- Critical CVE-2025-55182 flaw in React Server Components enables unauthenticated remote code execution via unsafe deserialization.
- The issue cascades downstream to Next.js as CVE-2025-66478, with both vulnerabilities rated at maximum severity (CVSS 10).
- Default configurations are exposed, and researchers report near 100% exploit reliability across many real-world environments.
- Vendors have released guidance and patches, and organizations using React or Next.js should update and review their deployments immediately.
The disclosure of CVE-2025-55182 in React Server Components and its related impact on Next.js has quickly become one of the most discussed security stories in the web development world. The flaw exposes a critical path for attackers to achieve remote code execution on servers that rely on these hugely popular technologies.
For teams that have embraced the modern React and Next.js stack, this is not an abstract academic bug. Security researchers are warning that exploitation is both realistic and highly reliable, and that default configurations leave many production deployments unexpectedly open to attack if they are not patched quickly.
“React2Shell”: The Critical Vulnerability Rocking the Web — And Why It Matters
The vulnerability at the center of this situation, publicly tracked as CVE-2025-55182, affects the protocol behind React Server Components (RSC). Researchers have nicknamed the exploit pathway “React2Shell” to emphasize that a successful attack can move from a crafted RSC request to full shell-level access on the underlying server.
At a high level, the flaw surfaces because of unsafe deserialization of payloads provided to React Server Function endpoints. When a server component processes these specially crafted payloads, an attacker can pivot from seemingly benign data handling to arbitrary code execution without needing to authenticate.
Although the root issue lives in the React open source implementation, its influence doesn’t stop there. Next.js, which builds on top of React and is widely used for production-grade applications, inherits the problem in its handling of server-side logic. That downstream risk is cataloged separately as CVE-2025-66478, effectively broadening the blast radius across a large portion of the modern web stack.
Both CVE-2025-55182 and its Next.js counterpart have been assigned the maximum severity score of 10 under the common vulnerability scoring system. This rating reflects the combination of remote exploitability, lack of authentication requirements, and potential for complete system compromise.
What Is React2Shell — And How Does It Work?
Under the hood, React Server Components rely on a protocol where the client and server exchange serialized payloads to handle server-side rendering and logic. The core of React2Shell is that these payloads can be manipulated in a way that triggers unsafe deserialization, effectively allowing attacker-controlled input to be interpreted as executable instructions on the server.
In a typical attack scenario, an adversary crafts a malicious payload that targets a React Server Function endpoint exposed by an application. Because the vulnerability can be triggered without authenticating, the attacker only needs network access to the endpoint to attempt exploitation.
Once the malicious payload is processed, the server may deserialize it in an unsafe fashion, effectively blurring the line between data and code. This opens the door to remote code execution, giving the attacker the ability to run arbitrary commands with the permissions of the server process.
According to findings shared publicly by researchers from Wiz, the exploit path is not just theoretical. During internal experiments, they reported “high fidelity” exploitation with success rates nearing 100% in environments they tested. That level of reliability dramatically lowers the barrier for attackers and increases the urgency for defenders, como ilustran recientes casos de ataques a la cadena de suministro de npm.
What makes this especially worrying for practitioners is that the vulnerable behavior is present in default configurations. In other words, developers didn’t necessarily have to opt in to unsafe settings; many applications are exposed simply because they are using the standard, recommended stack.
Scope and Impact: Why So Many Projects Are at Risk
The technologies involved make this a particularly widespread problem. React, born at Facebook and now maintained as an open source library, underpins a huge share of modern web interfaces due to its component-based model and ecosystem. Next.js, maintained by Vercel, has become a go-to framework for building production-ready React applications with server-side rendering and API routes.
Because of this popularity, the number of affected deployments is not trivial. Wiz researchers estimated that around 40% of cloud environments they examined contained vulnerable React or Next.js instances. That snapshot suggests that the bug is not an edge case but a mainstream concern across a broad range of organizations and industries.
The practical impact of a successful exploit can be severe. Once attackers gain remote code execution through CVE-2025-55182 or the associated Next.js vulnerability, they can potentially access sensitive data, move laterally inside the environment, plant backdoors, or use compromised servers as staging points for further attacks.
Benjamin Harris, founder and CEO of watchTowr, highlighted that while public technical details are still relatively limited, the publication of patches is enough to guide determined attackers. Once they start reviewing code changes and advisory notes, it becomes significantly easier to reproduce the exploit path and weaponize it in the wild.
That dynamic — patches going public before widespread remediation — often creates a race. Organizations are now effectively competing with threat actors to deploy fixes and mitigation steps before exploit attempts ramp up.
Why React2Shell Is Especially Dangerous
A number of factors combine to make this vulnerability stand out from the usual stream of security advisories. First, the lack of authentication requirements means anonymous attackers can directly target exposed endpoints. Any publicly reachable server component endpoint immediately becomes part of the attack surface.
Second, the way the bug manifests in real-world setups leads to extremely high exploit reliability. As Wiz reported, under typical configurations the exploit path worked almost every time in their proof-of-concept scenarios, reducing the need for complex or fragile attack chains.
Third, the issue hits at the core of how React Server Components and Next.js handle server-side logic. Because the flaw is tied to the RSC protocol itself and not just a narrow edge feature, many applications inherit the risk simply by following standard patterns promoted by official documentation.
Finally, the broader ecosystem context matters. React and Next.js are deeply embedded in cloud-native and microservices architectures that power everything from small startups to large enterprises. A single compromised server component could provide an entry point into a much larger, more complex environment.
Combined, these properties explain why the vulnerabilities have both been rated at the maximum severity level and why the security community is strongly encouraging rapid patching and proactive risk assessment rather than a wait-and-see approach.
What’s Already Being Done (And What You Should Do Right Now)
Once the issue was reported through the Meta Bug Bounty program — researcher Lachlan Davidson notified the React team on November 29 — maintainers moved to investigate, fix, and coordinate disclosure. The React project and Vercel, the company behind Next.js, have now both published guidance to help users update their software.
From the vendor side, patched releases and advisory notes outline which versions are affected and how to upgrade. Organizations using React Server Components or Next.js should carefully review these documents, identify which deployments are in scope, and schedule updates as a top priority.
Given that default configurations are vulnerable, simply assuming that “custom settings” or minimal usage will offer protection is risky. Security teams should inventory all applications that rely on React Server Components or Next.js, paying special attention to publicly accessible endpoints exposed to the internet.
While applying patches is the primary step, it is also sensible to consider short-term mitigations. Restricting unnecessary public exposure of server component endpoints, tightening network access controls where possible, and enhancing monitoring for suspicious request patterns can all reduce risk while updates are being rolled out, además de revisar la gestión segura de secretos en GitHub Actions.
Organizations may also want to work closely with their development teams to review logging, incident response plans, and any signs of unusual activity around React or Next.js services, incluyendo el uso de Burp Collaborator para detectar interacciones fuera de banda.
What This Means for the Web Ecosystem — And What to Watch
The emergence of CVE-2025-55182 and its Next.js counterpart raises broader questions about how rapidly evolving web frameworks manage security in complex server-side features. React Server Components, while powerful, introduce new communication patterns and serialization logic that need rigorous scrutiny.
For the wider ecosystem, this incident is a reminder that even mature, widely adopted technologies can harbor high-impact vulnerabilities rooted in subtle implementation details. The combination of performance optimizations, developer convenience, and flexible APIs can sometimes mask deep security assumptions until they are stress-tested by researchers.
Going forward, it is likely that both the React and Next.js communities will see heightened focus on secure handling of server functions, payload serialization, and default configurations. Security-conscious organizations may also push for clearer guidance, more explicit hardening options, and expanded documentation on safe practices when building with server components.
Meanwhile, defenders should closely follow updates from official project channels, security vendors, and researchers who are continuing to analyze the vulnerability. New proofs of concept, detection rules, and best-practice recommendations are likely to appear as more experts dig into the details of React2Shell and its variants.
Ultimately, this episode underscores that keeping modern web stacks secure is an ongoing process, not a one-time setup task. As frameworks evolve, so do their potential attack surfaces, and the organizations that adapt quickly tend to fare better when critical flaws come to light.
For any team relying on React or Next.js in production, CVE-2025-55182 serves as a clear signal: treat server-side features with the same security rigor as any other critical infrastructure, stay on top of upstream advisories, and be ready to move fast when issues with this level of impact surface.
This coverage draws on information originally published by cybersecurity-focused outlets and vendor advisories, highlighting how React2Shell has rapidly moved from private report to urgent priority for organizations across the web.
