol used by React Server Components, enabling pre‑authentication remote code execution with a CVSS 10.0 score, the highest possible severity rating.
Within hours of public disclosure on December 3, 2025, threat groups began mass‑scanning and exploiting vulnerable apps, targeting cloud workloads, CI/CD environments, and internet‑exposed Next.js deployments at scale.
In 2025, patch windows are measured in hours, not weeks—React2Shell is a textbook example of how fast modern supply‑chain vulnerabilities go from disclosure to active exploitation.
What is React2Shell technically?
React2Shell abuses how React Server Components serialize and deserialize data through the Flight protocol, letting an attacker craft malicious JSON payloads that trigger a gadget chain and end in arbitrary code execution on the server.
The flaw lives in the react-server-dom-* packages, including react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack, which are pulled in transitively by frameworks like Next.js when App Router and React Server Components are enabled.
Why it is so dangerous
- Pre‑auth RCE over HTTP: Attackers only need network access to your app and do not require valid credentials to gain code execution, which makes internet‑facing apps especially attractive targets.
- Default‑config exposure: Many apps are vulnerable simply because they run affected React and Next.js versions with server components enabled, even if no custom server actions are defined.
- Easy weaponization: Public proof‑of‑concept exploits and automated scanners started circulating shortly after disclosure, lowering the skill barrier for widespread exploitation.
Which React and Next.js versions are affected?
React2Shell impacts React 19 Server Components and frameworks that embed them, with vulnerable chains centering on specific react-server-dom-* versions used in production builds.
For Next.js, the risk primarily affects apps using the App Router on certain 15.x and 16.x releases, as well as late 14.x canary builds, while Pages Router apps and Edge Runtime workloads are not impacted by this specific issue.
Key affected components
- React Server Components: React 19.x RSC implementations using vulnerable Flight protocol serialization paths.
- Next.js core: Next.js 15 and 16 App Router apps prior to patched releases, along with some 14.x canary versions where server components were enabled early.
- Third‑party RSC frameworks: Any framework that integrates React Server Components via react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack without the patched versions.
How attackers are exploiting React2Shell
Security telemetry shows mass‑scanning campaigns using rotating user‑agents, fake PoCs, and automated payloads that chain React2Shell with other server‑side flaws to maximize impact on cloud‑hosted workloads.
Successful intrusions often drop backdoors, attempt to exfiltrate SSH keys and cloud credentials, and pivot into Kubernetes clusters or CI/CD pipelines, turning a single vulnerable Next.js service into a full environment compromise.
Common attacker goals
- Initial foothold in cloud: Use RCE to run reconnaissance commands like whoami and id, and read sensitive files such as /etc/passwd or cloud config directories.
- Credential harvesting: Target private SSH keys, .aws/credentials, .kube/config, and other configuration files for lateral movement and long‑term persistence.
- Backdoor deployment: Fetch and execute implants like Sliver‑based payloads or custom Linux backdoors that maintain command‑and‑control access over compromised servers.
How to know if you are vulnerable and fix it
The most reliable way to assess exposure is to inspect your deployed versions of next, react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack in your lockfile or production container images.
On Vercel, affected projects surface a dashboard banner when production deployments run vulnerable versions of these packages, but you should treat this only as a helpful signal, not a replacement for direct dependency checks.
Practical remediation steps
- Use the official Next.js fixer: Run npx fix-react2shell-next in your project root to upgrade Next.js and its React Server Components dependencies to patched versions, then redeploy after tests pass.
- Manually pin patched versions: If you manage dependencies by hand, ensure that your next and react-server-dom-* packages match the latest security‑patched releases listed in your framework's advisory.
- Rotate secrets after patching: For apps that were exposed during the active exploitation window, rotate environment variables, API keys, and cloud credentials to limit the blast radius of a potential compromise.
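The assessment step above (inspect next and react-server-dom-* in your lockfile) and the manual-pinning step are easy to get wrong when a framework nests its own copy of a package under node_modules/next/node_modules. The script below is an added example, not code from the article or from the Next.js project: it walks an npm lockfile (v2/v3 "packages" layout), lists every installed copy of next and react-server-dom-{webpack,parcel,turbopack}, and compares each against a minimum patched version. The sample lockfile and the minimum versions in SAMPLE_MIN_PATCHED are constructed placeholders; the real minimums must come from the React and Next.js advisory for CVE-2025-55182.

```javascript
// Added example: audit an npm lockfile for React2Shell-relevant packages.
// Assumptions: npm lockfile v2/v3 with a "packages" map; minimum patched
// versions are supplied by the caller (the values below are placeholders).

// Packages named in the article as carrying the vulnerable Flight code paths.
const WATCHED = /^(next|react-server-dom-(webpack|parcel|turbopack))$/;

// Parse "15.0.0" or "15.0.0-canary.20" into numeric parts plus a prerelease tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns <0, 0 or >0. A prerelease sorts below the release with the same
// numbers, which matters because late canary builds are among the affected ones.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Collect every installed copy of a watched package, including nested
// duplicates such as node_modules/next/node_modules/react-server-dom-webpack.
function findWatchedPackages(lock) {
  const found = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const name = path.split('node_modules/').pop();
    if (WATCHED.test(name) && entry.version) found.push({ name, path, version: entry.version });
  }
  return found;
}

// Classify each finding. Packages without a known minimum are reported as
// "unknown" instead of silently passing.
function auditLockfile(lock, minPatched) {
  return findWatchedPackages(lock).map((p) => {
    const min = minPatched[p.name];
    const status = min ? (compareVersions(p.version, min) >= 0 ? 'patched' : 'VULNERABLE') : 'unknown';
    return { ...p, status };
  });
}

// Convenience wrapper for a real package-lock.json on disk.
function auditLockfileFile(file, minPatched) {
  const fs = require('node:fs');
  return auditLockfile(JSON.parse(fs.readFileSync(file, 'utf8')), minPatched);
}

// Constructed sample lockfile (not a real project). The nested copy of
// react-server-dom-webpack is the case a top-level-only check would miss.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/next': { version: '15.0.0-canary.20' },
    'node_modules/react-server-dom-webpack': { version: '19.0.0' },
    'node_modules/next/node_modules/react-server-dom-webpack': { version: '19.0.0-rc.1' },
    'node_modules/react': { version: '19.0.0' },
  },
};

// PLACEHOLDER minimums (assumption, for the demo only): replace with the
// patched versions listed in the advisory for CVE-2025-55182.
const SAMPLE_MIN_PATCHED = {
  next: '15.0.0',
  'react-server-dom-webpack': '19.0.0',
};

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node audit-lock.js [path/to/package-lock.json]
  const report = process.argv[2]
    ? auditLockfileFile(process.argv[2], SAMPLE_MIN_PATCHED)
    : auditLockfile(SAMPLE_LOCK, SAMPLE_MIN_PATCHED);
  for (const r of report) console.log(`${r.status.padEnd(10)} ${r.name}@${r.version}  (${r.path})`);
  console.log(`${report.filter((r) => r.status !== 'patched').length} package(s) need attention`);
}
```

Run it against the lockfile that was actually deployed (or extracted from the production container image), not the one on a developer's laptop, since that is the copy the article tells you to trust.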
Hardening strategies for React and Next.js in 2026
React2Shell is a reminder that server‑side React logic is part of your critical attack surface, so treating framework upgrades as security updates—rather than nice‑to‑have feature bumps—is now essential for any production team.
Combining timely patching with defense‑in‑depth controls such as WAF rules, least‑privilege IAM, runtime monitoring, and secret scanning significantly reduces the chance that the next RCE chain will lead to a full‑scale breach.
Security best practices for your stack
- Automate dependency hygiene: Wire Dependabot, Renovate, or Vercel Agent to open pull requests when security‑relevant React and Next.js updates ship, and review them on a fixed weekly cadence.
- Segment and restrict cloud access: Run Next.js servers with minimal IAM permissions, isolated networks, and scoped service accounts so that a single RCE does not automatically unlock your entire cloud estate.
- Add runtime visibility: Deploy security tooling that can detect suspicious process activity, outbound connections, and unexpected file reads from your Node.js and React workloads in real time.
- Educate the team: Make vulnerability advisories like React2Shell part of your regular engineering briefings so developers treat security bulletins as part of normal sprint planning, not one‑off emergencies.
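The runtime-visibility recommendation above is concrete enough to code. What follows is an added example, not code from the article or from any vendor product: a small detector that consumes process, file-open and connect events of the kind an EDR or auditd pipeline emits, and flags the post-exploitation pattern the article describes (a Node.js server spawning a shell, whoami/id reconnaissance, reads of /etc/passwd, .aws/credentials, .kube/config or SSH keys, and outbound connections to hosts outside an allowlist). The event field names, the sample events and the 203.0.113.10 destination are constructed assumptions.

```javascript
// Added example: flag React2Shell-style post-exploitation behaviour in a
// stream of process/file/network events. Event schema is an assumption:
//   { type: 'exec', pid, ppid, exe, argv }
//   { type: 'file_open', pid, path }
//   { type: 'connect', pid, dest, port }

const SHELLS = new Set(['sh', 'bash', 'dash', 'zsh']);
const RECON = new Set(['whoami', 'id']);
const SENSITIVE_FILES = [
  /^\/etc\/passwd$/,
  /\/\.aws\/credentials$/,
  /\/\.kube\/config$/,
  /\/\.ssh\/id_[^/]+$/,
];

const basename = (p) => p.split('/').pop();

function detect(events, opts = {}) {
  const allowedHosts = new Set(opts.allowedHosts || []);
  const procs = new Map(); // pid -> { ppid, exe }, built from exec events
  const findings = [];

  // True if the pid, or any ancestor we have seen, is a node process. The
  // Next.js server runs in node, so anything it spawns is worth a look, while
  // an operator's own shell (not under node) is not.
  const underNode = (pid) => {
    const seen = new Set();
    for (let p = procs.get(pid); p && !seen.has(p); p = procs.get(p.ppid)) {
      seen.add(p);
      if (basename(p.exe) === 'node') return true;
    }
    return false;
  };

  const flag = (rule, severity, ev, detail) => findings.push({ rule, severity, pid: ev.pid, detail });

  for (const ev of events) {
    if (ev.type === 'exec') {
      procs.set(ev.pid, { ppid: ev.ppid, exe: ev.exe });
      if (!underNode(ev.pid)) continue;
      const name = basename(ev.exe);
      if (SHELLS.has(name)) flag('node-spawned-shell', 'high', ev, ev.argv.join(' '));
      else if (RECON.has(name)) flag('recon-command', 'medium', ev, ev.argv.join(' '));
    } else if (ev.type === 'file_open') {
      if (underNode(ev.pid) && SENSITIVE_FILES.some((re) => re.test(ev.path))) {
        flag('sensitive-file-read', 'high', ev, ev.path);
      }
    } else if (ev.type === 'connect') {
      if (underNode(ev.pid) && !allowedHosts.has(ev.dest)) {
        flag('unexpected-outbound', 'medium', ev, `${ev.dest}:${ev.port}`);
      }
    }
  }
  return findings;
}

// Constructed sample events: a Next.js server (pid 101) spawns a shell that
// runs id, reads AWS credentials and calls out to an unknown host, while an
// administrator's unrelated shell (pid 300) reads /etc/passwd legitimately.
const SAMPLE_EVENTS = [
  { type: 'exec', pid: 101, ppid: 1, exe: '/usr/bin/node', argv: ['node', 'server.js'] },
  { type: 'exec', pid: 202, ppid: 101, exe: '/bin/sh', argv: ['sh', '-c', 'id'] },
  { type: 'exec', pid: 203, ppid: 202, exe: '/usr/bin/id', argv: ['id'] },
  { type: 'file_open', pid: 101, path: '/app/.next/server/app/page.js' },
  { type: 'file_open', pid: 202, path: '/root/.aws/credentials' },
  { type: 'connect', pid: 101, dest: 'api.example.com', port: 443 },
  { type: 'connect', pid: 202, dest: '203.0.113.10', port: 4444 },
  { type: 'exec', pid: 300, ppid: 1, exe: '/usr/bin/bash', argv: ['bash'] },
  { type: 'file_open', pid: 300, path: '/etc/passwd' },
];

// Assumed allowlist: the app's own upstream API.
const SAMPLE_ALLOWED_HOSTS = ['api.example.com'];

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of detect(SAMPLE_EVENTS, { allowedHosts: SAMPLE_ALLOWED_HOSTS })) {
    console.log(`[${f.severity}] ${f.rule} pid=${f.pid} ${f.detail}`);
  }
}
```

The process-tree check is what keeps this usable in production: the same /etc/passwd read is benign from an operator's shell and suspicious from a child of the Next.js server process, so rules keyed on the file name alone would page the on-call engineer far too often.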
React2Shell response checklist for this week
- Audit all React and Next.js services for use of React Server Components and record current next and react-server-dom-* versions in production.
- Run npx fix-react2shell-next or apply the latest patched React and Next.js releases, then redeploy after automated and smoke tests pass.
- Rotate environment variables, API keys, and cloud credentials for any app that ran vulnerable versions during the active exploitation window.
- Enable or tune WAF protection, rate limiting, and anomaly detection rules in front of your production Next.js endpoints.
- Document a playbook for future framework‑level CVEs so the next React or Next.js security bulletin can be handled within hours instead of days.
