In this post, I’ll walk you through a critical vulnerability in React Server Components (RSC). Tracked as CVE-2025-55182 and widely known as React2Shell, the flaw enables unauthenticated remote code execution (RCE) in applications using the React Server Components Flight protocol.

What Is CVE-2025-55182?

React Server Components rely on the Flight protocol to serialize and transmit component trees between the server and the client. Modern frameworks such as Next.js App Router, Remix (RSC), React Router RSC, Waku, and multiple bundler plugins integrate this protocol directly into production deployments.

CVE-2025-55182 is a logical deserialization vulnerability in the Flight protocol. A specially crafted Flight payload can bypass validation and reach internal execution paths that evaluate attacker-controlled input, ultimately leading to arbitrary code execution on the server.

No authentication is required. A single HTTP request is enough.

One CVE, Not Two

You may see references to CVE-2025-66478 in early reporting. This identifier was requested by Next.js to track downstream impact but was later rejected by MITRE as a duplicate.

There is only one vulnerability: CVE-2025-55182.

Active Exploitation in the Wild

Threat intelligence teams observed exploitation attempts within hours of disclosure. Activity has been linked to multiple China-nexus threat groups, including:

  1. Earth Lamia

  2. Jackpot Panda

Internet-wide scanning surged immediately after the advisory went public. In response, CISA added the vulnerability to the KEV catalog, signaling confirmed exploitation and urgent remediation requirements for federal and critical infrastructure systems.

Scanners ->

  1. https://github.com/assetnote/react2shell-scanner [Thanks to Assetnote]
  2. https://github.com/rootandbeer/react2scan/blob/main/react2scan.sh [Thanks to Robert Wright]

What You Should Do Right Now

1. Verify Exploitability

Run a safe, production-ready validation test to determine whether your environment is actually exploitable. This avoids false assumptions based on headlines alone.

2. Patch Immediately

Update React, Next.js, and any RSC-enabled frameworks to patched versions.

3. Re-test After Patching

Verification should confirm that previously exploitable execution paths are fully eliminated.

Indicators of Compromise (IoCs)

Vendor-specific IoCs remain limited, but defenders should monitor for common RCE signals:

  • Unexpected POST requests to RSC or server function endpoints

  • Errors involving malformed Flight payloads

  • Creation of unfamiliar modules or temporary files

  • Outbound network connections from application servers

  • Execution of reconnaissance commands from the server process

These indicators should be correlated with emerging threat intelligence and detection rules.
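As an added example (not from the original post or any vendor tooling), here is a small Node.js script that turns the first two indicators above into a log check. It assumes JSON-lines access logs that record whether a request carried the Next.js `Next-Action` server-action header; the sample log lines are constructed.

```javascript
// Added example, not from the original post: correlate access-log lines to
// surface the first two IoCs above (unexpected POSTs to server-function
// endpoints, bursts of malformed-Flight-payload errors). Assumption: logs are
// JSON lines with ip, method, path, status and a boolean `action` set when the
// request carried the Next.js `Next-Action` header. Sample lines are constructed.
const SAMPLE_LOG = [
  '{"ip":"10.0.0.5","method":"GET","path":"/dashboard","status":200,"action":false}',
  '{"ip":"10.0.0.5","method":"POST","path":"/dashboard","status":200,"action":true}',
  '{"ip":"203.0.113.9","method":"POST","path":"/","status":500,"action":true}',
  '{"ip":"203.0.113.9","method":"POST","path":"/login","status":500,"action":true}',
  '{"ip":"203.0.113.9","method":"POST","path":"/about","status":500,"action":true}',
  '{"ip":"203.0.113.9","method":"POST","path":"/blog","status":500,"action":true}',
  '{"ip":"198.51.100.7","method":"POST","path":"/api/health","status":200,"action":false}',
].join("\n");
function parseLog(text) {
  return text.split("\n").filter(Boolean).map((line) => JSON.parse(line));
}
// Per client: server-action POSTs, how many failed server-side (a malformed
// Flight payload typically surfaces as a 5xx), distinct routes posted to, and
// whether the client ever loaded a page (GET) first. Scanners usually do not.
function profileClients(entries) {
  const byIp = new Map();
  for (const e of entries) {
    const p = byIp.get(e.ip) ?? { actionPosts: 0, actionErrors: 0, gets: 0, paths: new Set() };
    if (e.method === "GET") p.gets++;
    if (e.method === "POST" && e.action) {
      p.actionPosts++;
      p.paths.add(e.path);
      if (e.status >= 500) p.actionErrors++;
    }
    byIp.set(e.ip, p);
  }
  return byIp;
}
// Flag clients that spray action POSTs across routes without a page load, or
// whose action POSTs mostly fail. Thresholds are tunable starting points.
function suspiciousClients(text, { minPosts = 3, errorRatio = 0.5 } = {}) {
  const flagged = [];
  for (const [ip, p] of profileClients(parseLog(text))) {
    if (p.actionPosts < minPosts) continue;
    const reasons = [];
    if (p.gets === 0) reasons.push("action POSTs without any page load");
    if (p.actionErrors / p.actionPosts >= errorRatio) reasons.push("high 5xx rate on action POSTs");
    if (p.paths.size >= minPosts) reasons.push(`sprayed across ${p.paths.size} routes`);
    if (reasons.length > 0) flagged.push({ ip, reasons });
  }
  return flagged;
}
console.log(JSON.stringify(suspiciousClients(SAMPLE_LOG), null, 2));
```

Feed it real logs by replacing `SAMPLE_LOG` with the file contents, and tune `minPosts` and `errorRatio` to your traffic baseline before alerting on the output.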

Timeline

Nov 29, 2025 - Vulnerability reported to React by researcher Lachlan Davidson

Dec 3, 2025 - React releases advisory and patches

Dec 3–4, 2025 - Public analyses confirm unauthenticated RCE and large-scale exposure

Dec 5, 2025 - Rapid Response validation testing becomes available

Dec 5, 2025 - Added to CISA Known Exploited Vulnerabilities catalog

Final Thoughts

React2Shell is a reminder that framework-level vulnerabilities carry ecosystem-level risk. When serialization logic, execution paths, and modern rendering models intersect, small logic flaws can become internet-wide security incidents.

Happy Hacking!