Full Report
A vulnerability in the React Server Components (RSC) implementation has been discovered that allows unauthenticated remote code execution on affected servers. The issue stems from unsafe deserialization of RSC “Flight” protocol payloads: an attacker can send a crafted request that triggers execution of code on the server. Security researchers are now calling it “React2Shell”.
Analysis Summary
# Vulnerability: React2Shell - Unauthenticated RCE via Unsafe Deserialization in RSC
## CVE Details
- CVE ID: CVE-2025-55182
- CVSS Score: Not explicitly provided, but described as a **critical** vulnerability allowing unauthenticated RCE.
- CWE: Unsafe Deserialization (Inferred)
## Affected Systems
- Products: React Server Components (RSC), Next.js
- Versions:
  - React Server Components: All versions prior to React 19.0.1, 19.1.2, and 19.2.1
  - Next.js 15.x: All versions prior to the patched 15.x release
  - Next.js 16.x: All versions prior to the patched 16.x release
- Configurations: Any frameworks or tools that bundle the vulnerable React Server Components versions.
## Vulnerability Description
The vulnerability, nicknamed "React2Shell," resides in the React Server Components (RSC) implementation, specifically related to the handling of the "Flight" protocol payloads. The flaw stems from **unsafe deserialization** of attacker-controlled data within the RSC request/response handling process. An unauthenticated attacker can send a specially crafted HTTP request containing malicious serialized Flight data, forcing the server to deserialize arbitrary objects and subsequently execute arbitrary code.
## Exploitation
- Status: **Exploited in the wild** (exploitation attributed to China-nexus threat groups)
- Complexity: Low (implied, since the attack is unauthenticated remote code execution)
- Attack Vector: Network (remote; no authentication required)
## Impact
- Confidentiality: High (Code execution capability implies potential data exfiltration)
- Integrity: High (Code execution capability implies ability to modify system state or data)
- Availability: High (Code execution capability can lead to system compromise or shutdown)
## Remediation
### Patches
Apply the updates released by React immediately. The source does not name the fixed React releases directly; they are implied by the affected-version range above and by the fixed versions of dependent frameworks:
- React: Versions **19.0.1, 19.1.2, and 19.2.1 or later** (within each release line) are likely the fixed versions.
- Next.js 15.x: Apply the patched 15.x release.
- Next.js 16.x: Apply the patched 16.x release.
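A lockfile audit for the fixed React releases listed above, added here as an example and not part of this report or of React's or Next.js's own tooling. It assumes a package-lock.json (lockfileVersion 2/3) `packages` map, an assumed list of package names that ship the RSC implementation, that each 19.x line is fixed at the patch level named above and later minors carry the fix, and that pre-release (canary/rc) builds are conservatively treated as unpatched.

```javascript
// Added example: audit a lockfile for React builds older than the fixed
// releases named in this advisory (19.0.1, 19.1.2, 19.2.1). Assumptions (not
// stated in the advisory): 19.3+ and later majors carry the fix, anything
// below 19.0.1 is unpatched, and pre-release builds are treated as unpatched.
const FIXED_PATCH_BY_MINOR = { 0: 1, 1: 2, 2: 1 }; // 19.0.1, 19.1.2, 19.2.1

// Assumed list of packages that ship the RSC "Flight" implementation; extend to match your lockfile.
const RSC_PACKAGES = new Set(['react', 'react-dom', 'react-server-dom-webpack']);

// Parse "19.1.2", "^19.1.0" or "19.2.0-canary-abc" into { major, minor, patch, prerelease }.
function parseVersion(spec) {
  const m = /^[\^~>=<\s]*(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(spec);
  if (!m) throw new Error(`unparseable version: ${spec}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: Boolean(m[4]) };
}

// True only when the version is one of the fixed releases or a later one.
function isReactPatched(spec) {
  const v = parseVersion(spec);
  if (v.prerelease) return false;                 // assumption: canary/rc builds not trusted
  if (v.major < 19) return false;                 // prior to 19.0.1 => affected per advisory
  if (v.major > 19) return true;                  // assumption: later majors include the fix
  if (v.minor in FIXED_PATCH_BY_MINOR) return v.patch >= FIXED_PATCH_BY_MINOR[v.minor];
  return v.minor > 2;                             // assumption: 19.3+ carries the fix
}

// Walk a package-lock.json (lockfileVersion 2/3) "packages" map and report RSC packages,
// including nested copies such as node_modules/next/node_modules/react.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (!RSC_PACKAGES.has(name) || !entry.version) continue;
    findings.push({ path, name, version: entry.version, patched: isReactPatched(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/react': { version: '19.1.1' },
    'node_modules/react-dom': { version: '19.1.2' },
    'node_modules/next': { version: '15.0.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
  },
};
for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.patched ? 'OK       ' : 'UNPATCHED'} ${f.name}@${f.version}`);
}
```

Next.js fixed versions are not given by number in this report, so the audit deliberately leaves the `next` package out rather than guessing a threshold.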
### Workarounds
No workarounds beyond immediate patching are described in the source. General defensive measures are recommended (see Detection).
## Detection
- Indicators of Compromise: Exploitation involves sending specially crafted RSC "Flight" protocol payloads in HTTP requests to the affected server; successful exploitation results in remote code execution (RCE).
- Detection methods and tools: Establish automated vulnerability scans (authenticated and unauthenticated) and run them quarterly or more frequently. Monitor network traffic for abnormal or suspicious RSC Flight protocol payloads that attempt to trigger deserialization; rules should be written for the specific application and deployment.
## References
- Vendor Advisory (React): hxxps://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- CVE Record: hxxps://www.cve.org/CVERecord?id=CVE-2025-55182
- Amazon Security Advisory: hxxps://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
- HackerNews Report: hxxps://thehackernews.com/2025/12/chinese-hackers-have-started-exploiting.html