React2Shell (CVE-2025-55182): Everything You Need to Know About the Critical React Server Components

Introduction
A newly discovered vulnerability known as React2Shell (CVE-2025-55182) has rapidly become one of the most discussed cybersecurity threats of 2025. Security researchers from AWS, Akamai, and several vulnerability intelligence platforms have reported active exploitation attempts, with some campaigns linked to China-nexus threat actors.
If your application uses React Server Components (RSC), the Flight protocol, or modern frameworks like Next.js, you may be exposed to this vulnerability — even if you aren’t explicitly using server functions.
In this article, we break down what React2Shell is, who it affects, how the exploit works at a high level, and — most importantly — how to secure your application right now.
What Is React2Shell (CVE-2025-55182)?
React2Shell is a deserialization vulnerability in the React Server Components (RSC) implementation, particularly within the Flight protocol used to communicate between the server and the browser.
This flaw can enable:
- Remote Code Execution (RCE)
- Unauthorized access to server functions
- Sensitive data leakage
- Cross-application privilege escalation
React’s own advisory notes that the vulnerability stems from unsafe deserialization of server-controlled or user-influenced data, which can allow malicious payloads to be interpreted as executable instructions under specific conditions.
Who Is Affected by React2Shell?
React2Shell affects applications that use:
- React Server Components (RSC)
- The React Flight protocol
- Next.js App Router
- Server Actions / Server Functions (Next.js 13+)
- Third-party RSC integrations
Even if you are not knowingly using RSC, many Next.js applications implicitly include these packages.
How the React2Shell Exploit Works (High-Level Explanation Only)
At a conceptual level:
- The RSC server serializes instructions using the Flight protocol
- This output is sent to the browser
- A vulnerability in the deserializer allows untrusted data to be interpreted as server-side instructions
- In vulnerable builds, attackers may leverage this to cause the server to execute unintended behavior
⚠️ Note: This blog provides non-exploitative, high-level reasoning only. No exploit code, payloads, or actionable attack details are included.
Why React2Shell Is Dangerous
React2Shell is dangerous because it potentially enables:
- Remote code execution
- Server compromise via simple HTTP requests
- Stealthy exploitation without authentication
- Attacker-controlled rendering flows
- Mass exploitation with automated tools
Threat intelligence groups have already reported widespread scanning and probing for vulnerable endpoints.
How to Protect Yourself from React2Shell (CVE-2025-55182)
1. Update React and Next.js Immediately
React security patches have been released:
- react-server-dom-webpack: patched
- react-server-dom-turbopack: patched
- react-server-dom-parcel: patched
Next.js patched versions include:
15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
Updating is the most reliable fix.
2. Deploy Web Application Firewall (WAF) Rules
If you're running behind:
- Cloudflare
- AWS WAF
- Akamai WAF
Enable the vendor’s React2Shell mitigation rule set, which blocks suspicious RSC traffic patterns.
3. Harden Your NGINX or Reverse Proxy Configuration
Add:
- Rate limiting
- Connection limiting
- Slowloris protection
- User agent filtering
- Request throttling
This reduces the risk of mass exploitation.
4. Audit Your Server for Signs of Compromise
Look for:
- Unknown processes
- Recently modified files
- Suspicious NPM behavior
- Unauthorized cron jobs
- Hidden shell scripts
If exploitation is suspected, rebuild from clean images and rotate credentials.
How Attackers Are Exploiting React2Shell
Cyber threat intelligence groups report:
- Automated scanners targeting RSC-enabled routes
- Payloads embedded in HTTP requests
- Mass probing of Next.js deployments
- Attempts to trigger server-side execution paths
This mirrors other high-impact deserialization vulnerabilities historically seen in Java, Python, and PHP ecosystems.
Best Practices Going Forward
- Always pin your React & Next.js versions
- Monitor dependency advisories (GitHub Dependabot, Snyk, etc.)
- Avoid exposing debug endpoints
- Consider shifting high-risk features behind serverless or isolated execution environments
- Log all RSC and Flight-related traffic
Security for modern frontend-driven applications increasingly resembles backend security — React2Shell is a reminder of that convergence.
FAQ About React2Shell (CVE-2025-55182)
Is React2Shell actively exploited in the wild?
Yes — several reports from AWS, Akamai, and security researchers confirm active exploitation attempts.
Does this affect all React apps?
No. Only apps using Server Components or frameworks that depend on RSC.
Does this affect Next.js 12 or older?
No — these versions do not use RSC.
What is the severity?
Rated Critical because it may allow remote code execution.
Will WAF rules alone protect me?
They help, but patching React/Next.js is essential.
Conclusion
React2Shell (CVE-2025-55182) is one of the most significant frontend-framework vulnerabilities in recent years. As React and Next.js increasingly blur the line between frontend and backend, the attack surface grows — and so must our security awareness.
If your stack uses React Server Components or modern Next.js, updating and hardening your environment should be your top priority.
Staying protected doesn’t just mean patching — it means observing traffic, deploying mitigations, and building a culture of secure development.
If you have been a victim of cyber attacks, or own a business with no secure digital infrastructure, visit our partner RhoneRisk; they help businesses across many different industries.