CVE-2025-55182 — Meta React Server Components Remote Code Execution Vulnerability

React Server Components — React2Shell: Pre-Auth Deserialization RCE in Flight Protocol (CVSS 10, Ransomware)

What is React Server Components?

React Server Components (RSC) is a rendering model, stable as of React 19, in which React components run entirely on the server, fetching data and rendering before the result is sent to the client. The RSC "Flight" protocol is the serialization layer that transports component output, data, and function references between server and client over HTTP; Server Functions (server actions) use the same encoding in the client-to-server direction to carry their arguments. Frameworks built on React, including Next.js (App Router), Remix RSC, Waku, and others, implement RSC for full-stack applications, so a flaw in the Flight layer reaches a large installed base of internet-facing applications.

Overview

CVE-2025-55182 (nicknamed React2Shell by researchers) is a CVSS 10.0 deserialization vulnerability in the server-side decoder of React's RSC Flight protocol. A remote, unauthenticated attacker sends a single crafted HTTP POST to a React Server Function endpoint; the server deserializes the malicious payload and executes attacker-controlled code inside the Node.js process, with that process's privileges. No authentication, session, or application key is required. Exploitation was observed within two days of disclosure, with China-nexus groups and the Weaxor ransomware operation among the first actors. CISA added it to KEV on 5 December 2025 with a 7-day deadline and the ransomwareUse flag set to true.

Affected Versions

Product | Vulnerable | Fixed
React | 19.0.0, 19.1.0, 19.1.1, 19.2.0 (RSC-enabled) | 19.0.1, 19.1.2, 19.2.1
Next.js (App Router, v13.3–14.x) | All builds before 14.2.35 | 14.2.35
Next.js 15.x / 16.x (App Router) | All RSC-enabled builds | Per Next.js advisories
Remix RSC, React Router RSC preview | RSC preview builds | Per framework advisories
Waku, Vite RSC plugin, Parcel RSC, RedwoodSDK | RSC-enabled builds | Per framework advisories

Note: Applications not using React Server Components / Server Functions are not affected. Standard React 18 and purely client-side React applications are safe.

Technical Details

The vulnerability (CWE-502: Deserialization of Untrusted Data) is in the server-side deserializer of React's RSC Flight protocol. Flight is a text-based, line-delimited format, not a binary one: each line is a numbered row holding a JSON value, and strings beginning with `$` act as references to other rows, to server function references, and to other special values. When a React Server Function endpoint receives a request, the server decodes the incoming Flight payload (the reply decoder, `decodeReply` in the react-server-dom-* packages) to reconstruct the function's arguments before invoking it.

The affected deserializer does not validate the type and structure of the incoming payload before acting on it. An attacker constructs a Flight payload whose references steer the decoder into objects and code paths that client input was never meant to reach; public analyses describe this as reaching through the prototype chain or instantiating specific classes during decoding, ending in execution of attacker-chosen code in the Node.js process that hosts the endpoint. No application key, session token, or authentication cookie is required: the Server Function endpoint is reachable by unauthenticated clients by design, so exposure does not depend on who, if anyone, is logged in.
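To make the bug class concrete, the following is an added toy decoder for a Flight-like, reference-based wire format. It is illustrative code written for this page, not React's Flight implementation and not the actual React2Shell payload (the real reference syntax, row semantics and exploit chain are not reproduced here); the row format, the `$<row>:<key>:<key>` reference syntax, and the sample bodies are all constructed. The unsafe resolver follows whatever property path the client names, so a crafted reference walks from an empty object to `Object` and on to the `Function` constructor, a code-execution primitive the moment anything downstream calls what was decoded. The safe resolver only follows own properties of rows produced by `JSON.parse` and rejects everything else.

```javascript
'use strict';

// Added illustration of CWE-502 in a reference-based wire format: a toy
// decoder, not React's Flight code. Rows look like "<id>:<json>"; JSON
// strings starting with "$" are references "$<rowId>:<key>:<key>..." to
// another row, optionally walking into it.

function parseRows(body) {
  const rows = new Map();
  for (const line of body.split('\n')) {
    if (line === '') continue;
    const sep = line.indexOf(':');
    if (sep < 1) throw new Error('malformed row: ' + JSON.stringify(line));
    rows.set(line.slice(0, sep), JSON.parse(line.slice(sep + 1)));
  }
  return rows;
}

// Unsafe: follows any property path, so "constructor", "__proto__", etc.
// are all reachable from client input.
function resolveReferenceUnsafe(rows, ref) {
  const [id, ...path] = ref.slice(1).split(':');
  let value = rows.get(id);
  for (const key of path) value = value[key];
  return value;
}

// Safe: the row must exist, and every step must be an own property of a
// plain object or array produced by JSON.parse; anything else is rejected.
function resolveReferenceSafe(rows, ref) {
  const [id, ...path] = ref.slice(1).split(':');
  if (!/^[0-9]+$/.test(id) || !rows.has(id)) throw new Error('unknown row reference: ' + ref);
  let value = rows.get(id);
  for (const key of path) {
    if (value === null || typeof value !== 'object' ||
        !Object.prototype.hasOwnProperty.call(value, key)) {
      throw new Error('rejected reference path: ' + ref);
    }
    value = value[key];
  }
  return value;
}

// Decodes row 0 (the server function's argument list), reviving references
// with the supplied resolver. Referenced rows are returned as-is.
function toyDecodeReply(body, resolveReference) {
  const rows = parseRows(body);
  const revive = (value) => {
    if (typeof value === 'string') return value.startsWith('$') ? resolveReference(rows, value) : value;
    if (Array.isArray(value)) return value.map(revive);
    if (value !== null && typeof value === 'object') {
      const out = {};
      for (const [k, v] of Object.entries(value)) out[k] = revive(v);
      return out;
    }
    return value;
  };
  if (!rows.has('0')) throw new Error('missing row 0');
  return revive(rows.get('0'));
}

// Constructed sample bodies. BENIGN_REPLY is a normal call with one object
// argument. CRAFTED_REPLY points the argument at {}.constructor.constructor,
// i.e. the Function constructor.
const BENIGN_REPLY = '0:["$1"]\n1:{"id":42,"name":"alice"}';
const CRAFTED_REPLY = '0:["$1:constructor:constructor"]\n1:{}';

// True when the unsafe decoder hands back the Function constructor.
function craftedYieldsFunctionConstructor() {
  return toyDecodeReply(CRAFTED_REPLY, resolveReferenceUnsafe)[0] === Function;
}

// True when the safe resolver refuses the crafted reference.
function safeResolverRejectsCrafted() {
  try {
    toyDecodeReply(CRAFTED_REPLY, resolveReferenceSafe);
    return false;
  } catch (err) {
    return /rejected reference path/.test(err.message);
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe decoder returns Function:', craftedYieldsFunctionConstructor());
  console.log('safe decoder rejects payload:  ', safeResolverRejectsCrafted());
}
```

The point of the contrast is the validation boundary: a decoder that treats client-supplied reference paths as trusted navigation instructions will happily hand back runtime internals, and the only robust fix is to constrain resolution to the data the decoder itself produced.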

CVE-2025-66478 was initially tracked separately for the Next.js layer but was subsequently rejected and consolidated into CVE-2025-55182.

Discovery

Discovered by Lachlan Davidson and reported to the React Team on 29 November 2025. Public disclosure, together with fixed releases, followed on 3 December 2025.

Exploitation Context

Exploitation was observed within two days of the 3 December 2025 disclosure. Multiple threat actor groups were observed exploiting React2Shell:

  • Earth Lamia and Jackpot Panda (China-nexus APT groups): among the first actors observed exploiting the vulnerability, per AWS threat intelligence. Conducted targeted espionage against government and technology sectors.
  • Weaxor ransomware group: exploited the vulnerability on 5 December 2025 to achieve initial access, dropped a Cobalt Strike beacon, disabled Windows Defender, and deployed Weaxor ransomware — all within approximately one minute of initial exploitation.
  • Iranian Islamic Resistance Cyber Unit: claimed exploitation against an Israeli entity on 20 December 2025, deploying BQTLock ransomware.
  • Automated coinminer campaigns: the most common payload in widespread automated attacks against internet-facing RSC applications.

CISA added CVE-2025-55182 to the KEV catalog on 5 December 2025 with a 7-day FCEB remediation deadline and ransomwareUse: true.

Remediation

  1. Upgrade React immediately: React 19.0.1, 19.1.2, or 19.2.1 (matching your minor version).
  2. Upgrade Next.js to 14.2.35 or later if using the App Router with Server Components or Server Functions.
  3. For other RSC frameworks (Remix, Waku, React Router RSC, RedwoodSDK, etc.): check each framework's security advisory for framework-specific fixes — all require separate updates.
  4. Use Vercel's fix-react2shell-next tooling (https://github.com/vercel-labs/fix-react2shell-next) to patch and verify Next.js deployments, then audit every internet-facing RSC deployment for signs of compromise.
  5. If running non-RSC React (React 18, client-side only): you are not affected — verify your app is not server-rendering with RSC.
  6. Check for post-compromise indicators: unexpected Node.js child processes, new administrative accounts, outbound Cobalt Strike beacon traffic, disabled endpoint protection, or coinminer processes.
  7. Apply network egress filtering to Node.js application servers to limit outbound connections to known-good destinations, reducing the impact of successful exploitation.
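The first three remediation steps reduce to a version comparison against the fixed releases this page names, which is worth scripting when many projects have to be checked. The following is an added example written for this page, not tooling from the advisory, React, or Next.js. It classifies installed `react` and `next` versions against the fixed versions listed above; version lines the page does not enumerate (React pre-releases, Next.js 15.x/16.x, the other RSC frameworks) are reported as "check-advisory" rather than guessed, and the `node_modules/<pkg>/package.json` lookup is an assumption about a standard npm layout.

```javascript
'use strict';

// Added example (not from the advisory, React, or Next.js): classify installed
// React and Next.js versions against the fixed releases this page lists.

// Fixed releases named on this page, keyed by the major.minor line they patch.
const REACT_FIXED = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };
const NEXT_14_FIXED = '14.2.35';

function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(version).trim());
  if (!m) throw new Error('unparseable version: ' + version);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Orders by major.minor.patch only; pre-release tags are handled by callers.
function compareCore(a, b) {
  return (a.major - b.major) || (a.minor - b.minor) || (a.patch - b.patch);
}

// React 18 and earlier have no RSC (per the page); 19.x is judged against the
// fixed release of its minor line; pre-releases and newer lines need the advisory.
function classifyReact(version) {
  const v = parseSemver(version);
  if (v.major < 19) return 'not-affected';
  if (v.pre) return 'check-advisory';
  const fixed = REACT_FIXED[v.major + '.' + v.minor];
  if (!fixed) return 'check-advisory';
  return compareCore(v, parseSemver(fixed)) < 0 ? 'vulnerable' : 'fixed';
}

// Next.js 13.3 through 14.x (App Router) is fixed at 14.2.35 per the page;
// 15.x/16.x fixed releases live in the Next.js advisories, which the page
// does not list. Only App Router / RSC deployments are in scope either way.
function classifyNext(version) {
  const v = parseSemver(version);
  const inPageRange = (v.major === 13 && v.minor >= 3) || v.major === 14;
  if (!inPageRange || v.pre) return 'check-advisory';
  return compareCore(v, parseSemver(NEXT_14_FIXED)) < 0 ? 'vulnerable' : 'fixed';
}

// readVersion(pkg) returns the installed version string or throws; injecting it
// keeps the classification testable without a real node_modules tree.
function auditProject(readVersion) {
  const result = {};
  for (const [pkg, classify] of [['react', classifyReact], ['next', classifyNext]]) {
    try {
      result[pkg] = classify(readVersion(pkg));
    } catch (err) {
      result[pkg] = err && err.code === 'ENOENT' ? 'not-installed' : 'error: ' + err.message;
    }
  }
  return result;
}

// CLI use (assumed npm layout): node audit.js /path/to/project
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const path = require('path');
  const projectDir = process.argv[2] || process.cwd();
  const readVersion = (pkg) =>
    JSON.parse(fs.readFileSync(path.join(projectDir, 'node_modules', pkg, 'package.json'), 'utf8')).version;
  console.log(auditProject(readVersion));
}
```

A "fixed" result only covers the React and Next.js packages themselves; frameworks that vendor their own copy of the RSC runtime (step 3 above) still need their own advisory checked, which is why anything outside the page's enumerated ranges is deliberately reported as "check-advisory" instead of "fixed".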

Key Details

Property | Value
CVE ID | CVE-2025-55182
Vendor / Product | Meta — React Server Components
NVD Published | 2025-12-03
NVD Last Modified | 2025-12-10
CVSS 3.1 Score | 10.0
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity | CRITICAL
CWE | CWE-502
CISA KEV Added | 2025-12-05
CISA KEV Deadline | 2025-12-12
Known Ransomware Use | Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-12-12. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2025-11-29 | Lachlan Davidson reports vulnerability to React Team
2025-12-03 | React Team publishes critical security advisory; React 19.0.1, 19.1.2, 19.2.1 and Next.js 14.2.35 released
2025-12-05 | Active exploitation observed; CISA adds to KEV catalog with 7-day deadline; Weaxor ransomware deployed within minutes of initial access
2025-12-12 | CISA BOD 22-01 remediation deadline
2025-12-20 | Iranian Islamic Resistance Cyber Unit claims exploitation against Israeli entity deploying BQTLock ransomware